Using Aruba Orchestrator - 9.1.3

Orchestrator 9.1.3 User Guide

January 13, 2023

Copyright and Trademarks
© Copyright Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to: Aruba EULA

Support
For product and technical support, contact support by phone (toll-free in USA and Canada) or at www.silver-peak.com/support.

We are dedicated to continually improving our products and documentation. If you have suggestions or feedback for our documentation, send an e-mail to sp-techpubs@hpe.com.

Aruba EdgeConnect SD-WAN Edge Platform

Table of Contents
What's New
    Orchestrator 9.1.3
        Zscaler GRE Tunnel Automation
        Zscaler Supports Bandwidth Percentage in Gateway Options
        Update Now Button Added to Application Definitions

Getting Started
    Supported Browsers
    Guidelines for Creating Passwords
    Overview of SD-WAN Prerequisites

Menu Options
    Monitoring
    Configuration
    Administration
    Orchestrator
    Support

Monitoring
    Monitoring > Summary
        Dashboard
        Topology
        Health Map
        Alarms Tab
            Disable Alarms
            Customize Alarms
            Alarm Severity
            Alarm Recipients
            Additional Alarm Indications
            Export Alarm Descriptions
            List of Alarms
                EdgeConnect Appliance Alarms
                Orchestrator Alarms
    Monitoring > Reporting
        Schedule and Run Reports
        View Reports
            Sample Report
        Scheduled and Historical Jobs
    Monitoring > Bandwidth
        Overlay-Interface-Transport
        Interface Bandwidth Trends
        Interface Summary
        Application Bandwidth


        Application Pie Charts
        Application Trends
        Top Talkers
        Domains
        Countries
        Ports
        Traffic Behavior
        Appliance Bandwidth
        Appliance Max Bandwidth
        Appliance Bandwidth Utilization
        Appliance Bandwidth Trends
        Appliance Packet Counts
        Tunnels Bandwidth
            Show Underlays
            Traceroute
            Live View
        Tunnels Pie Charts
        Tunnel Bandwidth Trends
        Tunnel Packet Counts
        DRC Bandwidth Trends
            Dynamic Rate Control
        Flows - Active and Recent
            Reset or Reclassify Flows
            Additional Information about Flows
                ECOS Behavior Changes
                ICMP/UDP Flows
                TCP Non Accelerated Flows
                TCP Accelerated Flows
                Outbound and Inbound
        Appliance Flow Counts
        Appliance Flow Trends
        Tunnel Flow Counts
        DSCP Bandwidth
        DSCP Pie Charts
        DSCP Trends
        Traffic Class Bandwidth
        Traffic Class Pie Charts
        QoS (Shaper) Trends
        Shaper Summary
        Boost Tab
            Boost Trends
            Change Boost Configuration
        Firewall Drops
    Monitoring > Tunnel Health
        Live View
        Loss Summary
        Loss Trends
        Jitter Summary
        Jitter Trends
        Latency Summary
        Latency Trends


        Out of Order Packets Summary
        Out of Order Packets Trends
        Mean Opinion Score (MOS) Summary
        Mean Opinion Score (MOS) Trends
        Tunnels Summary

Configuration
    Configuration > Overlays & Security
        Business Intent Overlays
            Overview
            SD-WAN Traffic to Internal Subnets
                Building SD-WAN Using These Interfaces
                Service Level Objective
                Link Bonding Policy
                QoS, Security, and Optimization
            Breakout Traffic to Internet and Cloud Services
                Hub Versus Branch Breakout Settings
                Preferred Policy Order and Available Policies
                Break Out Locally Using These Interfaces, Available Interfaces, and Link Selection
        Apply Overlays
        Interface Labels
            Manage Labels
                Create a Label
                Edit a Label
                Delete a Label
        Hubs
        Deployment Profiles
            Map Labels to Interfaces
            LAN-side Configuration: Segments and Firewall Zones
            LAN-side Configuration: DHCP
            WAN-side Configuration
            A More Comprehensive Guide to Basic Deployments
            Bridge Mode
            Router Mode
            Server Mode
        Deployment - EdgeConnect HA
            Enable EdgeConnect HA Mode
            IPSec over UDP Tunnel Configuration
            VRRP Configuration
            LAN-side Monitoring
        Firewall Zones
        Internet Traffic
        IPSec Pre-Shared Key Rotation
            Failure Handling and Orchestrator Reachability
            Schedule IPSec Key Rotation Dialog Box
        Intrusion Detection System (IDS)
            Prerequisites
            Enable or Disable IDS on Appliances
            Enable or Disable Rules with the IDS Allow List
            Specify Traffic to Be Inspected
            Advanced Reporting and Analytics


        SSL Certificates Tab
        SSL Certificates Edit Row
        SSL CA Certificates Tab
        SSL CA Certificates Edit Row
        SSL for SaaS Tab
        SSL for SaaS Edit Row
        Discovered Appliances
        Preconfigure Appliances
        Appliance Configuration Wizard
        EC-Enterprise Licenses
            Assign a License to an Appliance
        EC-Metered Licenses
            Assign a License to an Appliance
            Bandwidth Usage Report
            Feature License Usage Report
        Cloud Portal
    Configuration > Networking
        Deployment Tab
        Deployment Dialog Box
            Enable EdgeConnect HA
            LAN-side Monitoring
            Map Labels to Interfaces
            LAN-side Configuration: Segments and Firewall Zones
            LAN-side Configuration: DHCP
            WAN-side Configuration
        Interfaces Tab
            Terminology
        Interfaces Edit Row
        NAT
        NAT Rules and Pools
            NAT Pools
        VRRP Tab
        VRRP Edit Row
            VRRP Tab Settings
        WCCP Tab
        WCCP Edit Row
        PPPoE Tab
        Loopback Interfaces
        Loopback Orchestration
        Virtual Tunnel Interfaces (VTI)
            VTI Dialog Box
        DHCP Server Defaults
            DHCP Settings
        DHCP Leases
        DHCP Failover
        DHCP Failover State
        Link Aggregation
            View Aggregation Details
            Modify Link Aggregation
                Add a Channel Group
                Modify a Channel Group


                Delete a Channel Group
        Regions
            Regional Routing
            View Status
            Edit Regions
        Routing Segmentation
            Segment Configuration
            Delete a Segment
        Management Services
        Management Services Dialog Box
        Inter-Segment Routing and D-NAT Exceptions
        Inter-Segment S-NAT Exceptions
        BGP Tab
        BGP Information
        Add Peer
        BGP Inbound and Outbound Route Redistribution Maps
        BGP ASN Global Pool
        Routes Tab
            Route Maps
        Edit or Add Routes
            Add Routes
        Import Subnets
        SD-WAN Fabric Route Redistribution Maps
        OSPF Tab
        OSPF Edit Row
        Add Interface
        OSPF Route Redistribution Maps
        Multicast
        Multicast Dialog Box
        Peer Priority Tab
        Peer Priority Edit Row
        Admin Distance Tab
        Admin Distance Edit Row
        Management Routes Tab
        Tunnels Tab
            Troubleshooting
            Use Passthrough Tunnels
        Tunnels Edit Row
            Use Passthrough Tunnels
                Add a Tunnel
        Tunnel Exception
        Schedule Auto MTU Discovery
    Configuration > Policies
        DNS Proxy Policies
        Configure DNS Proxy Policies
        Route Policies Tab
            Priority
            Match Criteria
            Source or Destination
            Wildcard-based Prefix Matching


        Route Policies Edit Row
            Priority
            Match Criteria
            Source or Destination
            Wildcard-based Prefix Matching
        QoS Policies Tab
            Handle and Mark DSCP Packets
                Apply DSCP Markings to Optimized (Tunnelized) Traffic
                Apply DSCP Markings to Pass-through Traffic
            Priority
            Match Criteria
            Source or Destination
            Wildcard-based Prefix Matching
        QoS Policies Edit Row
            Handle and Mark DSCP Packets
                Apply DSCP Markings to Optimized (Tunnelized) Traffic
                Apply DSCP Markings to Pass-through Traffic
            Priority
            Match Criteria
            Source or Destination
            Wildcard-based Prefix Matching
        Schedule QoS Map Activation
        Optimization Policies Tab
            Priority
            Match Criteria
            Source or Destination
            Wildcard-based Prefix Matching
            Set Actions
        TCP Acceleration Options
        Optimization Policies Edit Row
            Priority
            Match Criteria
            Source or Destination
            Wildcard-based Prefix Matching
            Set Actions
            TCP Acceleration Details
        NAT Policies Tab
            Advanced Settings
                Match Criteria
                Source or Destination
                Wildcard-based Prefix Matching
                Set Actions
                Merge / Replace
        NAT Policies Edit Row
            Advanced Settings
                Match Criteria
                Source or Destination
                Wildcard-based Prefix Matching
                Set Actions
        Inbound Port Forwarding


        Security Policies Tab
            Wildcard-based Prefix Matching
        Security Policies Edit Row
            Wildcard-based Prefix Matching
        Access Lists Tab
            Match Criteria
            Wildcard-based Prefix Matching
        Access Lists Edit Row
        Address Groups
            Add an Address Group
            Add a Rule to an Address Group
            Delete an Address Group
            Export Address Groups
            Import Address Groups
            View a Single Address Group
            Edit or Delete a Rule
            Using Address Groups in Match Criteria
            Address Group Formats
        Service Groups
            Add a Service Group
            Add a Rule to a Service Group
            Delete a Service Group
            Export Service Groups
            Import Service Groups
            View a Single Service Group
            Edit or Delete a Rule
            Using Service Groups in Match Criteria
        Shaper Tab
        SaaS Optimization Tab
            Configure for SaaS Optimization
        SaaS Optimization Dialog Box
        Application Definitions
        Application Groups Tab
        Threshold Crossing Alerts Tab
            ON by Default
            OFF by Default
        Threshold Crossing Alerts Edit Row
        IP SLA Tab
            IP SLA Monitor Use Cases
        IP SLA Edit Row
            Monitor
            Actions
    Configuration > Templates
        Templates Overview
        Template Groups
        System Template
        Auth/Radius/TACACS+ Template
            Authentication and Authorization
            Appliance-based User Database
            RADIUS
            TACACS+


            What Is Recommended
        Flow Export Template
        Logging Template
            Minimum Severity Levels
            Configure Remote Logging
        Banner Messages Template
        HTTPS Certificate Template
        User Management Template
            Default User Accounts
            Command Line Interface Privileges
        DNS Template
        Date/Time Setting
            Data Collection
        SNMP Template
            SNMP v1/v2
            SNMP v3
            Trap Receivers
        SSL Certificates Template
        SSL CA Certificates Template
        SSL for SaaS Template
        Tunnels Template
        VRRP Template
        Peer Priority Template
        Route Redistribution Maps Template
        Routes Template
        BGP Template
        OSPF Template
        Admin Distance Template
        Access Lists Template
            Priority
            Match Criteria
            Source or Destination
            Wildcard-based Prefix Matching
        Route Policies Template
            Why?
            Priority
            Match Criteria
            Source or Destination
            Wildcard-based Prefix Matching
            Set Actions Fields
                Where the Appliance Directs Traffic
                How Traffic Is Managed If a Tunnel Is Down
        QoS Policies Template
            Priority
            Match Criteria
            Source or Destination
            Wildcard-based Prefix Matching
            Handle and Mark DSCP Packets
                Apply DSCP Markings to Optimized (Tunnelized) Traffic
                Apply DSCP Markings to Pass-through Traffic

Aruba EdgeConnect SD-WAN Edge Platform

Using Aruba Orchestrator - . .

January ,

Optimization Policies Template
  Priority
  Match Criteria
    Source or Destination
    Wildcard-based Prefix Matching
  Set Actions Fields
    TCP Acceleration Options
SaaS NAT Policies Template
  When to NAT
  Advanced Settings
  Match Criteria
    Source or Destination
    Wildcard-based Prefix Matching
  Set Actions
  Merge / Replace
Threshold Crossing Alerts Template
  ON by Default
  OFF by Default
  TCA Metrics
SaaS Optimization Template
  TIPS
Security Policies Template
  Implicit Drop Logging
  Template
  Wildcard-based Prefix Matching
DNS Proxy Policies
Shaper Template
  Dynamic Rate Control
Management Services Template
CLI Template
Session Management Template
Apply Template Groups
Configuration > Cloud Services
  AWS Transit Gateway Network Manager
    Prerequisites for AWS Transit Gateway Network Manager
    Orchestrator Configuration
  Microsoft Azure Virtual WAN
    Microsoft Azure Prerequisites
    Orchestrator Prerequisites
    Orchestrator Configuration
    Verification
  Check Point CloudGuard Connect
    Subscription
    Interface Labels
    Tunnel Settings
    LAN Subnets
    Enabling Check Point CloudGuard Connect
    Verification
  Import and Export Subnets
  Microsoft Office 365

  Zscaler Internet Access
    Configure Zscaler
      Subscription
      Interface Labels
      Tunnel Settings
      Service Edge Override
      IP SLA
      Country / Timezone
      Gateway Options
      Zscaler Association
      Pause Orchestration
    Using Zscaler for Breakout Traffic
    Verify Zscaler Deployment
  Service Orchestration
    Prerequisites
    Remote Endpoint Configuration
      Add Endpoints One at a Time
      Add Endpoints in Bulk
    Bulk Edits
    Interface Labels
    Tunnel Settings
    IP SLA Settings
    Pause Orchestration (Optional)
    +BIO Breakout
    Remote Endpoint Association
    Add Tunnel Local Identifiers to Netskope
    Verification
    Set Up a New Service
  Deploy Cloud Hubs
  Cloud Hubs in AWS
    Create or Modify an AWS Account
    Deploy a New EC-V
    Remove an EC-V
  AWS Accounts
  AWS Account Configuration
    Create a Policy with Required Permissions
    Attach Policy to the Orchestrator IAM User Account
    Download Orchestrator IAM User Account Credentials
    Create a Key Pair to Assign to EC-Vs
    Add the AWS Account to Orchestrator
  AWS Deployment Configuration
  Cloud Hubs in Azure
    Create or Modify an Azure Subscription
    Deploy a New EC-V
    Remove an EC-V
  Azure Subscriptions
    Add New Azure Subscription
    Edit an Existing Azure Subscription
  Azure Subscription Configuration
    Accept Azure Marketplace Image Terms
    Create a New App Registration

    Create a New Resource Group
    Create a Custom Role
    Assign the Custom Role to the Resource Group
    Add the Azure Subscription to Orchestrator
  Deployment Configuration Azure
Administration
Administration > General Settings
  Appliance User Accounts Tab
  Appliance User Accounts Edit Row
  Auth/RADIUS/TACACS+ Tab
    Authentication and Authorization
    RADIUS and TACACS+
  Auth/RADIUS/TACACS+ Edit Row
    Authentication Order
    Authorization Information
    Authentication and Authorization
    RADIUS and TACACS+
  Date/Time Tab
  Date/Time Dialog Box
  DNS (Domain Name Servers) Tab
  DNS (Domain Name Servers) Edit Row
  SNMP Tab
    SNMP Overview
    Modify SNMP Configuration
      SNMP v1/v2
      SNMP v3
      Trap Receivers
  Modify SNMP Configuration
    SNMP v1/v2
    SNMP v3
    Trap Receivers
  Flow Export Tab
    Custom Information Elements
  Flow Export Edit Row
  Logging Tab
    Severity Levels
    Remote Logging
  Logging Edit Row
    Log Settings
    Log Facilities Configuration
    Remote Log Receivers
  Banners Tab
  Banners Edit Row
  HTTPS Certificate Tab
  HTTPS Certificate Edit Row
  Orchestrator Reachability Tab
  Custom Appliance Tags
Administration > Software
  System Information
  Software Versions
  Upgrade Appliance Software

  Appliance Configuration Backup
  View Configuration History
  Restore a Backup to an Appliance
  Remove Appliance from Orchestrator
  Remove Appliance from Orchestrator and Account
Administration > Tools
  Synchronize Appliance Configuration
  Put the Appliance in System Bypass Mode
  Broadcast CLI Commands
  Link Integrity Test
    TCPPERF Version
  Disk Management
  Erase Network Memory
  Reboot or Shut Down an Appliance
    Behavior During Reboot
  Schedule an Appliance Reboot
    Behavior During Reboot
  Reachability Status Tab
  Active Sessions Tab
Orchestrator
Orchestrator > Orchestrator Server
  Role Based Access Control
    Roles
    Appliance Access
    Assign Roles and Appliance Access
  View Orchestrator Server Information
  Restart, Reboot, or Shutdown
  Manage Orchestrator Users
    Add a User
    Multi-Factor Authentication
      Configuring Multi-Factor Authentication Through an Application
      Configuring Multi-Factor Authentication Through Email
      Using Multi-Factor Authentication
  Modify User
  API Key
  Remote Authentication
    Configure a RADIUS or TACACS+ Server
      Authenticate Using RADIUS or TACACS+
    Configure an OAuth Server
      Prerequisites
      Register Orchestrator as an App
      Configure OAuth Server Properties in Orchestrator
    Configure a JWT Server
    Configure a SAML Server
      SAML and Orchestrator Configuration
  Cloud Portal
  Audit Logs
  Orchestration Settings
  Maintenance Mode
    Set Maintenance Mode Using the Menu Available from the Appliance Tree
    Set Maintenance Mode Using the Orchestrator Menu

  Tunnel Settings Tab
    General Tab
    IKE Tab
    IPSec Tab
  Orchestrator Blueprint Export
  Brand Customization
Orchestrator > Software & Setup
  Upgrade Orchestrator Software
    Upgrade via HTTP
    Upgrade via SCP
  Check for Orchestrator and Appliance Software Updates
  Back Up on Demand
  Schedule Orchestrator Backup
  Schedule Stats Collector Backup
  SMTP Server Settings
  Proxy Configuration
  Orchestrator HTTPS Certificate
  Timezone for Scheduled Jobs
  Orchestrator Advanced Properties
  Change the Orchestrator Log Level
    Minimum Severity Levels
  IP Allow List
  Orchestrator Getting Started Wizard
  Statistics Retention
  Stats Collector Configuration
    Prerequisites
    Before You Begin
      Create a Remote Stats Collector
      Authenticate the Remote Stats Collector
    Configure the New Stats Collector Feature
      Add Remote Stats Collectors
      Delete a Remote Stats Collector
      Associate Appliances with a Remote Stats Collector
      Associate Appliances with the Predefined Local Stats Collector
      Enable the New Stats Collector
      Discontinue Legacy Stats Collection
  Notification Banner
Orchestrator > Aruba Central
  Aruba Central Site Mapping
    Prerequisites
      Create Aruba Central Sites in Bulk
    Create an Aruba Central Account in Orchestrator
    Edit EdgeConnect to Aruba Central Site Mapping
    Check for Site List Updates
  ClearPass Policy Manager
    Manage ClearPass Policy Manager Accounts
      View ClearPass Policy Manager Accounts
      Add a ClearPass Policy Manager Server
      Edit a ClearPass Policy Manager Server
    Pause ClearPass Policy Manager Integration

Support
Support > Technical Assistance
  Tech Support - Appliances
  Tech Support - Orchestrator
    Take Action with Files
  Log In to the Support Portal
  Monitor Transfer Progress
  Packet Capture
  Upload Local Files
  Create a Support Case
  Partition Management
  Remote Log Receivers
    HTTP Receiver Settings
    HTTPS Receiver Settings
    KAFKA Receiver Settings
    SYSLOG Receiver Settings
    WEBSOCKET Receiver Settings
    WebSocket Receiver Configuration
  Routing Peers Table
  RMA Wizard
    Run the RMA Wizard
    Add a Backup Appliance
    Upgrade and Downgrade
Support > User Documentation
  Alarm Descriptions
  Built-in Policies
Support > Reporting
  Realtime Charts
  Historical Charts
  Appliance Charts
  Internal Drop Trends
  Appliance Memory Trends
  System Performance
  Appliance CPU Usage
  Appliance Crash Report
  Orchestrator Debug
  IPSec UDP Status
  Unverified Emails

Using Aruba Orchestrator - 9.1.3

This guide contains information about how to get started with Aruba Orchestrator and how to use Orchestrator to manage your Aruba EdgeConnect SD-WAN Edge Platform products.

What's New
This page provides a brief description of, and links to additional information about, the new features in the current Orchestrator release.
Orchestrator 9.1.3
The following features were introduced in Orchestrator 9.1.3:
Zscaler GRE Tunnel Automation
Orchestrator now supports GRE (in addition to IPsec) as the automated tunnel protocol for a specified WAN interface label. Note that GRE, unlike IPsec, provides neither encryption nor integrity protection for the tunneled traffic, so choose it only where that protection is not required or is provided elsewhere. For more information, see Zscaler Internet Access.
Zscaler Supports Bandwidth Percentage in Gateway Options
In addition to bandwidth control options that use fixed amounts of bandwidth and inherit bandwidth values from parent locations, it is now possible to specify download/upload as percentages of the deployment WAN label's bandwidth. For more information, see Zscaler Internet Access.
Update Now Button Added to Application Definitions
An Update Now button now provides the ability to force an update of application definitions outside of automatic updates. For more information, see Application Definitions.

Getting Started

Orchestrator enables you to globally monitor performance and manage EdgeConnect (EC) appliances, whether you are configuring a WAN Optimization network (NX, VX, or VRX appliances) or an SD-WAN network (EC or EC-V appliances). On this page:
· Supported Browsers · Guidelines for Creating Passwords · Overview of SD-WAN Prerequisites

Supported Browsers
Orchestrator and the Appliance Web user interfaces support the following browsers: · Google Chrome (recommended) · Microsoft Edge · Mozilla Firefox · Opera · Safari
We recommend that you use the latest version available for your browser.

Guidelines for Creating Passwords
· Passwords should be a minimum of eight characters.
· There should be at least one lower case letter and one upper case letter.
· There should be at least one digit.
· There should be at least one special character.
· Consecutive letters in the password should not be dictionary words.
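The guidelines above, as an added example of a validator that enforces them (this is illustrative code written for this page, not Orchestrator's own password check). Assumptions: "special character" means ASCII punctuation, "consecutive letters" means a maximal run of alphabetic characters, a run counts as a dictionary word if it or any substring of four or more letters is in the word list, and the word list itself is a small constructed set standing in for a real dictionary file.

```python
import re
import string

# Constructed stand-in for a real word list (e.g. one loaded from a dictionary file).
DICTIONARY = {"password", "admin", "aruba", "orchestrator", "welcome", "summer"}

MIN_LENGTH = 8
SPECIALS = set(string.punctuation)   # assumption: what counts as a "special character"
MIN_WORD = 4                         # assumption: shortest substring treated as a word


def letter_runs(password):
    """Return each maximal run of consecutive letters in the password, lowercased."""
    return [m.group(0).lower() for m in re.finditer(r"[A-Za-z]+", password)]


def dictionary_word_in(run, dictionary, min_word=MIN_WORD):
    """Return the first dictionary word found inside a run of letters, or None."""
    for start in range(len(run)):
        for end in range(start + min_word, len(run) + 1):
            if run[start:end] in dictionary:
                return run[start:end]
    return None


def check_password(password, dictionary=DICTIONARY, min_len=MIN_LENGTH):
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # Last guideline: no run of consecutive letters may be (or contain) a dictionary word.
    for run in letter_runs(password):
        hit = dictionary_word_in(run, dictionary)
        if hit:
            problems.append(f"letter run '{run}' contains dictionary word '{hit}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "summer2023!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Returning the full list of violations rather than stopping at the first one lets the caller show the user everything that must change, which is what a UI password dialog needs.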

Overview of SD-WAN Prerequisites
With Orchestrator, you create virtual network overlays to apply business intent to network segments. Provisioning a device is managed by applying profiles.


· Interface Labels associate each interface with a use.
  - LAN labels refer to traffic type, such as VoIP, data, or replication.
  - WAN labels refer to the service or connection type, such as MPLS, internet, or Verizon.
· Deployment Profiles configure the interfaces and map the labels to them, to characterize the appliance.
· Business Intent Overlays use the Labels specified in Deployment Profiles to define how traffic is routed and optimized between sites. These overlays can specify preferred paths and link bonding policies based on application, VLAN, or subnet, independent of the brand and physical routing attributes of the underlay.
This diagram shows the basic architecture and capabilities of Overlays.

Including a new appliance in the SD-WAN fabric consists of two basic steps:
1. Registration and discovery. After you Accept the discovered appliance, the Configuration Wizard opens.
2. Provisioning. Because the wizard prompts you to select profiles, it is easier to create these ahead of time.
The following figure shows the process of installing and provisioning an appliance for SD-WAN.

Menu Overview
All of Orchestrator's monitoring and configuration options are organized into five main menu groups, or tabs, located at the top of the main screen, including the following:
· Monitoring · Configuration · Administration · Orchestrator · Support
Monitoring
The options under the Monitoring tab focus on reports related to performance, traffic, and appliance status. Additionally, Threshold Crossing Alerts are helpful in monitoring your network.
Configuration
The options under the Configuration tab focus on how to configure Orchestrator. The options available under this menu are organized as follows:
· Overlays & Security · Networking · Templates & Policies · Cloud Services
Administration
The options under the Administration tab are related to appliance administration. They include general settings, software management, and tools for troubleshooting and maintenance.
Orchestrator
The options under the Orchestrator tab are used for managing Orchestrator itself. These options do not relate to managing appliances.


Support
The options under the Support tab can be used when working with Support to facilitate opening a case or providing Support with data and reports needed to troubleshoot network issues.

Monitoring
The options under Monitoring focus on performance, traffic, and appliance status. Additionally, Threshold Crossing Alerts are helpful in monitoring your network. Categories include the following:
· Summary · Reporting · Bandwidth · Tunnel Health
Monitoring > Summary
The options under Monitoring > Summary focus on Orchestrator monitoring features, such as the Dashboard, which provides a unified display of your network; the Topology Tab, which provides a visual display of your network; the Health Map, which provides a high-level view of your network's health; and the Alarms Tab, which provides details about both appliance and Orchestrator alarms. The Alarms topic also provides a detailed list of alarms related to EdgeConnect appliances and Orchestrator.
Dashboard
Monitoring > Summary > Dashboard
The Dashboard integrates information from multiple components, or widgets, into a unified display for monitoring your network. It displays appliance license information, topology, health map, top talkers, top domains, and so forth, on one tab. The collection of widgets is customizable and persists for each user account.
· Click the Settings icon to select the widgets you want to show or hide.
· To move widgets, drag them by title.
· To access more detail in its corresponding tab, click a widget's title.
· To filter on various widgets, select Src or Dest, Overlay or Underlay, or Inbound or Outbound. The filter varies depending on the widget you are selecting.
· You can choose and change the grouping variable for Overlay-Transport and Overlay-Interface by clicking Flip.
· The Appliance Licenses widget displays an inventory by appliance model, as well as license type, availability, and usage.


· To search for appliances in the tree, enter an appliance name and the tag will be displayed above the tree.
· To filter collections of appliances, select Show Tags and select from among the tag options.

Topology
Monitoring > Summary > Topology
The Topology tab provides a visual summary of your Silver Peak network. When configuring a software-defined WAN (SD-WAN), you can view All Overlays, individual Business Intent Overlays (BIOs), or the single and bonded Underlay tunnels that support them.

You can access it under Monitoring in the menu bar, or by clicking the widget title on the Dashboard tab.
(Figure: Topology widget on the Dashboard tab)

· The Legend details the appliances' management and operational states.

· The Topology map can dynamically geolocate an appliance when you enter a location (City, State, Country) in an appliance Configuration Wizard, or when you modify the appliance by right-clicking to access its contextual menu.
· The map tile renders to support variable detail at di erent zoom levels. · You can use icon grouping to visually consolidate adjacent appliances. The status bubbles up,
and you can configure relative grouping distance in the map's legend. The grouping is also a function of how far you zoom in or out. · Rolling over an individual appliance's icon displays basic system information.

When the icon is encircled by a ring, indicating an alarm, those alarms also display.
Health Map
Monitoring > Summary > Health Map
The Health Map provides a high-level view of your network's health, based on real-time measurements of network conditions between appliances.

· View filters are available for alarms, packet loss, latency, jitter, MOS (mean opinion score), and Business Intent Overlay.
· The health map can be sorted by weekly, daily, hourly health, or tree (by group, and then alphabetical by hostname).
· Each block represents one hour and uses color coding to display the most severe event among the selected filters. Color codes correspond to alarm severity and thresholds.
– Green – Normal operation.
– Red – Critical. Steps must be taken immediately in order to restore the affected service.
– Orange – Major. Steps must be taken as soon as possible because the affected service has degraded drastically.
– Yellow – Minor. A problem that does not yet affect service, but could if the problem is not corrected.
– Aqua – Warning. A potential problem that could affect service.
– Grey – No data available.
· Thresholds can be configured by clicking on the gear icon.

· Clicking a color block displays a pop-up with specifics about that event, what value triggered it, and any additional threshold breach for that appliance during the same hour.
· While filter and sort order customizations persist for each user account, threshold settings apply globally.

· Threshold settings are not retroactive. Setting new thresholds does not redisplay historical data based on newly edited values.
· Deleting an appliance deletes its data.
· If you are using overlays, note the following:
– You can view each overlay's health individually.
– If you remove an individual overlay, its data is not recoverable. However, its historical data remains included in All Overlays.

Alarms Tab
Monitoring > Summary > Alarms
This tab displays the Alarms table, which provides details about both appliance and Orchestrator alarms.

Each entry in the Alarms table represents one current condition that could require human intervention. Because alarms are conditions, they can come and go without management involvement. While merely acknowledging most alarms does not clear them, some alarm conditions are set up to self-clear when you acknowledge them. For example, if you remove a hard disk drive, it generates an alarm; after you replace it and it finishes rebuilding itself, the alarm clears. You can filter the alarms listed in the Alarms table:
· Time: h, hr, d, d, or Custom. Custom enables you to specify a range of dates in the Range fields.
· Active – All uncleared alarms. Acknowledged alarms go to the bottom of this list.
· History – Filtered to show only cleared alarms.
· All – All uncleared and cleared alarms.
NOTE: Orchestrator keeps a history of alarms for days.
The Alarms tab also includes the following functionality:
· Alarm Emails ON and Alarm Emails Paused: You can enable or disable if you want to receive an email if there is an alarm that is on or paused.

· Alarm Email Recipients: Each configured recipient can receive emails about either Appliance alarms or Orchestrator alarms. Click Add Recipient in the Alarm Recipients window. Select the appropriate type of alarm from the Alarm Type drop-down list, and then select the check boxes (Critical, Major, Minor, Warning) for which you want to receive emails. Click Save or Reload.
· Wait to Send Emails: You can customize the amount of time you want the system to wait to send you an email notifying you of an alarm. Click this button to open the Wait to Send Emails dialog box, and then enter the number of minutes you want the system to wait. Click Save.
· Export: You can export a CSV file of your alarms.
· Ack, Acked By, and Acked Time: These columns in the Alarms table indicate whether an acknowledgment has been received between devices.
– Acked By: The name of the appliance that did the acknowledgment.
– Acked Time: The time when the acknowledgment was received by the appliance.

Disable Alarms

You can specify which alarms you want to disable by clicking Customize / Disable Alarms, which opens the Alarm Information dialog box.
To disable alarms:

1. Click Disable All Alarms on Specific Appliances.
2. Enter the name of the appliance that has the alarms you want disabled.
3. Click Disable Alarms.
4. Click Save.

Customize Alarms

Complete the following steps to customize a pre-existing alarm.

1. Select the edit icon next to the selected appliance in the Alarm Information window.
2. Choose Enable/Disable.
3. If selecting Enable, specify the Custom Severity by choosing from the list: None, CRITICAL, MAJOR, MINOR, WARNING.
4. If selecting Disable, the following message displays: "You are about to disable this alarm." Click Save.

Alarm Severity
Orchestrator has four severity levels for alarms:
· Critical (red) – Critical alarms are service-affecting and require immediate attention. They reflect conditions that adversely affect an appliance or indicate the loss of a broad category of service.
· Major (orange) – While service-affecting, major alarms are less severe than critical alarms. They reflect conditions that should be addressed in the next hours. An example would be an alarm caused by an unexpected traffic class error.
· Minor (yellow) – Minor alarms are not service-affecting and can be addressed at any time. Examples include alarms caused by a user who has not changed their account's default password, a degraded disk, or a software version mismatch.


· Warning (blue) – Warning alarms are not service-affecting. They warn of conditions that could become problems over time, for example, an alarm caused by IP SLA being down.

Alarm Recipients

Complete the following to add alarm recipients to receive an email notifying you of an alarm within your network.

1. Click Alarm Email Recipients.
2. Click Add Recipient.
3. Enter the following information in the correct fields.

· The Alarm Type is Orchestrator for Orchestrator alarms, and Appliance for appliance-generated alarms.

· Groups display in a drop-down list, based on the groups configured in the navigation pane.

· By default, alarms are HTML Formatted. However, you can choose Plain Text or Both.

· Plain Text alarms are emailed as pipe-separated data. Users can create a script to parse the email and read the fields.

Example (numeric fields are not shown in the extracted text):

Hostname|Alarm_Status|Time|Alarm_ID|Type_ID|Source|Severity|Description|Recommended_action
Orchestrator| | | | |orchestrator|MINOR|Backup configuration not set|
Orchestrator| | | | |orchestrator|MAJOR|Orchestrator is using the default SMTP settings|

· The Alarm ID is the auto-incremented, primary key in the database.

· Alarm Status: - Raised | - Cleared
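As an added example (not code from the guide or from the Orchestrator product), the following Python script parses a plain-text alarm email in the pipe-separated layout shown above into records, orders them by the four severity levels described under Alarm Severity, and exposes the Alarm ID in hexadecimal for tools that filter on that form (as the Alarm Descriptions note mentions for SNMP). The sample body is constructed: its descriptions are the two alarms from the guide's example, while the status, time, ID and type values are made up because the guide's example does not show them.

```python
"""Parse pipe-separated plain-text alarm emails from Orchestrator.

Added example; not code from the guide or the product. Field layout
follows the Example header in the guide; sample values are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Header line exactly as shown in the guide's Example.
HEADER = ("Hostname|Alarm_Status|Time|Alarm_ID|Type_ID|Source|Severity"
          "|Description|Recommended_action")
FIELDS = HEADER.split("|")

# The four severities described under Alarm Severity; lower rank = more urgent.
SEVERITY_RANK = {"CRITICAL": 0, "MAJOR": 1, "MINOR": 2, "WARNING": 3}


@dataclass(frozen=True)
class Alarm:
    hostname: str
    status: str            # raw Alarm_Status value (raised/cleared code)
    time: str
    alarm_id: int          # auto-incremented primary key, decimal in the email
    type_id: str
    source: str
    severity: str
    description: str
    recommended_action: str

    @property
    def alarm_id_hex(self) -> str:
        """Alarm ID in hex, for tools (such as SNMP) that filter on that form."""
        return f"0x{self.alarm_id:x}"

    @property
    def rank(self) -> int:
        return SEVERITY_RANK[self.severity]


def parse_line(line: str) -> Optional[Alarm]:
    """Parse one line; returns None for blank lines and the header.

    Raises ValueError when the field count or severity does not match the
    documented layout, so a truncated or altered line is never silently
    turned into an alarm record.
    """
    line = line.rstrip("\r\n")
    if not line.strip() or line == HEADER:
        return None
    parts = line.split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, (p.strip() for p in parts)))
    severity = rec["Severity"].upper()
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {rec['Severity']!r} in {line!r}")
    return Alarm(
        hostname=rec["Hostname"],
        status=rec["Alarm_Status"],
        time=rec["Time"],
        alarm_id=int(rec["Alarm_ID"]),
        type_id=rec["Type_ID"],
        source=rec["Source"],
        severity=severity,
        description=rec["Description"],
        recommended_action=rec["Recommended_action"],
    )


def is_well_formed(line: str) -> bool:
    """True when the line parses under the documented layout."""
    try:
        parse_line(line)
        return True
    except ValueError:
        return False


def parse_email_body(body: str) -> List[Alarm]:
    return [a for a in (parse_line(ln) for ln in body.splitlines()) if a is not None]


def triage(alarms: List[Alarm]) -> List[Alarm]:
    """Most urgent first: severity rank, then Alarm ID for a stable order."""
    return sorted(alarms, key=lambda a: (a.rank, a.alarm_id))


# Constructed sample body: descriptions come from the guide's example;
# status, time, ID and type values are made up for illustration.
SAMPLE_BODY = HEADER + "\n" + "\n".join([
    "Orchestrator|1|2023-01-13 10:15:02|1001|7|orchestrator|MINOR"
    "|Backup configuration not set|",
    "Orchestrator|1|2023-01-13 10:15:02|1002|8|orchestrator|MAJOR"
    "|Orchestrator is using the default SMTP settings|",
])

if __name__ == "__main__":
    for alarm in triage(parse_email_body(SAMPLE_BODY)):
        print(alarm.severity, alarm.alarm_id_hex, alarm.hostname, alarm.description)
```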

Additional Alarm Information

· A cumulative (Orchestrator + appliances) alarm summary always displays at the right side of the header. Clicking it opens a top-level summary and access to the Alarms tab.
· Appliances are color-coded to indicate their severest alarms on the Topology tab and in the navigation pane.
· Threshold crossing alerts are related to alarms. They are preemptive, user-configurable thresholds that declare a Major alarm when crossed. For more information about their configuration and use, see Threshold Crossing Alerts Template and Threshold Crossing Alerts Tab.

Export Alarm Descriptions

Orchestrator enables you to export to a CSV file a full list of alarms you could potentially receive. This file includes a variety of details about the listed alarms, including alarm descriptions and recommended actions. For details, see Alarm Descriptions.
To automatically export the CSV file, navigate to Support > User Documentation > Alarm Descriptions.


List of Alarms

This topic provides lists of alarms related to EdgeConnect appliances and Orchestrator.
NOTE: The tables in this topic use the decimal numeral system for Alarm ID. You can convert these numbers to the hexadecimal numeral system if you have applications that can do their own filtering, such as SNMP.

EdgeConnect Appliance Alarms

Appliances can raise alarms based on issues that occur with tunnels, software, equipment, and Threshold Crossing Alerts (TCAs). TCAs are visible on the appliance, but are managed by Orchestrator.
Tunnels
System Type (Appliance); Source Type (Tunnel)

Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| CRITICAL | Tunnel is down. Recommended Action: Tunnel peer is unreachable. Check tunnel configuration. Verify Local & Remote IPs, Admin up, and peer's Mode matches. Check network connectivity. | Appliance | TRUE | TRUE
| CRITICAL | Tunnel protocol version mismatch. Recommended Action: Tunnel peers are running incompatible software versions. Normal during a software upgrade. Run the same or compatible software releases among the tunnel peers. | Appliance | TRUE | TRUE
| CRITICAL | Tunnel peer type mismatch. [For VX-Xpress only] Recommended Action: VX-Xpress appliance can only peer with another VX-Xpress appliance. Create a tunnel to another VX-Xpress appliance. | Appliance | TRUE | FALSE
| CRITICAL | Duplicate license detected. Recommended Action: Duplicate serial numbers detected. Install unique license on all virtual appliances. To check and/or change license: In Appliance Manager: Administration > Basic Settings > License & Registration. In Orchestrator: Configuration > Overlays & Security > Licensing > Licenses. | Appliance | TRUE | TRUE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| CRITICAL | Tunnel has invalid source IP address. Recommended Action: Delete the tunnel and re-create it with a valid IP address. | Appliance | TRUE | TRUE
| CRITICAL | Tunnel received an unmatched GRE packet. Recommended Action: Check for tunnel encapsulation mismatch. On Configuration > Tunnels page, go to specified tunnel and verify both tunnel peers are using the same encapsulation method. | Appliance | TRUE | TRUE
| MAJOR | Tunnel is misconfigured. Recommended Action: System ID is not valid. Was appliance registration completed? | Appliance | TRUE | TRUE
| MAJOR | Tunnel is in reduced functionality. Recommended Action: Tunnel peers are not running the same release of software. This results in reduced functionality. Run the same or compatible software releases among the tunnel peers. | Appliance | TRUE | TRUE
| MAJOR | Tunnel UDP port conflicts with cluster port. [Deprecated alarm] Recommended Action: Choose another number for UDP Destination Port on local and remote appliances if using the same interface for UDP tunnel and flow redirection. | Appliance | TRUE | TRUE
| MINOR | Tunnel software version mismatch. Recommended Action: Tunnel peers are not running the same release of software, but the releases are completely compatible. Normal during an upgrade. Run the same software version to eliminate the alarm. | Appliance | TRUE | TRUE

Software
System Type (Appliance); Source Type (Software)


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| CRITICAL | The licensing for this virtual appliance has expired. [For VX series only] Recommended Action: Enter a new license key for the appliance. NOTE: The VX appliances are a family of virtual appliances, comprised of the VX-n software, an appropriately paired hypervisor and server, and a valid software license. | Appliance | TRUE | FALSE
| CRITICAL | There is no license installed on this virtual appliance. [For VX series only] Recommended Action: Enter a valid license key for the appliance. NOTE: The VX appliances are a family of virtual appliances, comprised of the VX-n software, an appropriately paired hypervisor and server, and a valid software license. | Appliance | TRUE | FALSE
| CRITICAL | Invalid virtual appliance license. [For VX series only] Recommended Action: Enter a valid license key for the appliance. | Appliance | TRUE | FALSE
| CRITICAL | Software capability token expired. Recommended Action: Portal ( -day token) expired; no communication with Portal in days. You must have HTTPS connectivity to internet to renew the license lease. | Appliance | TRUE | FALSE
| CRITICAL | Invalid account name and key. Recommended Action: Provide valid account registration information. | Appliance | TRUE | FALSE
| CRITICAL | EC Base license not granted. Recommended Action: Contact Support to obtain additional EdgeConnect licenses. If you have licenses, approve this appliance from your Orchestrator. | Appliance | TRUE | FALSE
| CRITICAL | Orchestrator is unreachable. Recommended Action: Appliance cannot connect to Orchestrator using HTTPS. This connectivity is required for Orchestrator to manage the appliance. | Appliance | TRUE | FALSE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| CRITICAL | Silver Peak Cloud Portal host name cannot be resolved. Recommended Action: Check if appliance has been configured with a reachable DNS server. If there is no DNS server configured, appliance tries to use built-in DNS servers on the Internet to resolve the portal hostname. | Appliance | TRUE | FALSE
| CRITICAL | EC Plus license not granted. Recommended Action: Contact Support to obtain additional licenses. | Appliance | TRUE | FALSE
| CRITICAL | EC Boost license not granted. Recommended Action: Contact Support to obtain additional licenses. | Appliance | TRUE | FALSE
| CRITICAL | Appliance has not been approved by Orchestrator. Recommended Action: Approve the appliance from your Orchestrator. | Appliance | TRUE | FALSE
| CRITICAL | Software licensing error. Recommended Action: Failing to get token from Portal. Contact Support. | Appliance | TRUE | FALSE
| CRITICAL | No public IP address detected on an interface behind Internet. [Deprecated alarm] Recommended Action: Connect the interface to Internet. | Appliance | TRUE | FALSE
| CRITICAL | DHCP server misconfiguration. Recommended Action: DHCP server configuration contains invalid entry that prevented it from running. Check log file for error and verify your configuration. | Appliance | TRUE | FALSE
| CRITICAL | Unable to resolve Orchestrator DNS name. Recommended Action: Could not resolve one or more Orchestrator DNS names. Check DNS server configuration. | Appliance | TRUE | TRUE
| CRITICAL | Config DB load partially failed. Recommended Action: Check configuration and apply again. | Appliance | TRUE | TRUE
| MAJOR | Software upgrade process has failed. | Appliance | FALSE | TRUE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| MAJOR | System is low on resources. Recommended Action: The appliance is running low on resources (memory). If this alarm persists, contact Support. | Appliance | TRUE | FALSE
| MAJOR | Significant change in time of day has occurred, and might compromise statistics. Please contact TAC. [Deprecated alarm] Recommended Action: Appliance time changed. Appliance statistics could be missing for an extended interval. Contact Support. | Appliance | FALSE | TRUE
| MAJOR | A disk self-test has been performed. You must reboot the appliance after the test has been completed. Recommended Action: Reboot the appliance. Traffic will not be optimized until this is performed. | Appliance | TRUE | FALSE
| MAJOR | Software license will expire in days. [For VX series only] Recommended Action: Enter new license key to avoid loss of optimization or potential traffic disruption. | Appliance | FALSE | FALSE
| MAJOR | Dual wan-next-hop topology is no longer supported. Recommended Action: Reconfigure appliance as single bridge with one next hop, or as dual bridge with two IP addresses and two next hops. | Appliance | TRUE | TRUE
| MAJOR | Major inconsistency among tunnel traffic class settings found during upgrade. [Deprecated alarm] Recommended Action: Review the WAN shaper traffic class settings. | Appliance | TRUE | TRUE
| MAJOR | Tunnel IP header disable setting was discarded during upgrade. [Deprecated alarm] Recommended Action: Review the optimization map header compression settings. | Appliance | TRUE | TRUE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| MAJOR | A peer name has been specified in the configuration matching no existing remote peer. Recommended Action: Correct route-map entry or build tunnel. A route policy peer hostname might have changed. | Appliance | TRUE | FALSE
| MAJOR | Software license token needs to be renewed. Recommended Action: Software will automatically renew the license lease as long as it has HTTPS connectivity to the internet. | Appliance | FALSE | TRUE
| MAJOR | Silver Peak Cloud Portal websocket is down. Recommended Action: Appliance cannot connect to Silver Peak portal using HTTPS Websockets. | Appliance | FALSE | TRUE
| MAJOR | Silver Peak Cloud Portal is unreachable for licensing. Recommended Action: Appliance cannot connect to the Cloud Portal using HTTPS Websockets. Verify the connectivity between the appliance and the portal. This connectivity is needed for licensing. | Appliance | TRUE | FALSE
| MAJOR | Subnet table is full. Recommended Action: Subnet table has reached its maximum allowable size. Additional subnets will not be added unless others are removed. | Appliance | TRUE | TRUE
| MAJOR | A BGP peer session is not in Established state. Recommended Action: A BGP peer session is Down. Verify BGP neighbor, ASN, or next hop IP address is configured correctly. | Appliance | TRUE | TRUE
| MAJOR | An OSPF neighbor session is no longer in Full or Two-Way state. Recommended Action: An OSPF neighbor session is Down. Verify whether OSPF neighbor connectivity still exists on this interface. | Appliance | TRUE | TRUE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| MAJOR | DHCP server failover my state communications interrupted. Recommended Action: DHCP server failover my state communications interrupted. Check for partner reachability and verify your configuration. | Appliance | TRUE | TRUE
| MAJOR | Excessive route advertisement updates detected. Recommended Action: Verify proper configuration or route filtering of the route indicated. | Appliance | TRUE | TRUE
| MAJOR | EC Feature License not granted. Recommended Action: Contact Support. | Appliance | TRUE | FALSE
| MAJOR | ACL Groups File Handling Failed. Recommended Action: Check if valid IP/Port are used for configuration. If issue persists, contact Support with support logs. | Appliance | FALSE | TRUE
| MAJOR | ACL Groups Config Memory Limit Exceeded. Recommended Action: To free up memory, reduce the group name lengths used in the Address/Service groups configuration and try again. | Appliance | FALSE | TRUE
| MAJOR | ACL rule has invalid syntax. Recommended Action: Check ACL rules syntax and apply again. | Appliance | TRUE | TRUE
| MINOR | Performance is limited by max Boost bandwidth. Recommended Action: Recommend subscribing to more Boost bandwidth. | Appliance | FALSE | TRUE
| MINOR | Subnet table reached High water mark. Recommended Action: Subnet table has reached its maximum level for adding BGP/OSPF-learned routes. Only local subnets added beyond this number. | Appliance | TRUE | TRUE
| MINOR | Secure shell challenge-response succeeded. Recommended Action: Secure shell authentication succeeded. No action required if authorized personnel are trying to access secure shell. | Appliance | TRUE | TRUE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| MINOR | Secure shell challenge-response failed. Recommended Action: Secure shell authentication failed. Verify if authorized personnel are trying to access secure shell. | Appliance | TRUE | TRUE
| MINOR | DSCP label is unassigned. Recommended Action: Label is not assigned to interface. | Appliance | TRUE | TRUE
| MINOR | Peer interface admin or oper or nh reachability is down. Recommended Action: Peer interface admin or operational or next hop reachability status changed. | Appliance | TRUE | TRUE
| WARNING | The SSL private key is invalid. Recommended Action: The key is not an RSA standard key that meets the minimum requirement of bits. Regenerate a key that meets this minimum requirement. | Appliance | TRUE | FALSE
| WARNING | The SSL certificate is not yet valid. Recommended Action: The SSL certificate has a future start date. It will correct itself when the future date becomes current. Otherwise, install a certificate that is current. | Appliance | TRUE | FALSE
| WARNING | The SSL certificate has expired. Recommended Action: Reinstall a valid SSL certificate that is current. | Appliance | TRUE | FALSE
| WARNING | The NTP server is unreachable. Recommended Action: Check the appliance's NTP server IP and version configuration. Can appliance reach the NTP server? Is UDP port open between the appliance's mgmt IP and the NTP server? | Appliance | TRUE | FALSE
| WARNING | Software license will expire in days. [For VX series only] Recommended Action: Enter a new license key to avoid loss of optimization or potential traffic disruption. | Appliance | FALSE | TRUE
| WARNING | Setting default system wan-next-hop to VLAN next-hop no longer necessary. [Deprecated alarm] Recommended Action: Use the VLAN IP address as tunnel source endpoints instead of bvi . | Appliance | FALSE | TRUE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| WARNING | Minor inconsistency among tunnel traffic class settings found during upgrade. [Deprecated alarm] Recommended Action: Review the WAN shaper traffic class settings. | Appliance | FALSE | TRUE
| WARNING | A very large range has been configured for a local subnet. Recommended Action: Confirm that you intended to configure such a large local subnet (/ or larger). | Appliance | FALSE | TRUE
| WARNING | Interface shaper max bandwidth exceeds system max bandwidth. Recommended Action: Review the interface shaper max bandwidth settings. Make sure it does not exceed system max bandwidth. | Appliance | TRUE | TRUE
| WARNING | Silver Peak Cloud Portal is unreachable. Recommended Action: Appliance cannot connect to the Cloud Portal using HTTPS. This connectivity is needed for internet applications classification. | Appliance | FALSE | TRUE
| WARNING | SaaS application is no longer supported. Recommended Action: SaaS application is no longer supported. | Appliance | FALSE | TRUE
| WARNING | Admin password is not yet changed. Recommended Action: Change admin password. | Appliance | FALSE | TRUE
| WARNING | Built-in CA certificate was invalid and it has been deleted internally. Recommended Action: Built-in CA Certificate is invalid, and a new one has been auto-generated. Install the built-in CA certificate on clients as needed. | Appliance | FALSE | TRUE
| WARNING | CA Bundle was invalid and it has been deleted internally. Recommended Action: CA Certificate Bundle is invalid and will be fixed automatically by portal in a couple of hours, or contact Support. | Appliance | FALSE | TRUE
| WARNING | An IP SLA monitor is in the Down state. Recommended Action: An IP SLA monitor has reported Down status. Check and correct the source of the failure. | Appliance | TRUE | TRUE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| WARNING | DNS proxy process is in Down state. Recommended Action: DNS proxy is in down state. | Appliance | TRUE | TRUE
| WARNING | EC Licensing Warning. Recommended Action: Check your EC license. | Appliance | FALSE | TRUE
| WARNING | An IP SLA monitor is not installed. Recommended Action: An IP SLA monitor is not installed. Check and fix the source of the failure. | Appliance | TRUE | TRUE
| WARNING | CPU utilization threshold exceeded. Recommended Action: CPU utilization reached almost %. Ignore if it is intended. Otherwise, take action to reduce CPU utilization. | Appliance | TRUE | TRUE
| WARNING | Stats collection slow or incomplete. Recommended Action: In Orchestrator, go to Orchestrator > Software & Setup > Setup > Stats Collector Configuration and look for the following issues: 1. Stats collection paused due to low disk space. 2. Stats collection failing because the Stats Collector is unreachable. 3. Too many appliances assigned to a single Stats Collector. | Appliance | FALSE | TRUE
| WARNING | Unable to resolve Stats Collector DNS name. Recommended Action: Could not resolve Stats Collector DNS name. Check DNS server configuration. | Appliance | FALSE | TRUE
| WARNING | Stats Collector is unreachable. Recommended Action: Appliance cannot connect to Stats Collector using HTTPS. This connectivity is required for Appliance to upload stats. | Appliance | FALSE | TRUE

Equipment
System Type (Appliance); Source Type (Equipment)

Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| CRITICAL | RAID array is degraded. [Deprecated alarm] | Appliance | FALSE | TRUE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| CRITICAL | Fan failure detected. Recommended Action: Fan failure. Use the self-service RMA tool on the Silver Peak Support Portal to RMA the failed device. | Appliance | FALSE | FALSE
| CRITICAL | System bypass mode. Recommended Action: Normal with factory default configuration, during reboot, and if user has put the appliance in bypass mode. Check the system bypass configuration. | Appliance | FALSE | FALSE
| CRITICAL | LAN/WAN fail-to-wire card failure. Recommended Action: Fail-to-wire card failure. Use the self-service RMA tool on the Silver Peak Support Portal to RMA the failed device. | Appliance | FALSE | FALSE
| CRITICAL | LAN/WAN fail-to-wire card relay failure. | Appliance | FALSE | FALSE
| CRITICAL | Encryption card hardware failure. [Deprecated alarm] Recommended Action: Disk encryption card failure. Use the self-service RMA tool on the Silver Peak Support Portal to RMA the failed device. | Appliance | FALSE | FALSE
| CRITICAL | NIC failure. Recommended Action: Network interface card failure. Use the self-service RMA tool on the Silver Peak Support Portal to RMA the failed device. | Appliance | FALSE | FALSE
| CRITICAL | Insufficient configured memory size for this virtual appliance. [For VX series only] Recommended Action: Assign more memory to the virtual machine and restart the appliance. Traffic will not be optimized until this is resolved. | Appliance | TRUE | FALSE
| CRITICAL | Insufficient configured processor count for this virtual appliance. [For VX series only] Recommended Action: Assign more processors to the virtual machine and restart the appliance. Traffic will not be optimized until this is resolved. | Appliance | TRUE | FALSE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| CRITICAL | Insufficient configured disk storage for this virtual appliance. [For VX series only] Recommended Action: Assign more storage to the virtual machine and restart the appliance. Traffic will not be optimized until this is resolved. | Appliance | TRUE | FALSE
| CRITICAL | Bridge loop is detected. Recommended Action: Make sure bridge ports are connected to different virtual switches and restart the appliance. Traffic will not be optimized until this is resolved. | Appliance | TRUE | FALSE
| CRITICAL | Network interface is unassigned. Recommended Action: Assign the network interface to an existing MAC address, and then restart the appliance. Or, if the network interface is not being used, then set its admin state to down. | Appliance | TRUE | FALSE
| CRITICAL | Bridge creation failed. Recommended Action: Check log messages for more details on the failure. | Appliance | TRUE | FALSE
| MAJOR | Disk is failed. Recommended Action: Disk failure. Use the self-service RMA tool on the Silver Peak Support Portal to RMA the failed hard disk drive. | Appliance | FALSE | FALSE
| MAJOR | Network interface link down. Recommended Action: Is the system in bypass mode? Check cables and interface admin status on the router. | Appliance | TRUE | TRUE
| MAJOR | Management interface link down. Recommended Action: Check cables and interface admin status on the router. | Appliance | TRUE | TRUE
| MAJOR | Interface is half duplex. Recommended Action: Check speed/duplex settings on the router/switch port. | Appliance | TRUE | TRUE
| MAJOR | Interface speed is Mbps. Recommended Action: Check speed/duplex settings. Use a / Mbps port on the router/switch. | Appliance | TRUE | TRUE
| MAJOR | Config DB disk full. [Deprecated alarm] | Appliance | TRUE | FALSE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| MAJOR | Operating System disk full. [Deprecated alarm] | Appliance | TRUE | FALSE
| MAJOR | File System disk full. [Deprecated alarm] | Appliance | TRUE | FALSE
| MAJOR | Datapath internal loopback test failed. [Deprecated alarm] | Appliance | TRUE | FALSE
| MAJOR | WAN Next-hop unreachable. Recommended Action: Check cables on EdgeConnect appliance and router. Check IP/mask on EdgeConnect appliance and router. Next hop should be only a single IP hop away. To troubleshoot, use: show cdp neighbor, show arp, and ping -I <appliance IP> <next-hop IP>. Packets are sent with ttl= , so ensure next hop IP has no intermediate routers. NOTE: If there is either a LAN Next-Hop Unreachable or WAN Next-Hop Unreachable alarm, resolve the alarm(s) immediately by configuring the gateway(s) to respond to ICMP pings from the EdgeConnect appliance IP Address. | Appliance | TRUE | FALSE
| MAJOR | VRRP instance is down. Recommended Action: Check the interface. Is the link down? | Appliance | TRUE | TRUE
| MAJOR | WAN next-hop router discovered on a LAN port (box is in backwards). Recommended Action: Check WAN next hop IP address. Check lan and wan cabling (in-line mode only). If not resolved, contact Support. | Appliance | TRUE | FALSE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| MAJOR | Disk is not-in-service. Recommended Action: Check if the disks are properly seated. Contact Support for further assistance. | Appliance | FALSE | FALSE
| MAJOR | Disk has been removed by operator. Recommended Action: Normal during disk replacement. Insert the disk using Appliance Manager or Orchestrator. Contact Support if insertion fails. | Appliance | FALSE | FALSE
| MAJOR | LAN/WAN interfaces have different admin states. [For Bridge mode only] Recommended Action: Check interface admin configuration (lan -wan , lan -wan ). Applicable only to in-line mode. | Appliance | TRUE | TRUE
| MAJOR | LAN/WAN interfaces have different link carrier states. [For Bridge mode only] Recommended Action: Check interface configured speed settings and current values (lan /wan , lan /wan ). Applicable only to in-line mode. | Appliance | TRUE | TRUE
| MAJOR | LAN/WAN interface has been shut down due to link propagation of paired interface. [For Bridge mode only] Recommended Action: Check cables and connectivity. For example, if lan is shut down, check why wan is down. Applicable only to in-line mode. | Appliance | TRUE | TRUE
| MAJOR | Flow redirection cluster peer is down. [For Boost only] Recommended Action: Check Flow Redirection configuration on all applicable appliances and check L /L connectivity between the peers. Open TCP and UDP ports between the cluster peer IPs if they are blocked. | Appliance | TRUE | FALSE
| MAJOR | Bonding members have different speed/duplex. Recommended Action: Check interface speed/duplex settings and negotiated values on wan /wan and lan /lan ether-channel groups. | Appliance | TRUE | TRUE


Alarm ID | Severity | Alarm Text | Source | Service Affecting | Clearable
| MAJOR | WCCP adjacency(ies) down. Recommended Action: Cannot establish WCCP neighbor. Check WCCP configuration on appliance and router. Verify reachability. Enable debugging on router: debug ip wccp packet | Appliance | TRUE | TRUE
| MAJOR | WCCP assignment table mismatch. Recommended Action: Check WCCP mask/hash assignment configuration on all EdgeConnect appliances and ensure that they match. | Appliance | TRUE | TRUE
| MAJOR | Power supply not connected, not powered, or failed. [EC-M, EC-L, and EC-XL only (dual supplies)] Recommended Action: Connect to a power outlet. Check power cable connectivity. | Appliance | FALSE | FALSE
| MAJOR | LAN next-hop unreachable. Recommended Action: Check Appliance configuration: LAN side next hop IP, Appliance IP/Mask, VLAN IP/mask, and VLAN ID. NOTE: If there is either a LAN Next-Hop Unreachable or WAN Next-Hop Unreachable alarm, resolve the alarm(s) immediately by configuring the gateway(s) to respond to ICMP pings from the EdgeConnect appliance IP Address. | Appliance | TRUE | FALSE
| MAJOR | Unexpected system restart. Recommended Action: The appliance rebooted unexpectedly. Power issues? Was the appliance shut down ungracefully? Contact Support if the shutdown was not planned. | Appliance | FALSE | TRUE
| MAJOR | Interfaces have different MTUs. [For Bridge mode only: lan /wan ] Recommended Action: Check interface MTU settings on lan /wan (pairwise) on dual bridge mode and lan /lan /wan /wan . . . on single bridge mode. | Appliance | TRUE | TRUE

Aruba EdgeConnect SD-WAN Edge Platform

Using Aruba Orchestrator - . .

January ,

Alarm ID: | Severity: MAJOR | Source: Appliance | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Interfaces have different MTUs. [For Bridge mode only: lan /wan ] Recommended Action: Check interface MTU settings on lan /wan or tlan /twan interfaces.

Alarm ID: | Severity: MAJOR | Source: Appliance | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: System optimization disabled. [Deprecated alarm] Recommended Action: Turn on system optimization.

Alarm ID: | Severity: MAJOR | Source: Appliance | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: HASync peer is down. Recommended Action: Check HA link connectivity.

Alarm ID: | Severity: MINOR | Source: Appliance | Service Affecting: FALSE | Clearable: FALSE
Alarm Text: Disk is degraded. Recommended Action: Wait for disk to recover. If it does not recover, contact Support.

Alarm ID: | Severity: MINOR | Source: Appliance | Service Affecting: FALSE | Clearable: FALSE
Alarm Text: Disk is rebuilding. Recommended Action: Normal. Wait for the disk to rebuild. If it does not rebuild, contact Support.

Alarm ID: | Severity: MINOR | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Disk SMART threshold exceeded. Recommended Action: Disk failure. Use the self-service RMA tool on the Silver Peak Support Portal to RMA the failed hard disk drive.

Alarm ID: | Severity: MINOR | Source: Appliance | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Non-optimal configured memory size for this virtual appliance. [For VX series only] Recommended Action: Assign more memory to the virtual machine and restart the appliance. Traffic will be sub-optimal until this is resolved.

Alarm ID: | Severity: MINOR | Source: Appliance | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Non-optimal configured processor count for this virtual appliance. [For VX series only] Recommended Action: Assign more processors to the virtual machine and restart the appliance. Traffic will be sub-optimal until this is resolved.

Alarm ID: | Severity: MINOR | Source: Appliance | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Non-optimal configured disk storage for this virtual appliance. [For VX series only] Recommended Action: Assign more storage to the virtual machine and restart the appliance. Traffic will be sub-optimal until this is resolved.

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Network interface admin down. Recommended Action: Check your interface configuration.

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: VRRP state changed from Master to Backup. Recommended Action: VRRP state has changed from Master to Backup. Check VRRP Master for uptime and connectivity.

Threshold Crossing Alerts

System Type (Appliance); Source Type (Threshold Crossing Alerts)

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: WAN Tx throughput threshold exceeded. Recommended Action: User configured. Check bandwidth reports for tunnel bandwidth.

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: LAN Rx throughput threshold exceeded. [LAN Rx outbound] Recommended Action: User configured. Check bandwidth reports.

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Optimized flows count threshold exceeded. Recommended Action: User configured. Check flow and real-time connection reports.

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Total flows count threshold exceeded. Recommended Action: User configured. Check flow and real-time connection reports.

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: File system utilization threshold exceeded. Recommended Action: Disk is almost full. Under Support > Debug files, delete the old tcpdumps, snapshots, sysdumps, and show-tech files.

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Latency threshold exceeded. Recommended Action: User Configured. Check Latency reports. If latency is too high, check routing between the appliances and QoS policy on upstream routers. Check tunnel DSCP marking. If latency persists, contact Internet Service Provider (ISP) and Support.

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Pre-FEC loss threshold exceeded. Recommended Action: User configured. Check Loss Reports. Check for loss between EdgeConnect appliances (interface counters on upstream routers). Use network bandwidth measurement tools, such as iperf, to measure loss. Contact Internet Service Provider (ISP).

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Post-FEC loss threshold exceeded. Recommended Action: User configured. Check Loss Reports. Check for loss between EdgeConnect appliances (interface counters on upstream routers). Use network bandwidth measurement tools, such as iperf, to measure loss. Enable/Adjust Silver Peak Forward Error Correction (FEC). Contact ISP (Internet Service Provider).

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Out of order packets threshold exceeded. Recommended Action: User configured. Check Out-of-Order Packets Reports. Normal in a network with multiple paths and different QoS queues. Normal in a dual-homed router or four port in-line configuration. Contact Support if out-of-order packets are not % corrected.

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Corrected out of order packets threshold exceeded. Recommended Action: User configured. Check Out-of-Order Packets Reports. Normal in a network with multiple paths and different QoS queues. Normal in a dual-homed router or four port in-line configuration. Contact Support if out-of-order packets are not % corrected.

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Bandwidth utilization threshold exceeded. Recommended Action: User configured. Check bandwidth reports for tunnel bandwidth utilization.

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Low reduction threshold exceeded. [For Boost] Recommended Action: User configured. Check bandwidth reports for dedupe. Check if the traffic is pre-compressed or encrypted.

Alarm ID: | Severity: WARNING | Source: Appliance | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Appliance flow limit threshold exceeded. Recommended Action: If this condition persists, a larger appliance will be necessary to fully optimize all flows.

Orchestrator Alarms

Orchestrator can raise alarms based on issues with tunnels, software, and equipment.

Tunnels

System Type (Orchestrator); Source Type (Tunnel)

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/interfaces | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Interfaces with duplicate IP exists: { }. Recommended Action: No overlays will be applied to appliances with duplicate IP address.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/interfaces | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Interfaces with no public IP exists: { }. Recommended Action: No overlays will be applied to appliances with duplicate IP address.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/overlays | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Failed to apply overlays. Recommended Action: No overlays will be applied to appliances with duplicate IP address.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/overlays | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: ACL used in an overlay is not defined on the appliance. acl name: { } overlay name: { }. Recommended Action: ACLs can be created on the appliance by applying ACL templates.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/interfaces | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Interfaces with duplicate wan label exists: { }. Recommended Action: Assign unique labels to all WAN interfaces. No overlays will be applied to appliances with duplicate WAN labels.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/interfaces | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Interfaces with duplicate public IP exists: { }. Recommended Action: No overlays will be applied to appliances with duplicate IP addresses.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/tunnelgroups | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Failed to apply tunnel group. Recommended Action: Refer to the Audit logs for more details.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/interfaces | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Interface has bad IP address: { }. Recommended Action: No overlay tunnels will be built using this interface.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/tunnels | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot build tunnel with src IP { } and dest IP { }. IP versions mismatch. Recommended Action: Make sure the tunnel source and destination IP address are both ipv or are both ipv addresses.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Failed to apply labels. Recommended Action: Refer to the Audit logs for more details.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Failed to apply internal subnets. Recommended Action: Refer to the Audit logs for more details.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/applications | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Failed to apply application classification data to appliance. Recommended Action: Make sure the appliance can connect to Orchestrator. Refer to the Audit logs for more details.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/tunnels/ha | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Appliance has the same IPSec UDP port as the other HA peer; overlays will not be applied to this appliance. HA Peer: { }. Recommended Action: You can change the IPSec UDP Port of an appliance by editing the System Information from the System Information tab.

Alarm ID: | Severity: CRITICAL | Source: /orchestration | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Both Overlay Manager and Tunnel Group manager are ENABLED. Recommended Action: You can enable one or the other. Turn one of them OFF.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/overlays | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Overlay { } has no hub defined. No tunnels will be built between appliances that are part of this overlay. Recommended Action: To add a Hub to an Overlay, either (1) apply the Overlay to a Hub appliance or (2) go to the Hubs tab and make an appliance that is currently in the Overlay a Hub.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/overlays | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Overlay { } has no WAN ports defined. No tunnels will be built between appliances that are part of this overlay. Recommended Action: At least WAN port needs to be defined in an overlay.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/tunnelgroups | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Tunnel Group { } has no hub defined. No tunnels will be built between appliances that are part of this tunnel group. Recommended Action: To add a Hub to a Tunnel Group, either (1) apply the Tunnel Group to a Hub appliance or (2) go to the Hubs tab and make an appliance that is currently in the Tunnel Group a Hub.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/tunnelgroups | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Tunnel Group { } has no interfaces defined. No tunnels will be built between appliances that are part of this tunnel group. Recommended Action: Go to Tunnel Groups to configure interfaces.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/templates | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Failed to apply templates. Recommended Action: One or more templates failed to apply. Refer to the Audit Logs for more details.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Failed to apply port forwarding rules to appliance. Recommended Action: Make sure appliance can connect to Orchestrator. Refer to the Audit logs for more details.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/overlays | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Overlay { } is using local breakout without any interfaces selected. Recommended Action: Go to Business Intent Overlays to configure local break out interface.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/tunnels | Service Affecting: FALSE | Clearable: FALSE
Alarm Text: Maximum number of tunnels exceeded. { }. Recommended Action: Configure Overlays to create fewer tunnels.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/overlays | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: At least one region is missing a hub appliance. Recommended Action: To add a Hub to an Overlay, either (1) apply the Overlay to a Hub appliance or (2) go to the Hubs tab and make an appliance that is currently in the Overlay a Hub.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/tunnels | Service Affecting: FALSE | Clearable: FALSE
Alarm Text: Appliance has a duplicate hostname with another appliance in the network. No overlays will be built to this appliance. Recommended Action: Change the hostname of one of the appliances.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Orchestration failed. { }. Recommended Action: Go to the Audit Logs for more details.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/tunnels | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Duplicate IPSec UDP Port { } detected on the following appliances [{ }] that belong to site "{ }". Appliances sharing the same site name must have unique IPSec UDP port numbers. Orchestration for these appliances will be suspended until this is addressed. Recommended Action: You can change the IPSec UDP Port of an appliance on the System Information tab.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Failed to apply traffic behavior data to appliance. Recommended Action: Make sure appliance can connect to Orchestrator. Refer to the Audit logs for more details.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/zscaler | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Appliance does not have geo location information. Zscaler ZENs cannot be auto discovered. Recommended Action: Update appliance location in Configuration Wizard.

Alarm ID: | Severity: CRITICAL | Source: /orchestration | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Only IPSec UDP tunnel mode is supported on Edge HA devices. Recommended Action: Check Tunnel Settings.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/tunnels | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Edge HA peer { } has tunnels with source port { }. Orchestration will be skipped for this appliance until the conflicting tunnels are deleted. Recommended Action: Wait for the conflicting tunnels to tear down.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/tunnels | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: This appliance and appliances [{ }] have been manually configured with same IPSec UDP port { }. Orchestration will be paused on all the conflicting appliances until unique ports are assigned to the appliance. Recommended Action: You can change the IPSec UDP Port of an appliance on the System Information tab.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/internaldrops | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: { } exceeded threshold { } by { }% ({ }) at { }. Recommended Action: Check internal LAN.

Alarm ID: | Severity: MAJOR | Source: /orchestrator/integration/checkPoint | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Failed to create/update Check Point CloudGuard site: { }.

Alarm ID: | Severity: MINOR | Source: /orchestrator/orchestration/overlays | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Appliance does not have any wan labels required for an overlay. No tunnels will be built on this appliance for the overlay. Overlay name: { } wan labels: { }. Recommended Action: Assign at least one wan label selected for this overlay in the deployment configuration of the appliance.

Alarm ID: | Severity: MINOR | Source: /orchestrator/orchestration/overlays | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Appliance missing lan label { } for traffic access policy of overlay. No traffic on this appliance will be routed to the overlay. Overlay name: { }. Recommended Action: Assign a lan port the required lan label selected for this overlay in the deployment configuration of the appliance. If this appliance is in server mode, you should use an ACL instead of selecting a lan label in the overlay configuration.

Alarm ID: | Severity: WARNING | Source: /orchestration/overlays | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Mesh Overlay - { } has no hub defined. No tunnels will be built for Hub & Spoke Interface label { } for this overlay. Recommended Action: To add a Hub to an Overlay, either (1) apply the Overlay to a Hub appliance or (2) go to the Hubs tab and make an appliance that is currently in the Overlay a Hub.

Alarm ID: | Severity: WARNING | Source: /orchestration/tunnelgroups | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Mesh Tunnel Group - { } has no hub defined. No tunnels will be built for Hub & Spoke Interface label { } for this group. Recommended Action: To add a Hub to a Tunnel Group, either (1) apply the Tunnel Group to a Hub appliance or (2) go to the Hubs tab and make an appliance that is currently in the Tunnel Group a Hub.

Alarm ID: | Severity: WARNING | Source: /orchestrator/orchestration zscaler | Service Affecting: FALSE | Clearable: FALSE
Alarm Text: Appliance does not have public IP for wan label { }; auto discovered Zscaler ZENs may not be correct. Recommended Action: In the Deployment page, toggle the Not Behind NAT flag to NAT, or create a ZEN Override on the Zscaler tab.

Alarm ID: | Severity: WARNING | Source: /orchestration/overlays | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: At least one hub is not part of any overlay. Recommended Action: To add a Hub to an Overlay, either (1) apply the Overlay to a Hub appliance or (2) go to the Hubs tab and make an appliance that is currently in the Overlay a Hub.

Alarm ID: | Severity: WARNING | Source: /orchestration | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: At least one appliance is associated with a region and regional routing is currently disabled. Recommended Action: If regional routing is desired and has been authorized, go to Regional Routing and enable the feature.

Alarm ID: | Severity: WARNING | Source: /orchestrator | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: { } is only supported on inline router deployment mode appliances. Recommended Action: Choose "Deployment > Router" mode.

Alarm ID: | Severity: WARNING | Source: /orchestration | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Regional routing is enabled but { } not associated with any region, so no tunnel will be built. Recommended Action: Associate the appliance with a region or disable regional routing.

Alarm ID: | Severity: WARNING | Source: /orchestrator/interfaceBandwidth | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: { } Appliance { } Bandwidth for { } interface is below min threshold. Recommended Action: In Deployment page, update Inbound/outbound interface Bandwidth to be above the minimum Bandwidth (Orchestrator > Advanced Properties > interfaceBandwidthCheckPer TunnelOverhead).

Software

System Type (Orchestrator); Source Type (Software)

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/discovery/clone | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Orchestrator detected possible cloned appliances - cloned: { } clone: { }.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/system/backup | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Appliance backup failed: { }.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/system | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Appliances with the same serial numbers exist: { }. Recommended Action: If your appliances have duplicate serial numbers you may have applied the same license key on the appliances. They may also be cloned appliances if they are cloned. Contact Support for the correct steps on cloning appliances.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/connectivity | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Orchestrator cannot reach this appliance.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/system | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Appliance version not supported: { }.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/tunnels | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Appliance is configured with labels to build IPSec UDP tunnels, but the appliance version does not support IPSec UDP tunnels. Recommended Action: You can change the tunnel modes for labels in the Overlay Manager Settings.

Alarm ID: | Severity: CRITICAL | Source: /license | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Orchestrator requires a validated portal account name and key (or for NX/VX/VRX, a valid license key). Recommended Action: Go to Licensing to provide the required information.

Alarm ID: | Severity: CRITICAL | Source: /license | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Orchestrator portal account or license expired on { date}. Recommended Action: Go to Licensing to provide the required information.

Alarm ID: | Severity: CRITICAL | Source: /portal connectivity | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Orchestrator cannot connect to Silver Peak portal using HTTPS. Recommended Action: Check portal connection and refer to the Audit Logs for more information.

Alarm ID: | Severity: CRITICAL | Source: /portal registration | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Orchestrator cannot register with Silver Peak portal using credentials provided. Recommended Action: Go to Licensing to provide the required information.

Alarm ID: | Severity: CRITICAL | Source: /portal/license/cpx | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: CPX license expired on { date}. [Deprecated alarm] Recommended Action: Renew your license to avoid service interruption.

Alarm ID: | Severity: CRITICAL | Source: /portal/license/ec | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Your EdgeConnect account expired on { date}. EdgeConnect devices in your network will stop passing traffic. Recommended Action: Renew your license to avoid service interruption.

Alarm ID: | Severity: CRITICAL | Source: /portal/license/saas | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: SaaS license expired on { date}. Recommended Action: Renew your license to avoid service interruption.

Alarm ID: | Severity: CRITICAL | Source: /discovery/clone | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Discovered appliances list contains cloned appliances. Clones: { }. Recommended Action: Contact Support for information on how to correctly clone appliances.

Alarm ID: | Severity: CRITICAL | Source: /system/backup | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Orchestrator backup failed. Recommended Action: Go to Historical Jobs for details.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/applications | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Orchestrator failed to get update from portal for application definition data. Recommended Action: Check portal connection and refer to the Audit Logs for more information.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/applications | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Orchestrator failed to get update from portal for traffic behavior data. Recommended Action: Check portal connection and refer to the Audit Logs for more information.

Alarm ID: | Severity: CRITICAL | Source: /portal/registration | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Orchestrator is not registered with Silver Peak portal. Recommended Action: Use your previous Orchestrator to approve this one. If you do not have another Orchestrator, contact Support for assistance.

Alarm ID: | Severity: CRITICAL | Source: /orchestration | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Failed to connect to Zscaler. Recommended Action: Check Zscaler subscription.

Alarm ID: | Severity: CRITICAL | Source: /portal/license/cloudorch | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Your Orchestrator service will expire on { date}. Recommended Action: Contact the Silver Peak Sales team to order an extension.

Alarm ID: | Severity: CRITICAL | Source: /portal/license/ec | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Your EdgeConnect Boost expired on { date}. EdgeConnect devices in your network will stop using boost. Recommended Action: Renew your boost license to avoid service interruption.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/checkPoint | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Failed to connect to Check Point CloudGuard Connect Service. { }. Recommended Action: Check Check Point CloudGuard Connect subscription parameters.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/azure | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot get Azure data. Details : { }. Recommended Action: Check Azure subscription. Go to the Audit Logs for more details.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/azure | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot download Azure configuration. Details : { }. Recommended Action: Check Azure subscription.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/azure | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot create IPSEC Tunnels for Azure VPN Site - { } for appliance { } and label { }. Recommended Action: Associate Hub to Azure VPN Site using Azure Portal. If Hub is already associated, wait for deployment to complete to start Azure Orchestration.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/azure | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot Orchestrate association to Azure VWan. Recommended Action: Use VTI IP Pool Dialog to configure the subnet pool.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/azure | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot connect to Azure. Details : { }. Recommended Action: Check Azure subscription. Go to the Audit Logs for more details.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/system | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Appliance was manually added to Orchestrator. Recommended Action: Remove the appliance from Orchestrator, discover and approve it.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/overlays | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Custom bonding policy or secondary WAN interface configured in overlay but appliance does not support this feature. Recommended Action: Check overlay configuration or upgrade appliance.

Alarm ID: | Severity: CRITICAL | Source: /ikeless | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Invalid IPSec UDP Key Material lifetime. Lifetime must be greater than rotation period. Recommended Action: Change IPSec UDP Key Material lifetime.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/awstgnm | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot connect to AWS. Details : { }. Recommended Action: Check AWS subscription. Go to the Audit Logs for more details.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/awstgnm | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot Orchestrate association to AWS Transit Gateway. Recommended Action: Use AWS VTI Subnet Pool Dialog to configure the subnet pool.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/azure | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Azure VWAN has duplicate ASN in the network. Details : { }. Recommended Action: Use Azure Portal to assign unique ASNs to the VPN Sites.

Alarm ID: | Severity: CRITICAL | Source: /portal/registration | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Orchestrator cannot register with Silver Peak Cloud Portal. Recommended Action: Contact Support.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/routingSegmentation | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Routing Segmentation is only supported in inline-router mode. Recommended Action: Check the deployment mode.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/awstgnm | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot Orchestrate association to AWS Transit Gateway. No primary interface configured for AWS TGNM Integration. Recommended Action: Configure the primary interfaces using Interface Label dialog in AWS Network Manager tab.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/azure | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot Orchestrate association to Azure VWAN. { }. Recommended Action: Configure the interfaces using Interface Label dialog in Microsoft Azure Virtual WAN tab to proceed with the integration.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/awstgnm | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot create AWS Customer Gateway for Appliance { } and label { }. Reason - No valid interface public ip address found. Recommended Action: Ensure interface has public ip address. Refer to deployment page. No AWS Customer Gateway will be created with missing public IP.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/aws_tgnm | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot orchestrate AWS Transit Gateway Network Manager. Check the Audit log for more details. Recommended Action: Restart Orchestrator to restart AWS TGNM Orchestration.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/azure | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot orchestrate Azure Virtual WAN. Check the Audit log for more details. Recommended Action: Restart Orchestrator to restart Azure VWAN Orchestration.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/ikeless | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: New IPSec UDP Key Material will be activated at { }. Recommended Action: Ensure the appliance is reachable from Orchestrator.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/ikeless | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Orchestrator is unable to rotate IPSec UDP key material. Recommended Action: Ensure the appliance is reachable from Orchestrator.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/ikeless | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Unable to activate IPSec UDP Key Material. IPSec UDP tunnels will go down without activation. Recommended Action: Go to the Audit Logs for more details.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/orchestration/hung | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Orchestration of the appliance is in-progress for more than hrs. Recommended Action: Reboot Orchestrator.

Alarm ID: | Severity: CRITICAL | Source: /orchestrator/customCerts | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Orchestrator must be restarted if changes are made using the Custom CA Certificate Trust Store dialog box, such as enabling or disabling the Trust Store, or adding or deleting Trust Store certificates. Recommended Action: Restart Orchestrator to apply Trust Store changes.

Alarm ID: | Severity: CRITICAL | Source: /orchestration/serviceOrchestration | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot Orchestrate association of Remote Endpoints for { } service. No primary/backup interfaces configured. Recommended Action: Configure the primary/backup interfaces using Interface Label dialog in Service Orchestration tab.

Alarm ID: | Severity: CRITICAL | Source: /connectivity/statsCollector | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Unable to establish connection with stats collector. Recommended Action: Unable to establish connection with stats collector. Check the status of Stats collector. It may not be running.

Alarm ID: | Severity: CRITICAL | Source: arubaCentral | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Cannot connect to Aruba Central. Details : { }. Recommended Action: Check Aruba Central subscription. Go to the Audit Logs for more details.

Alarm ID: | Severity: MAJOR | Source: /orchestrator/system/time | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Appliance time is off from that of Orchestrator: { }. Recommended Action: Check interface speed/duplex settings and negotiated values on wan /wan and lan /lan ether-channel groups.

Alarm ID: | Severity: MAJOR | Source: /orchestrator/system | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Appliance needs to be rebooted. Recommended Action: You can reboot the appliance under Administration > Tools > Reboot > Appliance Reboot / Shutdown.

Alarm ID: | Severity: MAJOR | Source: /orchestrator/system | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Appliance configuration changes have not been saved. Recommended Action: You can save appliance changes under Administration > Setup > Save Appliance Changes.

Alarm ID: | Severity: MAJOR | Source: /license | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Orchestrator portal account or license will expire on { date}. Recommended Action: Go to Licensing to provide the required information.

Alarm ID: | Severity: MAJOR | Source: /email/alarm | Service Affecting: FALSE | Clearable: FALSE
Alarm Text: Orchestrator does not have a set email address for alarm delivery. Recommended Action: Go to Alarms to configure email recipient(s).

Alarm ID: | Severity: MAJOR | Source: /email/smtp | Service Affecting: FALSE | Clearable: FALSE
Alarm Text: Orchestrator is using the default SMTP settings. Recommended Action: Go to SMTP Server Settings to configure SMTP server.

Alarm ID: | Severity: MAJOR | Source: /email/smtp | Service Affecting: FALSE | Clearable: FALSE
Alarm Text: Orchestrator SMTP settings are blank. Recommended Action: Go to SMTP Server Settings to configure SMTP server.

Alarm ID: | Severity: MAJOR | Source: /email/smtp | Service Affecting: FALSE | Clearable: FALSE
Alarm Text: Failed to deliver an email. Recommended Action: Check SMTP Server Settings.

Alarm ID: | Severity: MAJOR | Source: /system/support | Service Affecting: FALSE | Clearable: FALSE
Alarm Text: Silver Peak diagnostic remote access has been enabled from { } to { }. Recommended Action: You can disable this in the Remote Access Settings.

Alarm ID: | Severity: MAJOR | Source: /orchestrator/preconfiguration | Service Affecting: FALSE | Clearable: TRUE
Alarm Text: Failed to apply appliance preconfiguration. Recommended Action: Applying preconfiguration to an appliance failed. Refer to the Preconfiguration tab and Audit logs for more details.

Alarm ID: | Severity: MAJOR | Source: /orchestration | Service Affecting: TRUE | Clearable: FALSE
Alarm Text: Changes done on the appliance will not be auto saved. Enable Auto Save in Orchestration Settings. Recommended Action: Enable Auto Save in Orchestration Settings.

Alarm ID: | Severity: MAJOR | Source: /orchestrator/orchestration/bgp | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Duplicate ASNs found in the network for appliances - { } with asn - { }. Recommended Action: Assign unique ASNs for appliances using Orchestrator BGP menu.

Alarm ID: | Severity: MAJOR | Source: /orchestrator/orchestration/bgp | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Invalid ASN found in the network for appliance - { } with asn - { }. Recommended Action: Assign unique ASN for the appliance using Orchestrator BGP menu.

Alarm ID: | Severity: MAJOR | Source: /orchestrator/orchestration/aws_tgnm | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Invalid ASN found in the network for appliance - { } with asn - { }. Amazon EC supports all -byte ASN numbers in the range of - , with the exception of , which is reserved in the us-east- Region, and , which is reserved in the eu-west- Region. Recommended Action: Assign unique ASN for the appliance using Orchestrator BGP menu.

Alarm ID: | Severity: MAJOR | Source: /orchestration/zscaler/ipsla | Service Affecting: TRUE | Clearable: TRUE
Alarm Text: Source Interface is not configured in the IP SLA configuration on Zscaler Internet Access. Recommended Action: Configure the Source Interface for the Zscaler IP SLA configuration.

Severity: MAJOR
Alarm Text: Failed to initialize connection with ClearPass Policy Manager. { }. Recommended Action: Check ClearPass Policy Manager server parameters.
Source: /orchestration/clearPass
Service Affecting: TRUE; Clearable: TRUE

Severity: MAJOR
Alarm Text: Failed to connect with ClearPass Policy Manager service endpoints. { }. Recommended Action: Check the Audit Logs for details.
Source: /orchestration/clearPass
Service Affecting: TRUE; Clearable: TRUE

Severity: MAJOR
Alarm Text: Unable to connect to one or more Stats Collectors. Recommended Action: Go to Orchestrator > Software & Setup > Setup > Stats Collector Configuration to identify issues. Take steps to restore connectivity.
Source: /connectivity/statsCollector
Service Affecting: FALSE; Clearable: TRUE

Severity: MAJOR
Alarm Text: There were { } failed attempts to login over last minutes.
Source: /authentication
Service Affecting: FALSE; Clearable: FALSE

Severity: MINOR
Alarm Text: Backup configuration not set. Recommended Action: Go to Backup to schedule backup or backup now.
Source: /system/backup
Service Affecting: TRUE; Clearable: TRUE

Severity: MINOR
Alarm Text: Appliance does not have any wan labels required for Azure VWAN Orchestration. No third party tunnels will be built on this appliance. Recommended Action: Use appliance deployment to assign at least one wan label matching Azure VWAN Interface Label list.
Source: /orchestrator/orchestration/azure
Service Affecting: TRUE; Clearable: TRUE

Severity: MINOR
Alarm Text: Appliance does not have any wan labels required for AWS TGNM Orchestration. No third party tunnels will be built on this appliance. Recommended Action: Use appliance deployment to assign at least one wan label matching AWS Interface Label list.
Source: /orchestrator/orchestration/aws_tgnm
Service Affecting: TRUE; Clearable: TRUE

Severity: MINOR
Alarm Text: Appliance does not have any wan labels required for { } Orchestration. No third party tunnels will be built on this appliance. Recommended Action: Use appliance deployment to assign at least one wan label matching Third party service Interface Label list.
Source: /orchestrator/orchestration/serviceOrchestration
Service Affecting: TRUE; Clearable: TRUE

Severity: MINOR
Alarm Text: HA Sync Communication is not enabled. Recommended Action: Follow release documents to enable this feature.
Source: /orchestration/deployment
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Orchestrator portal account or license will expire on { date}. Recommended Action: Go to Licensing to provide the required information.
Source: /license
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Orchestrator cannot connect to Silver Peak portal using HTTPS. Recommended Action: Check portal connection and refer to the Audit Logs for more information.
Source: /portal/connectivity
Service Affecting: TRUE; Clearable: TRUE

Severity: WARNING
Alarm Text: CPX license will expire on { date}. [Deprecated alarm] Recommended Action: Renew your license to avoid service interruption.
Source: /portal/license/cpx
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: CPX license will expire on { date}. [Deprecated alarm] Recommended Action: Renew your license to avoid service interruption.
Source: /portal/license/cpx
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: CPX license will expire on { date}. [Deprecated alarm] Recommended Action: Renew your license to avoid service interruption.
Source: /portal/license/cpx
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Your EdgeConnect account will expire in { } day(s). EdgeConnect devices in your network will stop passing traffic on { date}. Recommended Action: Renew your license to avoid service interruption.
Source: /portal/license/ec
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Your EdgeConnect account will expire in { } day(s). EdgeConnect devices in your network will stop passing traffic on { date}. Recommended Action: Renew your license to avoid service interruption.
Source: /portal/license/ec
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Your EdgeConnect account will expire in { } day(s). EdgeConnect devices in your network will stop passing traffic on { date}. Recommended Action: Renew your license to avoid service interruption.
Source: /portal/license/ec
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: SaaS license will expire on { date}. Recommended Action: Renew your license to avoid service interruption.
Source: /portal/license/saas
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: SaaS license will expire on { date}. Recommended Action: Renew your license to avoid service interruption.
Source: /portal/license/saas
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: SaaS license will expire on { date}. Recommended Action: Renew your license to avoid service interruption.
Source: /portal/license/saas
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Orchestrator deployment size has exceeded the recommended level of { } appliances. Recommended Action: Contact Support to increase cloud resource allocation.
Source: /system/database
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Some appliances are paused from orchestration. Recommended Action: Go to Pause Orchestration List to see detail.
Source: /orchestration
Service Affecting: TRUE; Clearable: FALSE

Severity: WARNING
Alarm Text: Apply Overlays is currently disabled. Recommended Action: Enable Apply Overlays in Orchestration Settings.
Source: /orchestration
Service Affecting: TRUE; Clearable: FALSE

Severity: WARNING
Alarm Text: Apply Templates is currently disabled. Recommended Action: Enable Apply Templates in Orchestration Settings.
Source: /orchestration/templates
Service Affecting: TRUE; Clearable: FALSE

Severity: WARNING
Alarm Text: Your EdgeConnect Boost will expire in { } day(s). EdgeConnect devices in your network will stop using boost on { date}. Recommended Action: Renew your boost license to avoid service interruption.
Source: /portal/license/ec
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Your EdgeConnect Boost will expire in { } day(s). EdgeConnect devices in your network will stop using boost on { date}. Recommended Action: Renew your boost license to avoid service interruption.
Source: /portal/license/ec
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Your EdgeConnect Boost will expire in { } day(s). EdgeConnect devices in your network will stop using boost on { date}. Recommended Action: Renew your boost license to avoid service interruption.
Source: /portal/license/ec
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Paused stats collection for some of the appliances.
Source: /orchestration
Service Affecting: FALSE; Clearable: FALSE

Severity: WARNING
Alarm Text: Stats Collection is paused and will resume after Orchestrator backup is completed.
Source: /orchestration/backup
Service Affecting: TRUE; Clearable: TRUE

Severity: WARNING
Alarm Text: Check Point CloudGuard Connect orchestration is paused.
Source: /orchestration/checkPoint
Service Affecting: FALSE; Clearable: FALSE

Severity: WARNING
Alarm Text: Zscaler Internet Access orchestration is paused.
Source: /orchestration/zscaler
Service Affecting: FALSE; Clearable: FALSE

Severity: WARNING
Alarm Text: Microsoft Azure Virtual WAN orchestration is paused.
Source: /orchestration/azure
Service Affecting: FALSE; Clearable: FALSE

Severity: WARNING
Alarm Text: Could not allocate IPs from Loopback Pool { }. Recommended Action: Change Loopback pool with enough IPs in Loopback Orchestration tag.
Source: /orchestrator/orchestration
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Loss and Latency metrics are available for IPSLA monitors with appliance version later than { }. Recommended Action: Upgrade appliance to enable loss and latency metrics for IPSLA.
Source: /orchestrator/orchestration/ipsla
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Best internet breakout is configured in overlay, but appliance does not support this feature (Deprecated). Recommended Action: Check overlay configuration or upgrade appliance.
Source: /orchestrator/orchestration/overlays
Service Affecting: TRUE; Clearable: FALSE

Severity: WARNING
Alarm Text: Shell access settings are different on the appliance than on Orchestrator. Recommended Action: Reconcile shell access setting. Matching Orchestrator policy with appliance setting is recommended.
Source: /orchestrator/orchestration/shellAccessSetting
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Connection not established for websocket receiver: { }. Recommended Action: Check websocket receiver configuration.
Source: remoteLogWebSocket
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: AWS Transit Gateway Network Manager orchestration is paused.
Source: /orchestration/aws_tgnm
Service Affecting: FALSE; Clearable: FALSE

Severity: WARNING
Alarm Text: A new maintenance alert was received from Silver Peak.
Source: /portal/SilverPeakMaintenance
Service Affecting: TRUE; Clearable: TRUE

Severity: WARNING
Alarm Text: Stats Collection is lagging behind.
Source: /orchestrator/statistics
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Inter-Segment Routing & D-NAT rules have duplicate ip address with existing Inter-Segment Routing & D-NAT Exceptions rules. Recommended Action: Check the Inter-Segment Routing & DNAT rules and solve the duplicate ip address.
Source: /orchestrator/routingSegmentation
Service Affecting: TRUE; Clearable: TRUE

Severity: WARNING
Alarm Text: This appliance does not support Routing Segmentation. Recommended Action: Upgrade the appliance.
Source: /orchestrator/routingSegmentation
Service Affecting: TRUE; Clearable: TRUE

Severity: WARNING
Alarm Text: ClearPass Policy Manager session paused.
Source: /orchestration/clearPass
Service Affecting: FALSE; Clearable: FALSE

Severity: WARNING
Alarm Text: Stats Collection is paused and will resume after Orchestrator backup is completed.
Source: /orchestration/backup
Service Affecting: FALSE; Clearable: TRUE

Severity: WARNING
Alarm Text: Some of the Aruba Central sites don't have lat and lon. Site Name : { }.
Source: /arubaCentral/arubaCentral
Service Affecting: FALSE; Clearable: TRUE

Equipment: System Type (Orchestrator); Source Type (Equipment)

Severity: CRITICAL
Alarm Text: Failed to get database connection. Details: { }. Recommended Action: Reserve required Memory and CPU.
Source: /system/resource
Service Affecting: TRUE; Clearable: TRUE

Severity: MAJOR
Alarm Text: Disk partition { } is dangerously full - { }% used. Recommended Action: Go to Server Information to see detailed disk usage.
Source: /system/disk
Service Affecting: FALSE; Clearable: FALSE

Severity: MAJOR
Alarm Text: One or more Stats Collectors are critically low on disk space. Recommended Action: Go to Orchestrator > Software & Setup > Setup > Stats Collector Configuration and review disk usage. Increase disk size where needed.
Source: /system/disk/statsCollector
Service Affecting: FALSE; Clearable: FALSE

Severity: WARNING
Alarm Text: Disk partition { } is more than { }% used. Recommended Action: Go to Server Information to see detailed disk usage.
Source: /system/disk
Service Affecting: FALSE; Clearable: FALSE

Monitoring > Reporting
The options under Monitoring > Reporting focus on creating, managing, scheduling, and viewing Orchestrator reports.

Schedule and Run Reports

Monitoring > Reporting > Schedule & Run Reports
Use the Schedule & Run Reports tab to create, configure, run, schedule, and distribute reports. You can specify what you want to include in your report based on appliances, the time range of the report, traffic type, and the types of charts to include. You can also specify email recipients for the report.
Reports and statistics help you bracket a problem, question, or analysis. Orchestrator reports fall into two broad categories:

· Statistics related to network and application performance. These provide visibility into the network, enabling you to investigate problems, address trends, and evaluate your WAN utilization.
· Reports related to status of the network and appliances. For example, alarms, threshold crossing alerts, reachability between Orchestrator and the appliances, scheduled jobs, and so forth.

Configure the following in this tab:

· Global Report - By default, Orchestrator emails this preconfigured subset of charts every day. Clicking on a chart's image opens the associated tab in the browser.
  - To access all reports residing on the Orchestrator server, click View Reports.
· Name of the report.
· Email Recipients - Enter the email address to which to send the report.
  - To send a test email or to configure another SMTP server instead, navigate to Orchestrator > Software & Setup > Setup > SMTP Server Settings.
  - If a test email does not arrive within minutes, check your firewall.
· Default range of reports - Daily = days, Hourly = hours. Increasing the scope uses additional memory.
· A Scheduled or Single Report.

Additionally, you can specify the following for a generated report:

· Appliances in Report - Fill in the box or click Use Tree Selection to display appliances.
· Amount of Top Reports ( , , , , ).
· Traffic Type.
· Select the check boxes next to the following charts to be included in the report:
  - Application Charts
  - Tunnel Charts
  - Appliance Charts
· Lock Scales for Local Trends - Automatically scales graphs for specified scheduled reports.

TIP: To specify the timezone for scheduled jobs and reports, navigate to Orchestrator > Software & Setup > Setup > Timezone for Scheduled Jobs.

View Reports
Monitoring > Reporting > View Reports
Use this tab to view and download reports in PDF form. Reports can be filtered by keywords or sorted by name, size, or date last modified. These reports can also be emailed depending on the configuration set on the Schedule & Run Reports tab.

Scheduled and Historical Jobs
Monitoring > Reporting > Scheduled & Historical Jobs
This tab has two views:
· It provides a central location for viewing and deleting scheduled jobs, such as appliance backup and any custom reports configured for distribution.
· It provides a central location for viewing historical jobs.

Monitoring > Bandwidth
The options under Monitoring > Bandwidth focus on reports related to performance, traffic, and appliance status. Additionally, Threshold Crossing Alerts are helpful in monitoring your network.
Overlay-Interface-Transport
Monitoring > Bandwidth > Overlays & Interfaces > Overlay-Interface-Transport These charts display the distribution of traffic across three dimensions--overlays, interfaces, and transport. You can view each option individually, or in relation to another. For instance, for a given interface, you can see how the overlay traffic is distributed. You can also view how much traffic is transported from one EdgeConnect appliance to another on the SD-WAN fabric (Overlays), versus how much is broken out locally, direct to the internet. The Underlay legend displays non-overlay traffic.

Interface Bandwidth Trends
Monitoring > Bandwidth > Overlays & Interfaces > Interface Trends
The Interface Bandwidth Trends tab shows interface statistics for a single selected appliance in real time or for a specific period. Real time charts show the past five minutes of usage and refresh every second. By default, charts display transmit and receive statistics for bandwidth and firewall denies. You can toggle peak statistics or maximum bandwidth statistics on or off by clicking the sample indicator line next to each statistic name.

You can customize the chart settings using the controls at the top of the tab, as follows:

· Time period - Click Real Time to enable live statistics for all available interfaces. Click a predefined time period ( h, h, d, d) to display statistics over the last hour, four hours, day, or seven days. Click Custom and set your own custom time range to display statistics for that time period.
· Packets/bps - Click Packets to display statistics according to the number of packets sent and received. Click bps to display statistics for bits per second sent and received.
· Show in UTC - Click this option to toggle chart times between local appliance time or UTC.
· Large - Click this option to toggle the size of the charts between smaller (default) and large.
· Lock Scale - By default, each chart uses its own scale that is relative to the data displayed. Click this option to apply and lock the same scale to each chart.
· Payload - By default, charts show complete bandwidth usage statistics--payload plus all SD-WAN overhead (headers, FEC, and so forth). To see bandwidth usage for payload only, click to enable the Payload button.

Interface Summary
Monitoring > Bandwidth > Overlays & Interfaces > Interface Summary This tab shows interface summary statistics, including inbound and outbound Packets or Bytes per interface, as well as Firewall Denies (Drops). Statistics are summarized for the selected time period.


Application Bandwidth
Monitoring > Bandwidth > Applications > Summary The Application Bandwidth chart shows which applications have sent the most bytes.
Application Pie Charts
Monitoring > Bandwidth > Applications > Pie Charts The Application Pie Charts show what proportion of the bytes an application consumes on the LAN and on the WAN.

· Mousing over the charts and the legends reveals additional information.
· The WAN charts identify what percentage of the bandwidth the EdgeConnect appliance saved by optimizing the traffic.

Application Trends
Monitoring > Bandwidth > Applications > Trends This tab shows application trends over time.

Top Talkers
Monitoring > Bandwidth > Identifiers > Top Talkers This tab lists the IP addresses that use the most bandwidth.

You can also view each IP's destinations.

Domains
Monitoring > Bandwidth > Identifiers > Domains

This tab lists the domains that use the most bandwidth.
The number of Subdomains selected determines how the table aggregates subdomains for display. An asterisk (*) indicates that more subdomains would be displayed if a higher number were selected. This is not a filter, but rather a grouping convenience.

Countries
Monitoring > Bandwidth > Identifiers > Countries This tab lists the countries that use the most bandwidth.

Ports
Monitoring > Bandwidth > Identifiers > Ports This tab lists the ports that use the most bandwidth.

Traffic Behavior
Monitoring > Bandwidth > Identifiers > Traffic Behavior The Traffic Behavior report identifies and categorizes traffic based on low-level characteristics of the data streams. The behavior types are:
· Voice
· Video Conferencing
· Video Streaming
· Bulk Data Transfer
· Interactive
· Undetermined
You can also specify these categories as match criteria when creating policies or ACLs (Access Control Lists).

Appliance Bandwidth
Monitoring > Bandwidth > Appliances > Summary The Appliance Bandwidth chart lists the top appliances based on the total volume of inbound and outbound traffic before reduction. It shows how many bytes the EdgeConnect appliance saved when transferring data, aggregated over a selectable time period.

Appliance Max Bandwidth
Monitoring > Bandwidth > Appliances > Max The Appliance Max Bandwidth chart lists the top appliances by the peak throughput (in either direction) within a selected time period. It compares the system bandwidth of the appliance to the effective bandwidth it is providing.

Appliance Bandwidth Utilization
Monitoring > Bandwidth > Appliances > Utilization The Appliance Bandwidth Utilization chart lists the top appliances by the average percent of available bandwidth used. This helps you determine whether an appliance that is optimizing traffic is reaching its capacity.

Appliance Bandwidth Trends
Monitoring > Bandwidth > Appliances > Trends The Appliance Bandwidth Trends chart shows bandwidth usage over time. For each Business Intent Overlay, the Link Bonding Policy specified determines the bandwidth efficiency. To guarantee service quality levels, High Availability requires the most overhead, and High Efficiency requires the least. Charts display the total bandwidth used. The Payload option shows how much raw data is transmitted. At the same time, it exposes the Peaks option, which enables the viewing of peak transmissions.
Appliance Packet Counts
Monitoring > Bandwidth > Appliances > Packet Counts The Appliance Packet Counts chart lists the top appliances according to the sum of the inbound and outbound LAN packets, showing how much tra ic was sent.

Tunnels Bandwidth
Monitoring > Bandwidth > Tunnels > Summary The Tunnel Bandwidth chart shows the tunnels that are sending the most bytes--that is, the most active tunnels.
Underlays are actual IPSec tunnels and physical paths taken (such as MPLS). Overlays are logical tunnels created for different traffic types and policies (such as VoIP).

Traceroute
This shows trace route information between the tunnel source and destination IP addresses. It shows intermediate hops, their IP addresses, and the latency between each hop.

Live View
Live View shows the live bandwidth, loss, latency, and jitter on all the tunnels. For an overlay, it also shows live tunnel states--Up, Browned Out, or Down.

LiveView shows in real time how synergy is created to maintain coverage. The real-time chart shows the SD-WAN overlay at the top and the underlay networks at the bottom. The overlay is green and is delivering consistent application performance while both underlays are in persistent brown-out state.
Tunnels Pie Charts
Monitoring > Bandwidth > Tunnels > Pie Charts The Tunnel Bandwidth Pie Charts show the proportion of the bytes a tunnel consumes on the LAN and on the WAN.
· Hovering over the charts and the legends reveals additional information.
· The WAN charts identify the percentage of the bandwidth the appliance saved by optimizing the traffic.

Tunnel Bandwidth Trends
Monitoring > Bandwidth > Tunnels > Trends The Tunnel Bandwidth Trends chart shows tunnel bandwidth usage over time.

· For each Business Intent Overlay, the specified Link Bonding Policy determines the bandwidth efficiency.
· To guarantee service quality levels, High Availability requires the most overhead and High Efficiency requires the least.
· Charts display the total bandwidth used.
· The Payload option shows how much raw data is transmitted. At the same time, it exposes the Peaks option, which enables the viewing of peak transmissions.
NOTE: Underlay tunnels are a shared resource among overlays. Therefore, underlay charts display aggregated data.
Tunnel Packet Counts
Monitoring > Bandwidth > Tunnels > Packet Counts The Tunnel Packet Counts chart shows the tunnels that sent the most packets.


DRC Bandwidth Trends
Monitoring > Bandwidth > Tunnels > DRC Trends The DRC Bandwidth Trends tab shows Dynamic Rate Control statistics over time. Dynamic Rate Control allows the Hub to regulate the tunnel traffic by lowering each remote appliance's Tunnel Max Bandwidth. The smallest possible value is that appliance's Tunnel Min(imum) Bandwidth.

Dynamic Rate Control

Tunnel Max Bandwidth is the maximum rate at which an appliance can transmit.
Auto BW negotiates the link between a pair of appliances. In this example, the appliances negotiate each link down to the lower value ( Mbps).

However, if A and B transmit at the same time, Hub could easily be overrun. If Hub experiences congestion:

· Enable Dynamic Rate Control allows the Hub to regulate the tunnel traffic by lowering each remote appliance's Tunnel Max Bandwidth. The smallest possible value is that appliance's Tunnel Min(imum) Bandwidth.
· Inbound BW Limit caps how much the appliance can receive.

Flows - Active and Recent
Monitoring > Bandwidth > Flows > Active & Recent Flows The Flows tab enables you to view, filter, and manage flows for all your appliances. This tab also generates the Active & Recent Flows report, with or without filtering. This report retrieves the maximum number of most recent flows that are evenly distributed among the selected appliances.

Field - Description

· Application - Includes built-in applications, custom applications, and user-created application groups. Select the text field and a list displays. Choose the application you want to apply to your flow or enter the exact application you want to apply.
· App Group - Includes the application group created by the user. Select the text field and a list displays. Choose the application group you want to apply to your flow or enter the exact application group you want to apply.
· Domain - Includes the domain you can specify to filter your flow. Use the format .domain. or __.domain.[com, info, edu, org, net,* and so forth.*]* Select the text field and a list displays. Choose the domain you want to apply.
· Protocol - You can specify the protocol you want to apply to your filter. Select the text field and a list displays. You can select all or specify an individual protocol to apply.
· IP/Subnet - This shows the flows that match both SRC IP and DEST IP as the two endpoints if SRC:DEST is enabled. If not enabled, all sources will appear when the filter is applied. You can apply this filter by pressing Enter without selecting the Apply button.
· Port - This displays ports with SRC and DEST as the two endpoints if SRC:DEST is enabled. If not enabled, all ports will appear when the filter is applied.
· Segment - Displays flows originating in the specified segment. Click the double arrow icon to enable both fields and filter by destination segments as well.
· Zone - You can filter flows to the desired firewall zone. Select the text field and a list displays. If the From:To check box is not enabled, flows are filtered from and to the specified zone. If the check box is enabled, the flows are filtered from both the filtered From:To zones.
· VLAN - Identifies the Virtual Local Area Network of a packet. Enter the VLAN ID you want to apply to your flow in the text field. EdgeConnect supports up to VLANs.
· DSCP - Select the desired DSCP from the list. You can choose any or a specified DSCP from the list.
· Overlay - The overlay the flows are applied to. Overlays are defined on the Business Intent Overlay tab.

Field - Description

· Transport - Select any of the three transport types: SD-WAN, Breakout, and Underlay. You can also apply a third-party service in this column if you have one configured.
· Flow Characteristics - You can apply any of the following flow characteristics to your flow: Boosted, Directly Attached, Pass-Through, Stale, Route Dropped, Firewall Dropped, Asymmetric, and Slow Devices. NOTE: You can select only one flow characteristic at a time.
· Include EdgeHA - If not selected, Edge HA flows are excluded (default). If selected, the flows between Edge HA will be included.
· Include Built-In - Includes the built-in policy flows. If not selected, they are excluded (default). If selected, they will be included.
· Active/Ended - Select whether to filter on active or ended flows. If selected, you can designate the start or end time of the flow in the drop-down. If Custom is selected, date widgets are enabled so you can specify an exact time frame.
· Duration - Shows flows that have lasted through a specific time frame. You can select < (less than) or > (greater than), and enter a specific duration (in minutes).
· Bytes - You can specify whether to filter flows by their total bytes transferred or by bytes transferred within the last five minutes.
· Filter - This list has all the saved filters. When selected, the filter configurations are loaded. See more information below about the Filter option.

Filter
You can configure specific filters in this field. Select the drop-down menu to see a list of default filters you can apply to your flows. When configured, you can add, edit, or delete filters if you select the edit icon. Complete the following steps to add a filter:
1. Select the Edit icon next to the Filter drop down.
2. Create a filter or select one from the list.
3. Select +Add.
4. Select Save.
You can also select the history tab with the two arrows next to the Filter field if you want to go back to a previously applied filter. A maximum of previously applied filters can be saved.

Reclassify or Reset Flows

· You can Reclassify or Reset [Selected / All Returned / All] flows:
  - Resetting the flow kills it and restarts it. It is service-affecting.
  - Reclassifying the flow is not service-affecting. If a policy change makes a flow stale or inconsistent, then reclassifying makes a best effort attempt to conform the flow to the change. If the flow cannot be successfully "diverted" to this new policy, then an Alert asks if you want to reset.
  - Selected flows are individually selected; All Returned results from filtering (up to the max number of returnable flows); and All refers to all flows, visible or not.

· To export the table as a .csv file, select Export.
· Reduction (%) refers to reduced WAN traffic, relative to a specific appliance:
  - Reduction (%) for Outbound traffic = (Received from LAN - Transmitted to WAN) / Received from LAN
  - Reduction (%) for Inbound traffic = (Transmitted to LAN - Received from WAN) / Transmitted to LAN

· Flow Details are primarily to assist Silver Peak in troubleshooting and debugging.
· To set the column visibility, right-click any header in the Flows table. This will enable you to hide or unhide any selected fields.

· You can also select, drag, and drop any of the columns in the table to the order you want.

Note the following version-specific and general information about flows:

ECOS (version-specific)
All flows in drop state are reset at flow reclassify time, overriding the intervals described below.

ICMP/UDP Flows
· For any non-TCP connection (such as ICMP or UDP), a flow is deleted only from inactivity.
· The inactivity timeout is three minutes for this type of flow. For example, after a ping connection is stopped, the flow still appears in the "Current Flows" for three minutes. This setting can be modified by using the system template.

TCP Non-Accelerated Flows
· For a TCP connection, a flow is deleted under different timeouts. A half-open (single SYN) connection stays for two minutes if the connection does not establish correctly. A half-close (single FIN) or unclean-close (RST) deletes the connection after two minutes. A normal close (FIN-FIN) deletes the connection almost immediately.
· A TCP connection also has an inactivity timeout. If no activity is detected on an established TCP connection for minutes (by default), the flow is deleted. This setting can be modified by using the system template.

TCP Accelerated Flows

· Timeout is determined by the configured Keep Alive Timers.

– A heartbeat ACK is sent to idle endpoints after ten minutes.
– If the endpoints have closed, an RST is returned and the connection is deleted after two more minutes because of the unclean close.

· The timers can be modified per sequence number by using the Optimization Template.
– Idle Timeout: The period of time that a TCP connection has to be idle before a keep-alive is sent. (Default seconds)
– Probe Interval: The time in seconds between each keep-alive probe. (Default seconds)
– Probe Count: The number of times TCP probes the connection to determine whether it is alive after the keep-alive option has been activated. The connection is assumed to be lost after this number of keep-alive probes has been sent. (Default )
· Auto Reset Flows – Enables or disables the auto-reset of TCP flows. If an appliance first sees a connection after the handshake has already completed, the connection normally remains, but without TCP Acceleration. If this feature is enabled and such a connection is reclassified in the Flows report, it is reset around seconds later. When the endpoints re-establish the flow, it is subject to the optimization and route policies it matches. This feature is disabled by default. It can be enabled per sequence number by using the Optimization Template.
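The deletion rules above, written out as a small flow-table ageing routine. This is an added example, not code from the guide or from the EdgeConnect appliance: it models the stated timeouts for non-TCP, half-open, half-closed, reset, cleanly closed and established flows, the keep-alive heartbeat for accelerated flows, and the reset of drop-state flows at reclassify time. The established-flow inactivity default is not legible in this copy of the guide, so TCP_ESTABLISHED_IDLE_MIN is a placeholder, and the flow table is constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List


class FlowState(Enum):
    NON_TCP = "non-tcp"              # ICMP, UDP and other non-TCP flows
    TCP_HALF_OPEN = "syn-only"       # single SYN, handshake never completed
    TCP_ESTABLISHED = "established"  # handshake completed
    TCP_HALF_CLOSE = "fin"           # single FIN seen
    TCP_UNCLEAN_CLOSE = "rst"        # RST seen
    TCP_NORMAL_CLOSE = "fin-fin"     # both sides closed cleanly


# Timeouts in minutes, as stated in the guide.
NON_TCP_INACTIVITY_MIN = 3
TCP_HALF_OPEN_MIN = 2
TCP_HALF_CLOSE_MIN = 2
TCP_UNCLEAN_CLOSE_MIN = 2
KEEPALIVE_HEARTBEAT_MIN = 10
# Placeholder: the default established-TCP inactivity timeout is not legible in
# this copy of the guide. Take the real value from the system template.
TCP_ESTABLISHED_IDLE_MIN = 60


@dataclass
class Flow:
    flow_id: str
    state: FlowState
    idle_minutes: float
    accelerated: bool = False   # TCP Acceleration applied to this flow
    drop_state: bool = False    # flow currently matches a drop policy


def heartbeat_due(flow: Flow) -> bool:
    """Accelerated, established TCP flows are probed with a heartbeat ACK once idle
    for the keep-alive period; the probe's outcome, not the plain idle timer, decides
    deletion (an RST reply deletes the flow two minutes later as an unclean close)."""
    return (flow.accelerated
            and flow.state is FlowState.TCP_ESTABLISHED
            and flow.idle_minutes >= KEEPALIVE_HEARTBEAT_MIN)


def should_delete(flow: Flow) -> bool:
    """Apply the per-state deletion rule to one flow-table entry."""
    s, idle = flow.state, flow.idle_minutes
    if s is FlowState.NON_TCP:
        return idle >= NON_TCP_INACTIVITY_MIN
    if s is FlowState.TCP_NORMAL_CLOSE:
        return True                      # FIN-FIN: removed almost immediately
    if s is FlowState.TCP_HALF_OPEN:
        return idle >= TCP_HALF_OPEN_MIN
    if s is FlowState.TCP_HALF_CLOSE:
        return idle >= TCP_HALF_CLOSE_MIN
    if s is FlowState.TCP_UNCLEAN_CLOSE:
        return idle >= TCP_UNCLEAN_CLOSE_MIN
    if flow.accelerated:
        return False                     # governed by keep-alive probing instead
    return idle >= TCP_ESTABLISHED_IDLE_MIN


def age_flow_table(flows: List[Flow]) -> List[str]:
    """Return the ids that remain visible in Current Flows after ageing."""
    return [f.flow_id for f in flows if not should_delete(f)]


def reset_on_reclassify(flows: List[Flow]) -> List[str]:
    """Flows in drop state are reset at reclassify time regardless of their timers."""
    return [f.flow_id for f in flows if f.drop_state]


# Constructed sample flow table (not captured from an appliance).
SAMPLE_FLOWS = [
    Flow("icmp-fresh", FlowState.NON_TCP, idle_minutes=2.5),
    Flow("icmp-stale", FlowState.NON_TCP, idle_minutes=3.0),
    Flow("syn-only", FlowState.TCP_HALF_OPEN, idle_minutes=2.0),
    Flow("https-busy", FlowState.TCP_ESTABLISHED, idle_minutes=5.0),
    Flow("ssh-idle-accel", FlowState.TCP_ESTABLISHED, idle_minutes=12.0, accelerated=True),
    Flow("rst-closed", FlowState.TCP_UNCLEAN_CLOSE, idle_minutes=2.0),
    Flow("clean-close", FlowState.TCP_NORMAL_CLOSE, idle_minutes=0.0),
    Flow("blocked-dns", FlowState.NON_TCP, idle_minutes=0.5, drop_state=True),
]

if __name__ == "__main__":
    print("remaining:", age_flow_table(SAMPLE_FLOWS))
    print("heartbeat due:", [f.flow_id for f in SAMPLE_FLOWS if heartbeat_due(f)])
    print("reset on reclassify:", reset_on_reclassify(SAMPLE_FLOWS))
```

Running the sample explains two things an operator sees on the Flows tab: a ping that stopped still shows in Current Flows until its three minutes are up, and a long-idle accelerated session stays listed until its heartbeat probe fails rather than at the plain inactivity timeout.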

Outbound and Inbound

Outbound and Inbound in Aruba EdgeConnect refer to the direction of traffic as it flows from the LAN side to the WAN side of an appliance, or from the WAN side to the LAN side. These terms are different from the actual interface names, such as WAN or LAN .

Description    Counter Type   Traffic Received On   Traffic Forwarded To
Inbound LAN    LAN TX         WAN-side interface    LAN-side interface
Outbound LAN   LAN RX         LAN-side interface    WAN-side interface
Inbound WAN    WAN RX         WAN-side interface    LAN-side interface
Outbound WAN   WAN TX         LAN-side interface    WAN-side interface

WAN optimization data reduction is calculated using the following formula:
Data Reduction % = (LAN Bytes - WAN Bytes) / LAN Bytes
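The reduction formula applied to the counter table above, as an added example that is not code from the guide or the product. It maps the four counter types to the outbound and inbound directions, and it also covers the case the prose does not spell out: when WAN bytes exceed LAN bytes (already-encrypted or otherwise incompressible traffic carrying tunnel overhead), the reduction is negative rather than zero, and an interval with no LAN bytes returns None instead of a misleading 0 %. The counter values are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApplianceCounters:
    """Byte counters named as in the Outbound/Inbound table.
    Values are a constructed sample, not taken from a real appliance."""
    lan_rx: int  # Outbound LAN: bytes received from the LAN-side interface
    wan_tx: int  # Outbound WAN: bytes transmitted to the WAN-side interface
    wan_rx: int  # Inbound WAN: bytes received from the WAN-side interface
    lan_tx: int  # Inbound LAN: bytes transmitted to the LAN-side interface


def reduction_pct(lan_bytes: int, wan_bytes: int) -> Optional[float]:
    """Data Reduction % = (LAN Bytes - WAN Bytes) / LAN Bytes, expressed in percent.
    Returns None when no LAN bytes were counted, so an empty interval is not
    reported as 0 % reduction."""
    if lan_bytes <= 0:
        return None
    return round((lan_bytes - wan_bytes) * 100.0 / lan_bytes, 2)


def outbound_reduction_pct(c: ApplianceCounters) -> Optional[float]:
    """Outbound: LAN RX is the LAN-side count, WAN TX the WAN-side count."""
    return reduction_pct(c.lan_rx, c.wan_tx)


def inbound_reduction_pct(c: ApplianceCounters) -> Optional[float]:
    """Inbound: LAN TX is the LAN-side count, WAN RX the WAN-side count."""
    return reduction_pct(c.lan_tx, c.wan_rx)


# Typical compressible traffic: fewer WAN bytes than LAN bytes in both directions.
SAMPLE = ApplianceCounters(lan_rx=1_000_000, wan_tx=400_000, wan_rx=500_000, lan_tx=800_000)
# Incompressible traffic: tunnel overhead makes the WAN count exceed the LAN count,
# so the reduction comes out negative.
INCOMPRESSIBLE = ApplianceCounters(lan_rx=100_000, wan_tx=120_000, wan_rx=130_000, lan_tx=100_000)

if __name__ == "__main__":
    for label, c in (("sample", SAMPLE), ("incompressible", INCOMPRESSIBLE)):
        print(f"{label}: outbound {outbound_reduction_pct(c)} %, inbound {inbound_reduction_pct(c)} %")
```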


Appliance Flow Counts
Monitoring > Bandwidth > Flows > Counts
The Appliance Flow Counts chart lists the top appliances according to which had the most flows within a selected time period. When you filter on All Traffic, the Created and Deleted columns display the number of new and ended flows for that same time period. The Max column value is from a one-minute window within the time range.

Appliance Flow Trends
Monitoring > Bandwidth > Flows > Trends
The Appliance Flow Trends chart shows the number of flows, packets, and bits/second through the appliance over time. It also differentiates among TCP (accelerated and unaccelerated) flows and non-TCP flows.

Tunnel Flow Counts
Monitoring > Bandwidth > Flows > Tunnel Counts
The Tunnel Flow Counts chart lists the tunnels with the most flows on average. It differentiates flows into TCP (accelerated and unaccelerated) and non-TCP, and also shows peak values.

DSCP Bandwidth
Monitoring > Bandwidth > DSCP > Summary
The DSCP Bandwidth chart shows the DSCP classes that are sending the most data.

DSCP Pie Charts
Monitoring > Bandwidth > DSCP > Pie Charts
The DSCP Pie Charts show the proportion of traffic in each DSCP class. Hovering over the charts and the legends reveals additional information.

DSCP Trends
Monitoring > Bandwidth > DSCP > Trends
This tab shows DSCP usage over time.

Traffic Class Bandwidth
Monitoring > Bandwidth > QoS > Summary
The Traffic Class Bandwidth chart shows the QoS traffic classes that are sending the most data.

Traffic Class Pie Charts
Monitoring > Bandwidth > QoS > Pie Charts
The Traffic Class Pie Charts show the proportion of traffic in each traffic class. Hovering over the charts and the legends reveals additional information.

QoS (Shaper) Trends
Monitoring > Bandwidth > QoS > Trends
This tab shows how much bandwidth each traffic class uses over time.

Shaper Summary
Monitoring > Bandwidth > QoS > Shaper Summary
Use this tab to view the Shaper Summary for all traffic classes on selected appliances. The Shaper delays certain packet types to optimize overall network performance. For more information about shaping, see Shaper Tab and Shaper Template.
· Use the controls above the table to specify how much data (time and date range) you want to see in the summary.
· Use the Top X filter to limit data according to top applications by total traffic bytes. You can include the top , , , , or applications.
· Click Outbound or Inbound to change the summary by traffic direction.
The following information is included in the Shaper Summary:

Field – Description
Appliance – Name of the appliance that is shaping traffic to generate the Shaper Summary.
Traffic Class – Traffic classes defined by Shaper parameters. The following four are pre-configured by Orchestrator: Real-time, Interactive, Default, and Best Effort. The user can configure the remaining six classes.
Total Bytes – Total amount of bytes being shaped.
Shaped Bytes – Amount of bytes used for shaping.
Shaped Packets – Amount of packets used for shaping.
Average Wait Time (ms) – Specified amount of time Orchestrator waits until packets are dropped while shaping is in progress.
Drop Packets – Amount of packets that have been reported as dropped because they expired in the Shaper queue.
Other Drops – All other drops besides the expired drop packets.
Trends – Click the graph icon to see the Shaper Bandwidth Trends charts, which show Inbound and Outbound traffic trends in graphs.

Boost Tab
Monitoring > Bandwidth > Boost > Summary
This tab provides a summary of the Boost configuration and usage for selected appliances. You can change the time period for which Boost statistics are displayed by using the hr, hr, d, and d buttons at the top of the tab, or click Custom to specify a custom date range and granularity.

This tab provides the following details about your Boost configuration:

Field – Description
Appliance – Name of the appliance.
Configured Boost (Kbps) – Boost bandwidth configured on the appliance.
% Time Insufficient Boost – Percentage of time when Boost bandwidth was not available for use.
Minutes Insufficient Boost – Amount of time (in minutes) when Boost bandwidth was not available for use.
Total Boost Bytes – Total amount of Boost bandwidth used over the specified time range.
Trends – Graph displaying detailed Boost trends for the specified appliance.

The total Boost bandwidth available to your network is controlled by your license. If necessary, you can purchase additional Boost bandwidth.
If a Boost license is available, you can assign Boost to appliances on the Licenses tab or on an appliance's Deployment page. You can also configure Boost allocation using Business Intent Overlays.
NOTE: Your network uses a single queue for Boost across all appliances. When that queue is completely utilized, appliances will have insufficient Boost for any additional demands.

Boost Trends
To view Boost trends for a specific appliance, click the graph icon in the Trends column. The Boost Trends graph displays Configured Boost, Boost, and Minutes Insufficient Boost over the time period specified on the Boost tab.

To change the Boost configuration of one or more appliances selected in the table, click Configure Boost. You can increase or decrease Boost bandwidth by %, or set the bandwidth to a specific value in Kbps. Click Apply to save and apply your changes, or click Close to cancel.


Firewall Drops
Monitoring > Bandwidth > Firewall Drops > Summary
Use the Firewall Drops tab to see statistics on the flows, packets, and bytes dropped or allowed by a zone-based firewall for a given time range.
· You can select a range of time (in hours and days) to view the firewall drops. You can also choose Matrix or Table view.
· Select Export to export the report to an Excel spreadsheet.
· If segmentation is enabled, you can specify the Source Segment and the Destination Segment to search for the flows, packets, and firewall drops in that segment.
· In the Charts column, you can select the chart icon. The pop-up shows the packets and bytes dropped or allowed by a zone-based firewall for the given time range.

Monitoring > Tunnel Health
The options under Monitoring > Tunnel Health focus on reports related to tunnel health.

Live View
Monitoring > Tunnel Health > Live View
Live View shows the live bandwidth, loss, latency, and jitter on all tunnels. For an overlay, it also shows live tunnel states: Up, Browned Out, or Down.

Live View shows in real time how the overlay and its underlays combine to maintain coverage. The real-time chart shows the SD-WAN overlay at the top and the underlay networks at the bottom. In the example shown, the overlay is green and delivering consistent application performance while both underlays are in a persistent brownout state.

Loss Summary
Monitoring > Tunnel Health > Loss > Summary
The Loss chart shows tunnels that have the most dropped packets. Statistics are summarized for the selected time period.

Loss percentages, before and after Forward Error Correction (FEC), are determined from data that the local EdgeConnect observes. Two types of loss are measured:
· Pre-FEC Loss % – Data packets lost before applying FEC, as a percentage of total sent packets. This measure indicates what the packet loss would be if FEC were not applied.
· Post-FEC Loss % – Data packets lost after applying FEC, as a percentage of total sent packets. This measure indicates what the packet loss is after FEC is applied.
The total number of sent packets over the link is calculated from three parameters:
· Total received packets (SUM_WRX_PKTS)
· Recovered packets from FEC (CORRECTED_PACKETS)
· Unrecovered packets after FEC (SUM_POST_LOSS)
Calculations are based on the following formulas:
· Total sent packets = SUM_WRX_PKTS + CORRECTED_PACKETS + SUM_POST_LOSS
· Packets lost in transmission (SUM_PRE_LOSS) = CORRECTED_PACKETS + SUM_POST_LOSS
Based on the above information, the Pre-FEC and Post-FEC Loss percentages are calculated as follows:
· Pre-FEC Loss (%) = SUM_PRE_LOSS * / (SUM_WRX_PKTS + SUM_PRE_LOSS)
· Post-FEC Loss (%) = SUM_POST_LOSS * / (SUM_WRX_PKTS + SUM_PRE_LOSS)
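The loss formulas above carried through on sample counters. This is an added example, not code from the guide or from EdgeConnect: it uses the guide's counter names, assumes the factor of 100 that the extraction dropped from the percentage formulas, and returns None instead of dividing by zero for a tunnel that carried no packets in the interval. The fec_recovery_pct helper (share of lost packets that FEC recovered) is not a column in the guide; it is added because it shows how much of the pre-FEC loss FEC is absorbing. The counter values are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TunnelLossCounters:
    """Per-tunnel counters using the guide's names (constructed sample values)."""
    sum_wrx_pkts: int       # SUM_WRX_PKTS: packets received over the tunnel
    corrected_packets: int  # CORRECTED_PACKETS: lost packets recovered by FEC
    sum_post_loss: int      # SUM_POST_LOSS: packets still lost after FEC


def total_sent_packets(c: TunnelLossCounters) -> int:
    """Total sent packets = SUM_WRX_PKTS + CORRECTED_PACKETS + SUM_POST_LOSS."""
    return c.sum_wrx_pkts + c.corrected_packets + c.sum_post_loss


def sum_pre_loss(c: TunnelLossCounters) -> int:
    """Packets lost in transmission (SUM_PRE_LOSS) = CORRECTED_PACKETS + SUM_POST_LOSS."""
    return c.corrected_packets + c.sum_post_loss


def _pct(numerator: int, denominator: int) -> Optional[float]:
    # A tunnel with no packets in the interval yields None rather than a bogus 0 %.
    if denominator == 0:
        return None
    return round(numerator * 100.0 / denominator, 3)   # factor 100: percentage (assumed)


def pre_fec_loss_pct(c: TunnelLossCounters) -> Optional[float]:
    """Pre-FEC Loss (%) = SUM_PRE_LOSS * 100 / (SUM_WRX_PKTS + SUM_PRE_LOSS).
    The denominator equals total_sent_packets()."""
    return _pct(sum_pre_loss(c), c.sum_wrx_pkts + sum_pre_loss(c))


def post_fec_loss_pct(c: TunnelLossCounters) -> Optional[float]:
    """Post-FEC Loss (%) = SUM_POST_LOSS * 100 / (SUM_WRX_PKTS + SUM_PRE_LOSS)."""
    return _pct(c.sum_post_loss, c.sum_wrx_pkts + sum_pre_loss(c))


def fec_recovery_pct(c: TunnelLossCounters) -> Optional[float]:
    """Share of lost packets that FEC recovered (added metric, not a guide column).
    None when nothing was lost, since recovery is then undefined."""
    return _pct(c.corrected_packets, sum_pre_loss(c))


# Constructed sample: 10,000 packets sent, 300 lost on the wire, FEC recovered 250.
SAMPLE = TunnelLossCounters(sum_wrx_pkts=9_700, corrected_packets=250, sum_post_loss=50)
QUIET = TunnelLossCounters(sum_wrx_pkts=0, corrected_packets=0, sum_post_loss=0)

if __name__ == "__main__":
    print("total sent:", total_sent_packets(SAMPLE))
    print("pre-FEC loss %:", pre_fec_loss_pct(SAMPLE))
    print("post-FEC loss %:", post_fec_loss_pct(SAMPLE))
    print("FEC recovered %:", fec_recovery_pct(SAMPLE))
```

A widening gap between Pre-FEC and Post-FEC loss on a tunnel means FEC is doing real work on that underlay; when the two values converge at a high level, FEC has run out of headroom and the link itself needs attention.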

Loss Trends
Monitoring > Tunnel Health > Loss > Trends
The Loss Trends chart shows tunnel packet loss over time, before and after Forward Error Correction (FEC).

NOTE: Underlay tunnels are a shared resource among overlays. Therefore, underlay charts display aggregated data.

Jitter Summary
Monitoring > Tunnel Health > Jitter > Summary
The Jitter chart shows the tunnels that have the most jitter. Statistics are summarized for the selected time period. Jitter can be caused by congestion in the LAN, firewall routers, bottleneck access links, load sharing, route flapping, routing table updates, and timing drifts.

Jitter Trends
Monitoring > Tunnel Health > Jitter > Trends
This tab shows tunnel jitter over time.


NOTE: Underlay tunnels are a shared resource among overlays. Therefore, underlay charts display aggregated data.
Latency Summary
Monitoring > Tunnel Health > Latency > Summary The Latency tab shows summary statistics for latency (transmission delay) on an in-band, end-to-end tunnel basis for the selected time/date range. Either overlay or underlay tunnels can be displayed, and anywhere between the top to top tunnels are displayed by round-trip time (RTT).

On this tab, latency is a measure of the RTT within a tunnel in milliseconds. Values on the left display RTT as measured by the local appliance. Values on the right display RTT as measured by the appliance at the remote end of the tunnel. Some column descriptions follow:
· Std. Latency – Standard deviation (in milliseconds) of latency values for the tunnel within the specified period. Standard deviation is a measure of the amount of variation in a set of values. A low standard deviation indicates that the values tend to be close to the mean or expected value, while a high standard deviation indicates that the values are spread over a wider range.
· Max Latency (ms) – Maximum RTT value (in milliseconds) for the tunnel within the specified range.
· Avg Latency (ms) – Average RTT value (in milliseconds) for the tunnel within the specified range. High latency can negatively affect throughput in the network, most noticeably for TCP traffic. Physical distance has the most significant impact on latency. For example:
– If data is crossing the United States, you can expect delays from to milliseconds.
– International transmissions can normally experience delays up to milliseconds.
– Satellite transmissions often have delays of about / second, and up to several seconds are possible.
High latency can also be caused by equipment (hop-by-hop delays), or by loss or congestion resulting from lost packets, lost acknowledgments, and necessary retransmissions. TCP Acceleration (a function of Boost) can mitigate the impact of latency on throughput. In addition, path conditioning and packet re-ordering (a function of Business Intent Overlay link bonding) can mitigate the impact of loss and out-of-order packets on TCP throughput by reducing the number of retransmissions.
Latency Trends
Monitoring > Tunnel Health > Latency > Trends The Latency Trends chart shows tunnel latency over time.

NOTE: Underlay tunnels are a shared resource among overlays. Therefore, underlay charts display aggregated data.
Out of Order Packets Summary
Monitoring > Tunnel Health > Out of Order Packets > Summary The Out of Order Packets chart shows the tunnels that receive the most packets out of sequence relative to how they were sent.

Out of Order Packets Trends
Monitoring > Tunnel Health > Out of Order Packets > Trends
The Out of Order Packets Trends chart shows tunnel packets that are out of order over time, before and after Packet Order Correction (POC).


NOTE: Underlay tunnels are a shared resource among overlays. Therefore, underlay charts display aggregated data.
Mean Opinion Score (MOS) Summary
Monitoring > Tunnel Health > MOS > Summary The Mean Opinion Score (MOS) is a commonly used measure for video, audio, and audiovisual quality evaluation. Perceived quality is rated on a theoretical scale of to ; the higher the number, the better the quality.

The value can be affected by loss, latency, and jitter. In practice, a value of . is considered an excellent quality target.
Mean Opinion Score (MOS) Trends
Monitoring > Tunnel Health > MOS > Trends The Mean Opinion Score (MOS) is a commonly used measure for video, audio, and audiovisual quality evaluation. Perceived quality is rated on a theoretical scale of to ; the higher the number, the better the quality.


· The value can be affected by loss, latency, and jitter. In practice, a value of . is considered an excellent quality target.
· The Min MOS value reports the worst score within a minute.
Tunnels Summary
Monitoring > Tunnel Health > Other Tunnel Statistics > Tunnels Summary This tab summarizes tunnel statistics, including reduction, throughput, latency, and packet loss.

For each Business Intent Overlay, the specified Link Bonding Policy determines the bandwidth efficiency. To guarantee service quality levels, High Availability requires the most overhead and High Efficiency requires the least. The table shows the total bandwidth used. The Payload filter removes overhead from the displayed values.

Configuration
The options under Configuration focus on how to configure Orchestrator. Categories include the following:
· Overlays & Security
· Networking
· Templates & Policies
– Policies
– Templates
· Cloud Services

Configuration > Overlays & Security
The options under Configuration > Overlays & Security focus on configuring Business Intent Overlays (BIOs), interface labels, hubs, regions, deployment profiles, and internet traffic definitions. Other options are related to security, SSL certificates, appliance configuration and discovery, and licensing.
NOTE: Topics in this section relate to deploying a WAN optimization network or a software-defined Wide Area Network (SD-WAN). From a configuration standpoint, an SD-WAN uses Business Intent Overlays (BIOs), whereas a WANop network does not.

Business Intent Overlays
Configuration > Overlays & Security > Business Intent Overlays
Use the Business Intent Overlays (BIOs) tab to create separate, logical networks that are individually customized to your applications and requirements within your network. By default, there are several predefined overlays matching a range of traffic within your network. The overlay summary table is used for easy comparison of values between your various configured overlays. You can select any link in the table and the Overlay Configuration dialog box launches. You can also temporarily save your changes before officially applying them to your overlay. Pending configuration updates are indicated by an orange box around the edited item. Click Save and Apply Changes to Overlays when you are ready to apply the changes, or click Cancel if you want to discard them.


Overview
Orchestrator matches traffic to an ACL, progressing down the ordered priority list of overlays until it identifies the first one that matches. The matched traffic is then analyzed against the overlay's Internet Traffic configuration and forwarded within the fabric, or broken out to the internet based on the preferred policy order. If the software determines that the traffic is not destined for the internet, it refers to the WAN Links & Bonding Policy configuration and forwards traffic accordingly within the overlay.

SD-WAN Traffic to Internal Subnets

Overlay Configuration
You can begin to configure or modify a default overlay in the Overlay column. You can also select any icon on the Business Intent Overlay page to open the corresponding editor or dialog box.
Complete the following steps to configure your overlay.

1. Select the name of the overlay. The Overlay Configuration window opens. If you want to edit the default overlay or create a new overlay, enter the new name of the overlay in the Name field.
2. Select the Match field and choose the match criteria from the menu.
3. Click the Edit icon next to the ACL field. To apply default ACLs or create your own, select Add Rule in the Associate ACL window.
4. Click Save.

Region
To view the region associated with your overlay, select the Regions icon in the Region column of the overlay summary table. You can modify, remove, or edit overlay settings for a selected region by expanding the list at the top right of the Overlay Configuration window. For more information about Regions, refer to the help on the tab.

Topology
Select the type of topology you want to apply to your overlay and network. You can choose between the following types of topology:

· Mesh: Choose Mesh if you want to make a local network.
· Hub & Spoke: Hubs are used to build tunnels in Hub & Spoke networks and route traffic between regions. If you choose Hub & Spoke, any appliance set as a hub will serve as a hub in any overlay applied to it. Hubs in different regions mesh with each other to support regional routing. To configure hubs, select the Hubs link at the top of the page.
· Regional Mesh and Regional Hub & Spoke: To streamline the number of tunnels created between groups of appliances that are geographically dispersed, you can assign appliances to Regions and select Regional Mesh or Regional Hub & Spoke.
1. At the top of the page, select Regions.
2. You can add and remove a region or view the status of each overlay within a selected region.


Build SD-WAN Using These Interfaces

You can select which WAN interfaces each device uses to connect to the SD-WAN. First, assign the Primary interfaces that your traffic goes to. If a primary interface is unavailable or not meeting the configured Service Level Objectives, the Backup interfaces are used. Move the desired interfaces between Primary and Backup. The interfaces are grayed out until moved into the Primary or Backup boxes.

· Cross Connect allows you to define tunnels built between each interface label. Each appliance has a maximum number of tunnels that it can support, and using Cross Connect increases the number of tunnels created.
· Add Backup if Primary Are: Specifies when the system should use the Backup interfaces.
· +Secondary: Click +Secondary to enable secondary interfaces. You can specify when Orchestrator should move to the Secondary interfaces by selecting Down or Not Meeting Service Levels.

Service Level Objectives

Traffic is routed through the primary interfaces exclusively unless the service level thresholds for Loss, Latency, or Jitter have been exceeded. If this occurs, backup interfaces are added so that the service level objective can be met.
NOTE: Primary interfaces can still be used to support the overall Service Level Objective.

Link Bonding Policy

You can select the following Link Bonding Policies when you need to specify the criteria for selecting the best route possible when data is sent between multiple tunnels and appliances. You can also select custom bonding, which enables you to customize link prioritization and traffic steering policies based on multiple criteria.

Field – Description
High Availability – For critical services that cannot accept any interruption at all. For example, call center voice or critical VDI traffic.
High Quality – For typical real-time services, such as VoIP or video conferencing. For example, WebEx, business-quality Skype, or VDI traffic.
High Throughput – For anything where maximum speed is more important than quality. For example, data replication, NFS, file transfers, and so forth.
High Efficiency – For everything else. This option load balances across multiple links, with no FEC or overhead.
Custom – Specify the following:
– FEC Wait Time (in milliseconds)
– Exclude links: Overlay or Underlay brownout
– Link Reorder Frequency: Aggressive, Moderate, Conservative
– Path Conditioning (in percentage)
– Packet Reorder Wait Time (in milliseconds)
– Link Selection: Waterfall or Balanced

QoS, Security, and Optimization

To further customize your overlay configuration, enter the appropriate information for the following fields.

Field – Description
FW Zone – Select the firewall zone you want to restrict traffic to from an overlay.
Boost – Select True or False, depending on whether you want to apply any purchased Boost to your overlay.
Peer Unavailable Option – Select where you want your traffic to go if a peer is unavailable: Use MPLS, Use Internet, Use LTE, Use Best Route, or Drop.
Traffic Class – Channels traffic to the desired queue based on the applied service. Select Best Route or Drop.
LAN DSCP – Select the DSCP you want to apply as a filter to the LAN interface.
WAN DSCP – Select the DSCP you want to apply as a filter to the WAN interface.

Breakout Traffic to Internet & Cloud Services

You can use Breakout Traffic to Internet & Cloud Services to monitor and manage traffic coming to or from the internet.

You can create different breakout policies for hubs. Any hub you select in the Topology section also displays at the top of the Internet Traffic to Web, Cloud Services tab. When you select an individual hub, the Use Branch Settings check box displays, selected, at the right of the screen. Complete the following steps to create a custom breakout policy for that hub:

1. Clear the Use Branch Settings check box.
2. Configure the now accessible parameters.
3. Click OK.


Preferred Policy Order and Available Policies

· You can move policies back and forth between the Preferred Policy Order and the Available Policies columns. You can also change their order within a column. The defaults provided are Backhaul via Overlay, Break Out Locally, and Drop.
· When you choose Break Out Locally, confirm that any selected interface that is directly connected to the Internet has Stateful Firewall specified in the deployment profile.
· You can add services (such as Zscaler, Fortigate, or Palo Alto). The service requires a corresponding Internet-breakout (Passthrough) tunnel for each appliance sending traffic to that service. To add a service, select the edit icon next to Available Policies.
· The Default policy you configure for internet breakout is pushed to all appliances that use the selected Overlay. However, you might want to push different breakout rules to your hubs.

Break Out Locally Using These Interfaces and Link Selection

You can select the best internet breakout links by specifying the type of Link Selection: Waterfall or Balanced. Drag and drop an available interface into Primary or Backup in Break Out Locally Using These Interfaces and complete the following steps.

1. Select Waterfall or Balanced under Link Selection.
2. If Waterfall is chosen, links are ranked on the selected threshold, from best to worst. The best link is chosen first, and the next best link is chosen when the current best link's bandwidth utilization is full. Select one of the following ways you want Orchestrator to first determine which link to use.

Field – Description
Auto – Default threshold if you do not specify the threshold for your links.
MOS – Measure of the voice connection quality.
Loss – Configured amount of loss the primary link is given.
Latency – Configured amount of time you assign to the primary link for latency.

NOTE: Backup links are used only when all primary links are down.
3. If Balanced is chosen, enter the amount for the three Performance Thresholds: Loss, Latency, and Jitter. Traffic is dispersed between one or more of the configured top or equally ranked links.
WARNING: Random links are selected if no brownout thresholds for Loss, Latency, and Jitter have been set.
4. Click the edit icon next to Break Out Locally Using These Interfaces and complete the dialog box if you choose to set IP SLA Rule destinations.
NOTE: You can still enable Path Loading even if you do not select any primary links.
If you select Exclude Links That Are Below Performance Thresholds, the selected policy order is applied.
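The Waterfall and Balanced selection behaviour described in the steps above, modelled as an added example. This is not Orchestrator's or the appliance's code, and it is a model of the documented rules only: Waterfall ranks up links on one of MOS, Loss or Latency (the Auto default is left out because its threshold is not specified here) and moves to the next link only when the current one is at full utilization; Balanced returns every candidate that meets all three Performance Thresholds, picks at random when no thresholds are set (the WARNING above), and returns an empty list when nothing qualifies, which is where Exclude Links That Are Below Performance Thresholds hands off to the next policy in the Preferred Policy Order. Backup links are considered only when every primary link is down. Link metrics and names are constructed.

```python
import random
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Link:
    """One breakout interface with its measured link metrics (constructed values)."""
    name: str
    up: bool
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    mos: float
    utilization_pct: float   # share of the link's bandwidth already in use


@dataclass(frozen=True)
class Thresholds:
    """Balanced mode's three Performance Thresholds (brownout thresholds)."""
    loss_pct: float
    latency_ms: float
    jitter_ms: float


# Waterfall ranks on one metric: lower is better for Loss and Latency, higher for MOS.
_RANK_KEY = {
    "loss": lambda link: link.loss_pct,
    "latency": lambda link: link.latency_ms,
    "mos": lambda link: -link.mos,
}


def candidate_pool(primary: List[Link], backup: List[Link]) -> List[Link]:
    """Backup links are used only when all primary links are down."""
    up_primary = [link for link in primary if link.up]
    return up_primary if up_primary else [link for link in backup if link.up]


def waterfall_select(primary: List[Link], backup: List[Link], metric: str) -> Optional[str]:
    """Best link first; move to the next best only when the current one is full."""
    for link in sorted(candidate_pool(primary, backup), key=_RANK_KEY[metric]):
        if link.utilization_pct < 100.0:
            return link.name
    return None   # every candidate link is saturated or down


def balanced_select(primary: List[Link], backup: List[Link],
                    thresholds: Optional[Thresholds], rng=None) -> List[str]:
    """Spread traffic over every candidate link that meets all three thresholds."""
    pool = candidate_pool(primary, backup)
    if not pool:
        return []
    if thresholds is None:
        # The guide's WARNING: with no brownout thresholds set, link choice is random.
        return [(rng or random).choice(pool).name]
    eligible = [link for link in pool
                if link.loss_pct <= thresholds.loss_pct
                and link.latency_ms <= thresholds.latency_ms
                and link.jitter_ms <= thresholds.jitter_ms]
    # Empty result: every link is below threshold, so with "Exclude Links That Are Below
    # Performance Thresholds" set, the next policy in the Preferred Policy Order applies.
    return sorted(link.name for link in eligible)


# Constructed sample: MPLS is best on every metric but already at 100 % utilization.
MPLS = Link("MPLS", True, loss_pct=0.1, latency_ms=20.0, jitter_ms=2.0, mos=4.3, utilization_pct=100.0)
INET1 = Link("INET1", True, loss_pct=0.5, latency_ms=40.0, jitter_ms=5.0, mos=4.0, utilization_pct=30.0)
INET2 = Link("INET2", True, loss_pct=3.0, latency_ms=35.0, jitter_ms=25.0, mos=3.1, utilization_pct=10.0)
LTE = Link("LTE", True, loss_pct=1.0, latency_ms=60.0, jitter_ms=8.0, mos=3.8, utilization_pct=5.0)
PRIMARY = [MPLS, INET1, INET2]
BACKUP = [LTE]
PRIMARY_DOWN = [replace(link, up=False) for link in PRIMARY]

if __name__ == "__main__":
    for metric in ("loss", "latency", "mos"):
        print(f"waterfall by {metric}:", waterfall_select(PRIMARY, BACKUP, metric))
    print("balanced:", balanced_select(PRIMARY, BACKUP, Thresholds(1.0, 50.0, 10.0)))
    print("all primary down:", waterfall_select(PRIMARY_DOWN, BACKUP, "loss"))
```

The sample shows why the choice of ranking metric matters in Waterfall mode: with MPLS saturated, ranking by loss picks INET1 while ranking by latency picks INET2, so a lossy but fast link can end up carrying breakout traffic if latency is the configured threshold.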


Apply Overlays
Configuration > Overlays & Security > Apply Overlays
Use this page to add or remove overlays from appliances. If you select Edit Overlays, you are redirected to the Business Intent Overlay tab for further customization. You can also view the status of the overlays by selecting View Status.

Interface Labels

Configuration > Overlays & Security > Interface Labels
To make it easier to identify connections, you can create descriptive interface labels for each link type in your environment. Use labels to match and route traffic into overlays. The label type specifies "which side" of the network the interface is on. LAN labels identify LAN-side data (subnets), and WAN labels identify the WAN service, such as MPLS, Internet, or LTE. If you edit a label, tunnels that reference that labeled interface are renamed accordingly.
· LAN labels can be selected for a traffic access policy in a Business Intent Overlay (BIO), which in turn is applied to an appliance with those LAN labels. All traffic matching those interfaces is automatically processed by that BIO. If you use an ACL for a traffic access policy, the LAN label is ignored for that BIO.
· WAN labels are used by Orchestrator and BIOs to determine which interfaces on different appliances should be connected by tunnels built by Orchestrator. Orchestrator automatically pushes interface labels to appliances it manages.

Manage Labels

Use the Interface Labels dialog box, available under Configuration > Overlays & Security > Interface Labels, to manage labels in Orchestrator.


From this dialog box, you can create, edit, or delete labels.

Create Label

1. Click New Label. The Interface Label Configuration dialog box opens.
2. Select wan or lan for the label type.
3. Enter a descriptive name in the Label Name field.
NOTE: For WAN labels, if you want to allow Orchestrator to build tunnels using this label in any topology, leave the Topology selection set to any. If you want to override BIO settings and exclude this label in Full Mesh overlays, set Topology to Hub & Spoke.
4. Click Done to save your changes and close the dialog box. Otherwise, click Close to cancel and return to the list of interface labels.

Edit Label
1. In the Interface Labels dialog box, click the edit icon to the right of an existing label.
2. Select wan or lan for the label type. You cannot change the label type if the label is currently in use.
3. If you want to change the label name, modify it in the Label Name field.
NOTE: For WAN labels, if you want to allow Orchestrator to build tunnels using this label in any topology, leave the Topology selection set to any. If you want to override BIO settings and exclude this label in Full Mesh overlays, set Topology to Hub & Spoke.
4. Click Done to save your changes and close the dialog box. Otherwise, click Close to cancel and return to the list of interface labels.

Delete Label

1. In the Interface Labels dialog box, click the X icon to the left of the label you want to delete.
NOTE: Labels used in overlays cannot be deleted.
The label is deleted from the list but can be restored by closing the dialog box without saving.
2. To save your changes and permanently delete the label, click Save.
WARNING: When deleting a label, a confirmation message warns you that deleted interface labels will be removed from all policies, interfaces, and deployment profiles that are currently using the label.
3. Click Save to confirm the removal. Otherwise, click Cancel to return to the Interface Labels dialog box.

Hubs
Configuration > Overlays & Security > Hubs
On this tab, you can add, remove, and associate hubs to a specified region within the Regional Mesh or Regional Hub-and-Spoke topologies configured on the Business Intent Overlay tab. You can specify whether a hub will re-advertise routes that were previously received from a spoke in the hub's region or a hub in another region.
NOTE: This feature requires appliance software version . . or later.
You can also access the Regions and Business Intent Overlay tabs by clicking the links at the top of the page. Complete the following steps to add a hub:
1. Start typing a name, or select the appliance you want to make a hub from the list.
2. Select one of the following:
· Re-Advertise Routes – This hub will re-advertise its routes so that other appliances can learn them. This hub will also re-advertise routes learned from other EdgeConnect appliances within its region.
· Do Not Re-Advertise Routes (Stub Hub) – This hub will not re-advertise routes learned from other regions or spokes. All local routes (static, directly connected, BGP, and OSPF) will still be advertised. Hubs that do not re-advertise their routes are stub hubs.

3. Click Add Hub.
To delete a hub, select the X icon next to the hub you want to delete.
NOTE: You must remove all overlays before you can revert a hub back to a spoke.

Deployment Profiles

Configuration > Overlays & Security > Deployment Profiles
Instead of configuring each appliance separately, you can create various Deployment Profiles and provision a device by applying the profile you want. For example, you can create a standard format for your branch.
TIP: For a smoother workflow, complete the DHCP Server Defaults tab (Configuration > Networking > DHCP Server Defaults) before creating Deployment Profiles.
You can use Deployment Profiles to simplify provisioning, regardless of whether you choose to create and use Business Intent Overlays.
NOTE: You cannot edit IP/Mask fields because they are appliance-specific.

ML

I

· On the LAN side, labels are optional. They can be used as match criteria for Business Intent Overlay ACLs, such as data, VoIP, or replication.
· On the WAN side, labels identify the link type, such as MPLS or Internet. These labels are mandatory. They are used by Orchestrator to build Business Intent Overlay policies.
· To create or manage a global pool of labels, either:
- Navigate to Configuration > Overlays & Security > Deployment Profiles, click the Edit icon next to Label, and make the appropriate changes, or
- Navigate to Configuration > Overlays & Security > Interface Labels and make the appropriate changes.
· The change you make to a label propagates automatically. For example, it renames tunnels that use that labeled interface.

LAN-side Configuration: Segments, Firewall Zones

EdgeConnect Segmentation (VRF) provides orchestrated layer- segmentation, Zone Based Firewall, and IDS end-to-end across the SD-WAN fabric. Segment and zone policies are global in scope. They are managed on the Configuration > Networking > Routing > Routing Segmentation (VRF) tab.
Segments and zones are then assigned to LAN-side interfaces for each appliance by using the Deployment dialog box. By default, the Segment and FW Zone fields on LAN interfaces are set to the system-generated Default segment. You can select a different segment and firewall zone from the drop-down lists. These lists reflect the segments and zones that are set up on the Routing Segmentation (VRF) tab.
NOTE: The segment for WAN interfaces cannot be changed.


LAN-side Configuration: DHCP

· By default, each LAN IP acts as a DHCP Server when the appliance is in (the default) Router mode.
· The global defaults are set in Configuration > Networking > DHCP Server Defaults and prepopulate this page. The other choices are No DHCP and having the appliance act as a DHCP/BOOTP Relay.
· Enter the LAN interface from the drop-down. Click +IP to add a specific IP address.
· Enter the IP address of the specific LAN interface above the NO DHCP link.
· To customize an individual interface on the Deployment Profiles tab, click the DHCP-related link under the IP/Mask field. The DHCP Settings dialog box opens.
The following tables describe the various DHCP settings you can configure.

DHCP Server

Subnet Mask: Mask that specifies the default number of IP addresses reserved for any subnet. For example, entering reserves IP addresses.
Exclude first N addresses: Specifies how many IP addresses are not available at the beginning of the subnet's range.
Exclude last N addresses: Specifies how many IP addresses are not available at the end of the subnet's range.
Default lease, Maximum lease: Specify, in hours, how long an interface can keep a DHCP-assigned IP address.
Default gateway: Indicates whether the default gateway is being used.
DNS server(s): Specifies the associated Domain Name System servers.
NTP server(s): Specifies the associated Network Time Protocol servers.
NetBIOS name server(s): Used for Windows (SMB) type sharing and messaging. It resolves the names when you are mapping a drive or connecting to a printer.
NetBIOS node type: The NetBIOS node type of a networked computer determines how it resolves NetBIOS names to IP addresses. There are four node types:
- B-node - x Broadcast
- P-node - x Peer (WINS only)
- M-node - x Mixed (broadcast, then WINS)
- H-node - x Hybrid (WINS, then broadcast)
DHCP failover: Enables DHCP failover. To set it up, click the Failover Settings link.

DHCP/BOOTP Relay


Destination DHCP/BOOTP Server: IP address of the DHCP server assigning the IP addresses. This setting applies to the local interface only.
Enable Option: When selected, inserts additional information into the packet header to identify the client's point of attachment. This setting applies to all LAN-side interfaces on this appliance.
IMPORTANT: Changing this setting will modify Option settings on all LAN-side interfaces that are enabled as DHCP Relay.
Option Policy: Tells the relay what to do with the hex string it receives. The choices are append, replace, forward, and discard. This setting applies to all LAN-side interfaces on this appliance.
IMPORTANT: Changing this setting will modify Option settings on all LAN-side interfaces that are enabled as DHCP Relay.

WAN-side Configuration
Select the WAN-side label you want to apply to this deployment. Click the edit icon to add a new interface or delete a previously configured interface.
Firewall Zone: Zone-based firewall policies are configured globally on the Orchestrator. A zone is applied to an Interface. By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. You can create exception rules (Security Policies) to allow traffic between interfaces with different zones. The firewall zones you have already configured will be in the list under FW Zone. Select the Firewall Zone you want to apply to the WAN you are deploying.
Firewall Mode: Four options are available at each WAN interface:
· Allow All permits unrestricted communication. Use this option with extreme caution and only if the interface is behind a WAN edge firewall.
· Stateful only allows communication from the LAN-side to the WAN-side.
Use this if the interface is behind a WAN edge router.
· Stateful with SNAT applies Source NAT to outgoing traffic.
Use this if the interface is directly connected to the Internet and you want to enable local internet breakout.
· Harden
- For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets that terminate on an EdgeConnect appliance.
- For traffic outbound to the WAN, the appliance only allows IPSec tunnel packets and management traffic that terminate on an EdgeConnect appliance.
NAT Settings: To change the NAT setting, click the NAT-related link under the Next Hop field on the WAN side. The NAT Settings dialog box opens.
Select one of the following options:


· If the appliance is behind a NAT-ed interface, select NAT.
· If the appliance is not behind a NAT-ed interface, select Not behind NAT.
· Enter an IP address to assign a destination IP for tunnels being built from the network to this WAN interface.
Shaping: You can limit bandwidth selectively on each WAN interface.
· Total Outbound bandwidth is licensed by model. It is the same as max system bandwidth.
· To enter values for shaping inbound traffic (recommended), you must first select Shape Inbound Traffic.
EdgeConnect Licensing: Only visible on EdgeConnect appliances.
· For additional bandwidth, you can purchase Plus, and then select it here for this profile.
· If you have purchased a pool of Boost for your network, you can allocate a portion of it in a Deployment Profile. You can also direct allocations to specific types of traffic in the Business Intent Overlays.
· To view how you have distributed Plus and Boost, navigate to the Configuration > Overlays & Security > Licensing > Licenses tab.
· Select the appropriate licensing you have applied to your EdgeConnect appliance from the menu. Only the licenses available to that particular account are displayed. You can select the following licensing options:
- Mini
- Base
- Base + Plus
- Mbps
- Mbps
- Mbps
- Gbps
- Gbps
- Unlimited
NOTE: You must have the correct hardware to support the license selected.
BONDING
· EdgeConnect supports etherchannel bonding of multiple physical interfaces of the same media type into a single virtual interface. For example, wan plus wan bond to form bwan . This increases throughput on a very high-end appliance and/or provides interface-level redundancy.
· For bonding on a virtual appliance, you would need to configure the host instead of the appliance. For example, on a VMware ESXi host, you would configure NIC teaming to get the equivalent of etherchannel bonding.
· Whether you use a physical or a virtual appliance, etherchannel must also be configured on the directly connected switch/router. Refer to Aruba SD-WAN user documentation.


AM C

G

BD

This section discusses the basics of three deployment modes: Bridge, Router, and Server modes.
It describes common scenarios, considerations when selecting a deployment, redirection concerns, and some adaptations.
For detailed deployment examples, refer to the Aruba EdgeConnect SD-WAN Edge Platform documentation site for various deployment guides.
In Bridge Mode and in Router Mode, you can provide security on any WAN-side interface by hardening the interface. This means:

· For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets.
· For traffic outbound to the WAN, the appliance only allows IPSec tunnel packets and management traffic.

Bridge Mode

Single WAN-side Router
In this deployment, the appliance is in-line between a single WAN router and a single LAN-side switch.

Dual WAN-side Routers
This is the most common -port bridge configuration.

· WAN egress routers / or subnets / appliance
· separate service providers or WAN services (MPLS, IPSec VPN, MetroEthernet, and so forth)
Considerations for Bridge Mode Deployments
· Do you have a physical appliance or a virtual appliance?

· A virtual appliance has no fail-to-wire, so you will need a redundant network path to maintain connectivity if the appliance fails.
· If your LAN destination is behind a router or L switch, you need to add a LAN-side route (a LAN next hop).
· If the appliance is on a VLAN trunk, you need to configure VLANs on the EdgeConnect appliance so that the appliance can tag traffic with the appropriate VLAN tag.

Router Mode

There are four options to consider:

1. Single LAN interface & single WAN interface
2. Dual LAN interfaces & dual WAN interfaces
3. Single WAN interface sharing LAN and WAN traffic
4. Dual WAN interfaces sharing LAN and WAN traffic

For best performance, visibility, and control, Options # and # are recommended because they use separate LAN and WAN interfaces. And when using NAT, use Options # or # to ensure that addressing works properly.

# - Single LAN Interface & Single WAN Interface

For this deployment, you have two options:
1. You can put EdgeConnect in-path. In this case, if there is a failure, you need other redundant paths for high availability.
2. You can put EdgeConnect out-of-path. You can redirect LAN-side traffic and WAN-side traffic from a router or L switch to the corresponding interface using WCCP or PBR (Policy-Based Routing).
To use this deployment with a single router that has only one interface, you could use multiple VLANs.
# - Dual LAN Interfaces & Dual WAN Interfaces

This deployment redirects traffic from two LAN interfaces to two WAN interfaces on a single EdgeConnect appliance.
· WAN next-hops / subnets / appliance

· separate service providers or WAN services (MPLS, IPSec VPN, MetroEthernet, and so forth)
Out-of-path dual LAN and dual WAN interfaces

For this deployment, you have two options:
1. You can put EdgeConnect in-path. In this case, if there is a failure, you need other redundant paths for high availability.
2. You can put EdgeConnect out-of-path. You can redirect LAN-side traffic and WAN-side traffic from a router or L switch to the corresponding interface using WCCP or PBR (Policy-Based Routing).
# - Single WAN Interface Sharing LAN and WAN Traffic
This deployment redirects traffic from a single router (or L switch) to a single subnet on the EdgeConnect appliance.
· This mode only supports out-of-path.
· When using two EdgeConnects at the same site, this is also the most common deployment for high availability (redundancy) and load balancing.
· For better performance, control, and visibility, Router mode Option # is recommended instead of this option.
# - Dual WAN Interfaces Sharing LAN and WAN Traffic

This deployment redirects traffic from two routers to two interfaces on a single EdgeConnect appliance. This is also known as Dual-Homed Router Mode.
· WAN next-hops / subnets / appliance.
· separate service providers or WAN services (MPLS, IPSec VPN, MetroEthernet, and so forth).
· This mode only supports out-of-path.
· For better performance, control, and visibility, Router mode Option # is recommended instead of this option.
Considerations for Router Mode Deployments
· Do you want your traffic to be in-path or out-of-path? This mode supports both deployments. In-path deployment offers much simpler configuration.
· Does your router support VRRP, WCCP, or PBR? If so, you might want to consider out-of-path Router mode deployment. You can set up more complex configurations, which offer load balancing and high availability.
· Are you planning to use host routes on the server/end station?
· In the rare case when you need to send inbound WAN traffic to a router other than the WAN next hop router, use LAN-side routes.
Examine the Need for Traffic Redirection
Whenever you place an appliance out-of-path, you must redirect traffic from the client to the appliance. There are three methods for redirecting outbound packets from the client to the appliance (known as LAN-side redirection, or outbound redirection):
· PBR (Policy-Based Routing) - Configured on the router. No other special configuration required on the appliance. This is also known as FBR (Filter-Based Forwarding). If you want to deploy two EdgeConnects at the site for redundancy or load balancing, you also need to use VRRP (Virtual Router Redundancy Protocol).
· WCCP (Web Cache Communication Protocol) - Configured on both the router and the EdgeConnect appliance. You can also use WCCP for redundancy and load balancing.
· Host routing - The server/end station has a default or subnet-based static route that points to the EdgeConnect appliance as its next hop. Host routing is the preferred method when a virtual appliance is using a single interface, mgmt , for datapath traffic (also known as Server Mode). To ensure end-to-end connectivity in case of appliance failure, consider using VRRP between the appliance and a router, or the appliance and another redundant EdgeConnect.

How you plan to optimize traffic also affects whether you also need inbound redirection from the WAN router (known as WAN-side redirection):
· If you use subnet sharing (which relies on advertising local subnets between EdgeConnect appliances) or route policies (which specify destination IP addresses), you only need LAN-side redirection.
· If, instead, you rely on TCP-based or IP-based auto-optimization (which relies on initial handshaking outside a tunnel), you must also set up inbound and outbound redirection on the WAN router.
· For TCP flows to be optimized, both directions must travel through the same client and server appliances. If the TCP flows are asymmetric, you need to configure flow redirection among local appliances.
A tunnel must exist before auto-optimization can proceed. There are three options for tunnel creation:
· If you enable auto-tunnel, the initial TCP-based or IP-based handshaking creates the tunnel. This means that the appropriate LAN-side and WAN-side redirection must be in place.
· You can allow the Initial Configuration Wizard to create the tunnel to the remote appliance.
· You can create a tunnel manually on the Configuration > Networking > Tunnels > Tunnels page.

Server Mode

This mode uses the mgmt interface for management and datapath traffic.

ADD DATA INTERFACES
· You can create additional data-plane Layer interfaces to use as tunnel endpoints.
· To add a new logical interface, click +IP.
Deployment - EdgeConnect HA
The EdgeConnect High Availability (HA) mode is a high availability cluster configuration that provides appliance redundancy by pairing two EdgeConnect devices together. When a deployment profile configures two EdgeConnect appliances in EdgeConnect HA mode, the resilient cluster acts as a single logical system. It extends the robust SD-WAN multipathing capabilities such as Business Intent Overlays seamlessly across the two devices as if they were one entity.

With EdgeConnect HA mode, a WAN uplink is physically plugged into a single one of the EdgeConnect appliances but is available to both in the cluster. For WAN connections that perform NAT (for example, a consumer-grade Broadband Internet connection), it means that only a single Public IP needs to be provisioned in order for both EdgeConnect devices in the EdgeConnect HA cluster to be able to build Business Intent Overlays using that transport resource.

Enabling EdgeConnect HA Mode

1. In the appliance tree, select the appliance, and then right-click to select Deployment from the contextual menu. The appliance's Deployment page appears.
2. Select the EdgeConnect HA check box.
3. Configure the interfaces (LAN and WAN-side) on both EdgeConnect devices to reflect the WAN connections that are plugged into each one of the respective appliances.
NOTE: Both EdgeConnect devices will be able to leverage all WAN connections regardless of which chassis they are physically plugged into. It is, however, important to match the deployment profile interface configuration to the actual chassis the WAN connection is physically, directly connected to.
4. Select the physical ports on the respective EdgeConnect appliances that you will connect to each other using an Ethernet cable (RJ- twisted pair or SR optical fiber).
NOTE: You can choose any LAN or WAN port combination for this HA Link that is available on the respective EdgeConnect chassis. You must match the media type and speed for both ends of the HA link. (For example, Gigabit-Ethernet RJ- to RJ- or Gigabit-Ethernet multimode fiber LC-connector-to-LC-connector). Also, note that you cannot use MGMT ports for the HA Link; only LAN or WAN ports.

IPSec UDP Tunnel Configuration

For both EdgeConnect appliances in a high availability cluster to be able to share a common transport connection, you must set the tunnel type to IPSec over UDP mode.

See Tunnel Settings in the Orchestrator (Orchestrator > Orchestrator Server > Tools > Tunnel Settings).

NOTE: If you are deploying a network with EdgeConnect appliances running VXOA . . or higher and Orchestrator . or higher, the tunnel type is already set to IPSec over UDP mode by default.

VRRP Configuration
Typically, in a branch site deployment, you will choose to configure the cluster with a VRRP protocol and assign a VIP (virtual IP) address to the cluster.
· Set the VRRP priority of the preferred LAN-side Primary EdgeConnect to .
· Set the other, Secondary appliance's VRRP priority to .

LAN-side Monitoring
The IP SLA feature should be configured to monitor the LAN-side VRRP state in order to automatically disable subnet sharing from that appliance in the case of a LAN link failure. For more information, refer to the IP SLA configuration guide.


Firewall Zones
Configuration > Overlays & Security > Security > Firewall Zones
Zone-based firewalls are created on the Orchestrator.
· A zone is applied to an Interface.
· By default, traffic is allowed between interfaces labeled with the same zone.
· Any traffic between interfaces with different zones is dropped.
· Users can create exception rules (Security Policies) to allow or deny traffic between interfaces within the same or different zones.

NOTE: "Default" will always be the initial default zone. You cannot have another zone named "Default".
NOTE: The name of your firewall cannot exceed characters and cannot contain any special characters. It can contain alphanumeric characters and underscores only.
Internet Traffic
Configuration > Overlays & Security > Internet Traffic Definition
Internet traffic is any traffic that does NOT match the internal subnets listed in this dialog box.

IPSec Pre-Shared Key Rotation

Configuration > Overlays & Security > Security > IPSec Key Rotation
Use this dialog box to schedule the rotation of auto-generated IPSec pre-shared keys.

F

H

O

R

Orchestrator distributes key material to all EdgeConnect appliances in the network. Immediately before the end of a key rotation interval, Orchestrator activates new ephemeral key material for all of the EdgeConnect appliances in the SD-WAN network. For key activation, all the appliances should be reachable by Orchestrator. However, there are two cases of unreachability:

1. Inactive appliances: When appliances are inactive, they exist in the Orchestrator, but do not have tunnels configured to any active appliances.
2. Temporary unreachability: Temporary unreachability issues occur in cases where an EdgeConnect appliance reboots or if there is a link or communication failure. In this case, Orchestrator will not activate the new key material until all active appliances are reachable and have received the new key material, or until the maximum activation wait time has been exceeded. If the appliance is unreachable for a period longer than the key rotation interval, it will be treated as an inactive appliance.

Re-authorization: Inactive appliances that become active at a later point in time will be authorized to receive the current key material. Only then will they be able to download configurations and build tunnels.


Schedule IPSec Key Rotation Dialog Box

The Schedule IPSec Key Rotation dialog box enables you to schedule your key rotation. The following tables provide details about the two sections in this dialog box.

SD-WAN IPSec UDP Key Material Rotation Section

Enable Key Rotation: Select this check box to enable key rotation.
Persist Key Material: If enabled, key material is stored on each appliance, ensuring data plane tunnels are built quickly after an appliance reboot (no dependency on Orchestrator). If disabled, new key material from Orchestrator is required after any reboot (Orchestrator reachability is critical).
Max Activation Wait: Maximum time (in hours) Orchestrator must wait before activating the new key material. This wait time applies only when unreachable appliances exist in the network and at least one tunnel is UP from a reachable appliance to an unreachable appliance. This gives you time to fix connectivity issues. After the wait time expires, Orchestrator activates the new key material on all reachable appliances. Generally, it is recommended to set this wait time to half of the rotation period.
Rotation Period: Click the edit icon to set the rotation and the time you want the key material rotation to begin. Click Force Rotate to immediately start a new key material rotation.
Key Material Lifetime: Amount of time a key material lasts.
CAUTION: The lifetime must be at least three times the amount of the set Rotation Period.
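The activation rules described above (inactive versus temporarily unreachable appliances, the Max Activation Wait, the lifetime and wait-time constraints) as an added Python model written for this guide; it is not Orchestrator code. The names Appliance, validate_schedule, classify and decide_activation are assumptions, and the "at least one tunnel UP to an unreachable appliance" condition is simplified to a has_tunnels flag.

```python
"""Model of the IPSec key-material rotation rules described in this section.

Added illustration for this guide, not Orchestrator code. All names here are
assumptions; the tunnel-UP condition is reduced to a has_tunnels flag.
"""
from dataclasses import dataclass
from typing import List


def validate_schedule(rotation_period_h: float, lifetime_h: float,
                      max_activation_wait_h: float) -> List[str]:
    """Return the problems found in a proposed schedule (empty list = OK).

    Constraints taken from the dialog-box description:
      * Key Material Lifetime must be at least three times the Rotation Period
      * Max Activation Wait is recommended to be half of the Rotation Period
    """
    problems = []
    if rotation_period_h <= 0:
        problems.append("rotation period must be positive")
    if lifetime_h < 3 * rotation_period_h:
        problems.append("lifetime must be at least three times the rotation period")
    if max_activation_wait_h > rotation_period_h / 2:
        problems.append("max activation wait exceeds the recommended half rotation period")
    return problems


@dataclass
class Appliance:
    name: str
    has_tunnels: bool               # False: no tunnels to active peers (inactive)
    reachable: bool
    unreachable_for_h: float = 0.0  # hours since Orchestrator last reached it
    received_new_key: bool = False  # new material already delivered


def classify(a: Appliance, rotation_period_h: float) -> str:
    """Map an appliance to one of the states the section describes."""
    if not a.has_tunnels:
        return "inactive"
    if a.reachable:
        return "reachable"
    if a.unreachable_for_h > rotation_period_h:
        return "inactive"   # unreachable longer than the rotation interval
    return "temporarily_unreachable"


def decide_activation(appliances: List[Appliance], rotation_period_h: float,
                      max_activation_wait_h: float, hours_waited: float) -> str:
    """Decide what Orchestrator does at the end of a rotation interval.

    Returns "activate" or "wait". Inactive appliances never block activation;
    they are re-authorized for the current material when they come back.
    """
    states = {a.name: classify(a, rotation_period_h) for a in appliances}
    pending = [a for a in appliances
               if states[a.name] == "temporarily_unreachable"]
    missing = [a for a in appliances
               if states[a.name] == "reachable" and not a.received_new_key]
    if not pending and not missing:
        return "activate"
    # Waiting only buys time while an active appliance is temporarily
    # unreachable; once Max Activation Wait expires, reachable appliances
    # are activated anyway.
    if hours_waited >= max_activation_wait_h:
        return "activate"
    return "wait"


def reauthorize(a: Appliance) -> bool:
    """An inactive appliance that comes back is authorized for the current
    key material; only then can it download configuration and build tunnels."""
    if a.reachable:
        a.received_new_key = True
    return a.received_new_key
```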

SD-WAN IPSec Pre-shared Key Rotation Section

Enable: Select this check box to enable.
Period: Click the edit icon to set the time when you want the key rotation to begin.

Intrusion Detection System (IDS)
Configuration > Overlays & Security > Security > Intrusion Detection System (IDS)
The Intrusion Detection System (IDS) can monitor traffic for potential threats and malicious activity and generates threat events based on preconfigured rules. Packets are copied and inspected against signatures downloaded to Orchestrator from Cloud Portal. Orchestrator sends appliances the signature file and any rules that have been added to the allow list. Traffic is designated for inspection using matching rules enabled in the zone-based firewall.
Use the Intrusion Detection System tab to view status or modify the IDS configuration for appliances selected in the appliance tree. The following information is displayed for selected appliances:


Appliance: Name of the appliance.
Status: Indicates whether or not IDS is enabled on the selected appliance.
Events: Click Show Last Events to see the most recent IDS events on the selected appliance.
Stats: Click Show Stats to see the following IDS statistics for the selected appliance: Decoder Packets, Kernel Drops, Alerts Detected, and Decoder Bytes.

Prerequisites
Note the following requirements about using IDS:
· IDS can be enabled only on appliances with a minimum of four cores and GB of RAM.
· IDS can be enabled only on appliances running ECOS . . . or later, and appliances running an earlier version of ECOS will not be displayed on the Intrusion Detection System tab.
· IDS is a licensed feature and can be enabled only on appliances that have been assigned the Advanced Security license (see help text on the Configuration > Overlays & Security > Licensing > Licenses tab).
NOTE: IDS alarms are logged in standard syslog format. You can configure a logging facility for IDS and remote log receiver to send logs to a third party for additional review and analytics (see Advanced Reporting and Analytics below).

Enable or Disable IDS on Appliances

Click Enable IDS on Appliances to add (enable) or remove (disable) IDS on all appliances displayed in the table.


1. Select the Add check box to enable IDS on the appliances or select the Remove check box to disable IDS on the appliances.
The proposed change in state, if any, is displayed for each appliance in the IDS State column.
2. Click Save to apply your changes or click Cancel to close the dialog box without making any changes.

Enable or Disable Rules (IDS Allow List)

By default, all rules included in the IDS signature list are enabled on all appliances where IDS is enabled. For certain traffic or in some specific cases, however, you might want to disable logging and alarms for a rule by adding it to the IDS allow list.

1. To manage which IDS rules are enabled and disabled, click IDS Allow List. The Allow IDS Rules dialog box opens.


2. Use the search field at the top of the table to filter the list of rules. You can click Show Allowed Rules or Show All Rules to display only disabled rules or all rules, respectively.
NOTE: If you disable or enable any rules, and then toggle the display between allowed and all rules without saving, your changes will be undone.
3. Use the check box in the Allow column to disable or enable rules:
· To disable a rule and add it to the allow list, select the check box.
· To enable a rule and remove it from the allow list, clear the check box.
4. Click Save to apply your changes or click Cancel to close the dialog box without making any changes.

Select Traffic to Be Inspected

You can specify the traffic to be inspected according to source and destination zone, as well as specify detailed match criteria, using Firewall Zone Security Policies.


With the addition of IDS, firewall actions have the following meanings:
· allow: Allow traffic and do not inspect
· deny: Deny traffic and do not inspect
· inspect: Allow traffic and inspect
NOTE: No traffic will be inspected until rules with the inspect action are specified in the security policy. For more information, see the following tabs in Orchestrator:
· Templates (Security Policies): Configuration > Templates & Policies > Templates
· Routing Segmentation: Configuration > Networking > Routing > Routing Segmentation (VRF)
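The zone defaults from the Firewall Zones tab (same zone allowed, different zones dropped, Security Policy rules as exceptions) together with the three IDS-aware actions, as an added Python model written for this guide; it is not EdgeConnect code. The Flow and SecurityRule types, first-match rule evaluation, and the sample rule set are assumptions constructed here.

```python
"""Model of zone-based firewall defaults plus the IDS "inspect" action.

Added illustration for this guide, not EdgeConnect code. Flow, SecurityRule,
first-match evaluation and SAMPLE_RULES are assumptions constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW, DENY, INSPECT = "allow", "deny", "inspect"


@dataclass(frozen=True)
class Flow:
    src_zone: str       # FW Zone of the ingress interface
    dst_zone: str       # FW Zone of the egress interface
    proto: str
    dst_port: int


@dataclass(frozen=True)
class SecurityRule:
    """One exception rule in a Firewall Zone Security Policy."""
    src_zone: str
    dst_zone: str
    action: str
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and self.proto in (None, f.proto)
                and self.dst_port in (None, f.dst_port))


def evaluate(f: Flow, rules: List[SecurityRule]) -> Tuple[str, bool]:
    """Return (action, inspected) for a flow.

    Defaults from the Firewall Zones tab: same zone -> allow, different
    zones -> deny. A matching Security Policy rule overrides the default,
    and only the "inspect" action hands a copy of the packets to IDS, so
    nothing is inspected until at least one inspect rule exists.
    """
    for r in rules:                      # first matching rule wins (assumption)
        if r.matches(f):
            if r.action not in (ALLOW, DENY, INSPECT):
                raise ValueError(f"unknown firewall action {r.action!r}")
            return r.action, r.action == INSPECT
    default = ALLOW if f.src_zone == f.dst_zone else DENY
    return default, False


def anything_inspected(rules: List[SecurityRule]) -> bool:
    """True only if the policy carries at least one rule with the inspect action."""
    return any(r.action == INSPECT for r in rules)


# Constructed sample policy: HTTPS from the lan zone to the internet zone is
# permitted and sent to IDS; telnet between interfaces inside the lan zone
# is denied even though same-zone traffic is allowed by default.
SAMPLE_RULES = [
    SecurityRule("lan", "internet", INSPECT, proto="tcp", dst_port=443),
    SecurityRule("lan", "lan", DENY, proto="tcp", dst_port=23),
]
```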

Advanced Reporting and Analytics

For users who are using or trying Splunk, you can install the Aruba EdgeConnect application to enable advanced reporting and analytics using the IDS alarms forwarded from EdgeConnect appliances. Search Splunkbase for "EdgeConnect" or click this link to search in your browser.


Follow the instructions provided to install and configure the application.
SSL Certificates Tab
Configuration > Overlays & Security > SSL > SSL Certificates
EdgeConnect provides deduplication for Secure Socket Layer (SSL) encrypted WAN traffic by supporting the use of SSL certificates and other keys.

This report summarizes the SSL certificates installed on appliances for decrypting non-SaaS traffic.
· EdgeConnect decrypts SSL data using the configured certificates and keys, optimizes the data, and transmits data over an IPSec tunnel. The peer EdgeConnect appliance uses configured SSL certificates to re-encrypt data before transmitting.
· Peers that exchange and optimize SSL traffic must use the same certificate and key.
· For the SSL certificates to function, the following must also be true:
- The tunnels are in IPSec or IPSec UDP mode for both directions of traffic.
- In the Optimization Policy, TCP acceleration and SSL acceleration are enabled.
TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, click here.

SSL Certificates Edit Row
Use this page for SSL Certificates when the server is part of your enterprise network and has its own enterprise SSL certificates and key pairs.
NOTE: For SSL decryption of SaaS services, use the Configuration > Overlays & Security > SSL > SSL for SaaS page. Because SaaS servers are external to your enterprise network, the appliance creates a substitute certificate, which then must be signed by a Certificate Authority (CA).
EdgeConnect provides deduplication for Secure Socket Layer (SSL) encrypted WAN traffic by supporting the use of SSL certificates and keys:
· EdgeConnect decrypts SSL data using the configured certificates and keys, optimizes the data, and transmits data over an IPSec tunnel. The peer EdgeConnect appliance uses configured SSL certificates to re-encrypt data before transmitting.
· Peers that exchange and optimize SSL traffic must use the same certificate and key.
· Use this page to directly load the certificate and key into this appliance.
- You can add either a PFX certificate (generally, for Microsoft servers) or a PEM certificate.
- The default is PEM when PFX Certificate File is deselected.
- If the key file has an encrypted key, enter the passphrase needed to decrypt it.
· Before installing the certificates, you must do the following:
- Configure the tunnels bilaterally for IPSec mode. To do so, access the Configuration > Networking > Tunnels > Tunnels page, select the tunnel, and for Mode, select IPSec.
- Verify that TCP acceleration and SSL acceleration are enabled. To do so, access the Configuration > Templates & Policies > Optimization Policies page, and then review the Set Actions.
TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, click here.


SSL CA Certificates Tab
Configuration > Overlays & Security > SSL > SSL CA Certificates

This tab lists the installed Certificate Authority (CA) certificates that the browser uses to validate the certificate chain up to the root CA.

If the enterprise CA certificate that you use for signing substitute certificates is subordinate to higher-level Certificate Authorities (CAs), you must add those CA certificates. If the browser cannot validate the chain up to the root CA, it warns that it cannot trust the certificate.
TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, click here.
SSL CA Certificates Edit Row
If the enterprise CA certificate you use for signing substitute certificates is subordinate to higher-level Certificate Authorities (CAs), you must add those CA certificates here. Those same CA certificates must also be present in the browser. If the browser cannot validate the chain up to the root CA, it warns that it cannot trust the certificate.
· Use this page to directly load the CA certificate into the appliance.
- You can add either a PFX certificate (generally, for Microsoft servers) or a PEM certificate.
- The default is PEM when PFX Certificate File is deselected.
· EdgeConnect supports:
- X Privacy Enhanced Mail (PEM), Personal Information Exchange (PFX), and RSA key -bit and -bit certificate formats.
- SAN (Subject Alternative Name) certificates. SAN certificates enable sharing of a single certificate across multiple servers and services.
TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, click here.
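As an added example that is not part of this guide or of the EdgeConnect software, the following Python script performs the checks an operator would want before uploading files on the SSL Certificates page and the SSL CA Certificates page above: it tells PEM from PFX so the PFX Certificate File setting matches the file, flags an encrypted key so you know a passphrase is required, computes the SHA-256 fingerprint of each certificate so the two peers can be confirmed to hold the same certificate, and walks the issuer and subject fields of a PEM chain to find where validation up to the root CA would break. The DER parsing follows the RFC 5280 field order; the fake_cert_pem helper and its common names are constructed stand-ins (correct structure, no key and no valid signature) so the script runs offline, and the file formats and the leaf-first, root-last chain order are assumptions, not statements from this guide.

```python
import base64
import hashlib
import re

# Added example, not Orchestrator or EdgeConnect code: local checks on certificate, key and CA files
# before they are uploaded on the SSL Certificates / SSL CA Certificates pages. Assumed: PEM files
# carry BEGIN/END armor, PFX files are raw DER (PKCS#12), chains are loaded leaf first, root last.

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def detect_format(data: bytes) -> str:
    """Tell PEM from PFX so the 'PFX Certificate File' setting matches the file being uploaded."""
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":          # DER always opens with an ASN.1 SEQUENCE tag
        return "PFX/DER"
    return "unknown"

def pem_blocks(data: bytes) -> list:
    """[(label, DER bytes)] per armored block; a legacy encrypted key yields None for its bytes."""
    blocks = []
    for label, body in PEM_BLOCK.findall(data):
        encrypted = b"Proc-Type: 4,ENCRYPTED" in body      # passphrase needed before it is usable
        blocks.append((label.decode(), None if encrypted else base64.b64decode(body)))
    return blocks

def key_needs_passphrase(key_file: bytes) -> bool:
    """True when the key is encrypted (PKCS#8 ENCRYPTED PRIVATE KEY or legacy Proc-Type header)."""
    return b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in key_file or b"Proc-Type: 4,ENCRYPTED" in key_file

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate; equal values on both peers mean the same certificate."""
    return hashlib.sha256(der).hexdigest()

def _tlv(buf: bytes, pos: int):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length

def _children(buf: bytes, start: int, end: int) -> list:
    """Split a constructed DER value into (tag, raw TLV bytes) elements."""
    items, pos = [], start
    while pos < end:
        tag, _, value_end = _tlv(buf, pos)
        items.append((tag, buf[pos:value_end]))
        pos = value_end
    return items

def issuer_and_subject(der: bytes):
    """Raw DER Name encodings of issuer and subject, using the RFC 5280 TBSCertificate field order."""
    _, start, end = _tlv(der, 0)                   # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs = _children(der, start, end)[0]
    _, start, end = _tlv(tbs, 0)
    fields = _children(tbs, start, end)
    i = 1 if fields[0][0] == 0xA0 else 0           # optional [0] EXPLICIT version comes first
    return fields[i + 2][1], fields[i + 4][1]      # serial, sigAlg, issuer, validity, subject

def chain_breaks(bundle: bytes) -> list:
    """Where the browser's walk up the chain would fail: each certificate must be issued by the
    next one in the bundle and the last one must be the self-signed root."""
    certs = [der for label, der in pem_blocks(bundle) if label == "CERTIFICATE"]
    problems = []
    for n in range(len(certs) - 1):
        issuer, _ = issuer_and_subject(certs[n])
        _, next_subject = issuer_and_subject(certs[n + 1])
        if issuer != next_subject:
            problems.append(f"certificate {n} is not issued by certificate {n + 1}")
    if certs:
        issuer, subject = issuer_and_subject(certs[-1])
        if issuer != subject:
            problems.append("last certificate is not self-signed: the root CA is missing from the bundle")
    return problems

# Constructed stand-in certificates: real field order and encoding, but no key and no valid signature.
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content

def _name(common_name: str) -> bytes:
    # Name ::= SEQUENCE OF SET OF { id-at-commonName 2.5.4.3, PrintableString }
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, common_name.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert_pem(subject: str, issuer: str) -> bytes:
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"230101000000Z") + _der(0x17, b"240101000000Z"))
    spki = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))
                + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + _name(issuer) + validity + _name(subject) + spki)
    der = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Run chain_breaks over the server certificate followed by the CA certificates you intend to load on the SSL CA Certificates tab: an empty result means every link in the chain is present and in order, and a "root CA is missing" message is exactly the case the note above describes, where the browser stops short of a trusted root. Compare fingerprint output from both peers before enabling SSL acceleration between them.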

SSL for SaaS Tab
Configuration > Overlays & Security > SSL > SSL for SaaS

This report lists the signed substitute certificates for the appliances.

To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it. To do so, the appliance generates a substitute certificate that must then be signed by a Certificate Authority (CA). There are two possible signers:
For a Built-In CA Certificate, the signing authority is Silver Peak.

· The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of Concept (POC) and when compliance is not a big concern.
· To avoid browser warnings, follow up by importing the certificate into the browser from the client-side appliance.
For a Custom CA Certificate, the signing authority is the Enterprise CA.
· If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from here.
· If this substitute certificate is subordinate to a root CA certificate, also install the higher-level SSL CA certificates (into the SSL CA Certificates template) so that the browser can validate up the chain to the root CA.
· If you do not already have a subordinate CA certificate, you can access any appliance's Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization page and generate a Certificate Signing Request (CSR).
TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, click here.

SSL for SaaS Edit Row
To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it.
To do so, the appliance generates a substitute certificate that then must be signed by a Certificate Authority (CA). There are two possible signers:
· For a Built-In CA Certificate, the signing authority is Silver Peak.
- The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of Concept (POC) and when compliance is not a big concern.
- To avoid browser warnings, follow up by importing the certificate into the browser from the client-side appliance.
· For a Custom CA Certificate, the signing authority is the Enterprise CA.
- If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from here.
- If this substitute certificate is subordinate to a root CA certificate, also install the higher-level SSL CA certificates (via Configuration > Overlays & Security > SSL > SSL CA Certificates) so that the browser can validate the chain up to the root CA.
- If you do not already have a subordinate CA certificate, you can access any appliance's Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization page and generate a Certificate Signing Request (CSR). The workflow basically follows this pattern:
1. Click Generate Certificate Signing Request and complete the Certificate Information requested in the dialog box.
2. Save the CSR and the Private Key.
3. Submit the CSR to your enterprise CA to obtain a Subordinate CA Certificate.


4. After approvals are complete and the subordinate CA certificate is in hand, navigate to the Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization page.
5. Under Custom CA Certificate, click Upload and Replace to import the subordinate CA certificate.

Discovered Appliances
Configuration > Overlays & Security > Discovery > Discovered Appliances

This tab lists each appliance that Orchestrator discovers.

· To enable Orchestrator to manage an appliance after you verify its credentials, click Approve.
· If the appliance does not belong in your network, click Deny. If you want to include it later, click Show Denied Devices, locate it in the table, and click Approve.
· As a security measure to prevent unauthorized management of your network, any Orchestrator with your Account Name and Account Key must be approved by the originally deployed Orchestrator. To view the approved Orchestrators, click Show Approved Orchestrators.

Preconfigure Appliances
Configuration > Overlays & Security > Discovery > Preconfiguration

Use this page to prepopulate flat data files that are matched with appliances as you add them to your network.

The information in the files is a combination of items found in the Appliance Configuration Wizard, along with site-specific information such as BGP, OSPF, IP SLA rules, VRRP, interfaces, and addressing. You can create a new file or clone (and rename) an existing one. Make any changes with the built-in editor. After the appliance is discovered and approved, software upgrade and configuration push are done automatically.

New or Clone

Name: Assigns a name to the preconfiguration file.
Comment: Optional descriptive field.
Auto Approve when Discovered: When selected, Orchestrator finds the appliance that matches the Discovery Criteria and automatically loads it without user intervention. When deselected, the user is prompted to manually approve the association of the preconfiguration file to the appliance. Because auto-approval skips the credential check described on the Discovered Appliances tab, make the Discovery Criteria specific (for example, the serial number).
Serial: Serial number of the appliance that is to receive this configuration.
Appliance Tag: Free-form text or unique identifier that an administrator can associate with the appliance. Available as a discovery criterion for EC-Vs.

Appliance Configuration Wizard
Configuration > Overlays & Security > Discovery > Configuration Wizard

Use this wizard to set up a newly added appliance or to reconfigure an appliance that is already in your network.


NOTE: Orchestrator assumes you will be pushing many of the same configuration items to each appliance. To that end, it surveys the templates and Overlay prerequisite items and displays the Recommended Configuration list, showing what comprehensive items you have and have not yet configured.


EC-Enterprise Licenses

Configuration > Overlays & Security > Licensing > Licenses
· This page lists the appliance model, serial number, hostname, feature licenses, and license terms for the appliances selected in the appliance tree.
· You can add, edit, or revoke EdgeConnect (EC) licenses from an appliance.
· A license summary including the number of used licenses and total number of available licenses is displayed above the table. The expiration date of the Boost license and each feature license is also listed.
NOTE: EdgeConnect stops passing tra ic when a license expires.

Assign Licenses to Appliances

1. In the appliance tree, select one or more appliances to display in the table.
2. Do one of the following:
· To assign licenses to one appliance, click the Edit icon next to that appliance.
· To assign licenses in bulk (to all appliances in the table), click Assign Licenses to Appliances.
NOTE: To assign licenses in bulk, all appliances must be on the same software version.
The Assign Licenses to Appliances dialog box opens.
3. Complete the following elements as needed:


EC: Select the Add/Replace check box, and then select the EC size from the list (Mini, Base, Base + Plus, one of the listed Mbps or Gbps tiers, or Unlimited).
Boost: Select the Add/Replace check box, and then enter the amount of Boost to apply to the EC.
Feature licenses: To add a feature license, select the Add/Replace check box. If required, select a license option from the list and specify a quantity, such as amount of bandwidth.

4. To revoke a license or Boost, select the Revoke check box next to the license or Boost you want to revoke.
NOTE: If you revoke an EC license from an appliance, Silver Peak will revoke the Boost license and all feature licenses from that appliance.
NOTE: You must revoke the license from an appliance before you can RMA it. For more information on how to RMA an appliance, see RMA Wizard.
5. Click Apply.

EC-Metered Licenses
Configuration > Overlays & Security > Licensing > Licenses

To filter the list, click one of the following buttons:
EC-Metered License: Display the EC-metered licenses for all appliances selected in the appliance tree. To filter the list, click one of the following buttons:
- All: Display all appliances.
- Boost: Display appliances with Boost licenses granted.
- Feature license: Display appliances with this feature license granted.
Bandwidth Usage Report: Display the bandwidth usage report for all appliances selected in the appliance tree. To aggregate the usage report, click Summary, Appliance, or Daily, and then select a month and year.
Feature License Usage Report: Display the feature license usage report for all appliances selected in the appliance tree. To aggregate the usage report, click Summary, Appliance, or Daily, and then select a month and year.


· This page lists the appliance model, serial number, hostname, and feature licenses for the appliances selected in the appliance tree.
· You can add, edit, or revoke EdgeConnect (EC) licenses from an appliance.
NOTE: EdgeConnect stops passing traffic when a license expires.

Assign Licenses to Appliances

1. In the appliance tree, select one or more appliances to display in the table.
2. Do one of the following:
· To assign licenses to one appliance, click the Edit icon next to that appliance.
· To assign licenses in bulk (to all appliances in the table), click Assign Licenses to Appliances.
NOTE: To assign licenses in bulk, all appliances must be on the same software version.
The Assign Licenses to Appliances dialog box opens.
3. Complete the following elements as needed:

EC: Select the Add/Replace check box to apply the EC-metered license.
Boost: Select the Add/Replace check box, and then enter the amount of Boost to apply to the EC.
Feature licenses: To add a feature license, select the Add/Replace check box. If required, select a license option from the list and specify a quantity, such as amount of bandwidth.

4. To revoke a license or Boost, select the Revoke check box next to the license or Boost you want to revoke.
NOTE: If you revoke an EC license from an appliance, Silver Peak will revoke the Boost license and all feature licenses from that appliance.
NOTE: You must revoke the license from an appliance before you can RMA it. For more information on how to RMA an appliance, see RMA Wizard.
5. Click Apply.

Bandwidth Usage Report

This page lists the maximum outbound bandwidth usage, maximum inbound bandwidth usage, and Boost bandwidth for the account.
To aggregate the usage report, click Summary, Appliance, or Daily, and then select a month and year.

Feature License Usage Report

This page lists the feature license usage report for the account.


To aggregate the usage report, click Summary, Appliance, or Daily, and then select a month and year.

Cloud Portal
Configuration > Overlays & Security > Licensing > Cloud Portal
Orchestrator > Orchestrator Server > Licensing > Cloud Portal

The Cloud Portal is used to register cloud-based features and services, such as SaaS optimization and EdgeConnect.

· When you purchase one of these services, an Account Name and instructions to obtain your Account Key are sent to you. You will use these to register your appliances. Treat the Account Key as a credential: as noted on the Discovered Appliances tab, any Orchestrator presenting your Account Name and Account Key can attempt to join your network, subject to approval by the originally deployed Orchestrator.
· The cloud portal populates the Contact field from information included in your purchase order.
· Use of these services requires that your appliances can access the cloud portal via the Internet.
Configuration > Networking
The options under Configuration > Networking focus on configuring components of your network, such as deployments, interfaces, loopback, virtual tunnel interfaces (VTIs), and DHCP. Other options are related to configuring routes and tunnels.
Deployment Tab
Configuration > Networking > Deployment

This tab provides summary and detailed views of the selected appliance's deployment settings.

To change an appliance's deployment settings, click the Edit icon next to the name of the desired appliance.
The following table describes the fields on the Summary view of this tab.

Appliance Name: Name of the deployed appliance.
HA: Name of the appliance with which this appliance is paired for EdgeConnect High Availability (HA).
Mode: Indicates the deployment mode for the appliance:
- Inline Router: Uses separate LAN and WAN interfaces to route data traffic.
- Bridge: Uses a virtual interface, bvi, created by binding the WAN and LAN interfaces.
- Server: Both management and data traffic use the mgmt interface.
Outbound Bandwidth: Deployment's total outbound bandwidth in Kbps.
Inbound Bandwidth: Deployment's total inbound bandwidth in Kbps.
WAN Labels Used: Identify the service, such as MPLS or Internet.
LAN Labels Used: Identify the traffic type, such as data, VoIP, or replication.
Segment: Names of the segments used for this appliance deployment.
Details: Select the information icon to view further deployment details of an appliance.

The following table describes the fields on the Details view of this tab.

Appliance Name: Name of the deployed appliance.
Interface: Name of the LAN or WAN interface.
Label: Label mapped to the interface. LAN labels refer to the traffic type, such as VoIP, data, or replication. WAN labels refer to the service or connection type, such as MPLS, internet, or Verizon.
Zone: Firewall zone applied to the interface.
Segment: Name of the segment used for this interface.
IP/Mask: Interface's IP address and subnet mask.
WAN/LAN Side: Indicates whether the interface is WAN-side or LAN-side.
Next Hop: Deployment interface's next hop router address.
Public IP: Public IP address.
Inbound: Interface's inbound bandwidth in Kbps.
Outbound: Interface's outbound bandwidth in Kbps.
NAT: Indicates whether the appliance is behind a NAT-ed interface.


Firewall Mode: Indicates the firewall mode for the appliance's WAN-side interface:
- Allow All: Permits unrestricted communication.
- Stateful: Only allows communication from the LAN side to the WAN side. Used if the interface is behind the WAN edge router.
- Stateful+SNAT: Applies Source NAT to outgoing traffic. Used if the interface is directly connected to the Internet.
- Harden: For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets that terminate on an EdgeConnect appliance. For traffic outbound to the WAN, the appliance only allows IPSec tunnel packets and management traffic that terminate on an EdgeConnect appliance.
DHCP: Indicates whether the interface's IP address is obtained from the DHCP server.
HA Interface: Indicates whether the interface is part of an EdgeConnect High Availability (HA) link.
Comment: Additional information for this deployment interface.

Deployment Dialog Box

The three deployment modes are Bridge, Router, and Server.
WARNING: ALWAYS use Router mode unless you have a legacy, WAN Optimization-specific use case and are well acquainted with the requirements of Bridge or Server mode deployments.

EdgeConnect HA

EdgeConnect High Availability (HA) mode is a high availability cluster configuration that provides appliance redundancy by pairing two EdgeConnect devices together.
When you configure two EdgeConnect appliances in EdgeConnect HA mode, the resilient cluster acts as a single logical system for orchestrated WAN functions. It extends the robust SD-WAN multipathing capabilities, such as Business Intent Overlays, seamlessly across the two devices as though they were one entity.
With EdgeConnect HA mode, a WAN uplink is physically plugged into a single one of the EdgeConnect appliances but is available to both in the cluster. For WAN connections that perform NAT (for example, a consumer-grade Broadband Internet connection), it means that only a single Public IP needs to be provisioned in order for both EdgeConnect devices in the EdgeConnect HA cluster to be able to build Business Intent Overlays using that transport resource. The same is true for orchestrated tunnels to third-party cloud services, such as Zscaler and AWS Transit Gateway.
NOTE: EdgeConnect HA mode provides clustering for WAN-side functions only. You must select and configure an appropriate LAN-side redundancy mechanism for a given business location. Available options are VRRP+IP SLA, BGP, and OSPF.
To enable EdgeConnect HA:

1. Select the EdgeConnect HA check box.


2. Configure the interfaces (LAN-side and WAN-side) on both EdgeConnect devices to reflect the WAN connections that are plugged into each of the respective appliances.
NOTE: Both EdgeConnect devices can use all WAN connections regardless of which chassis they are physically plugged into. It is, however, important to match the interface configuration displayed on the Deployment dialog box to the chassis the WAN connection is physically and directly connected to.
3. Select the physical ports on the respective EdgeConnect appliances that you will connect to each other using an Ethernet cable (RJ- twisted pair or SR optical fiber).
NOTE: You can choose any LAN or WAN port combination for this HA Link that is available on the respective EdgeConnect chassis. You must match the media type and speed for both ends of the HA link (for example, Gigabit-Ethernet RJ- to RJ- or Gigabit-Ethernet multimode fiber LC-connector-to-LC-connector). Also, note that you cannot use MGMT ports for the HA Link; only LAN or WAN ports.
IPSec over UDP Tunnel Configuration
For both EdgeConnect appliances in a high availability cluster to be able to share a common transport connection, you must set the tunnel type to IPSec over UDP mode. This is the default tunnel mode for all deployments running ECOS . . /Orchestrator . or later.
NOTE: For SD-WAN fabrics upgraded from earlier releases, see Tunnel Settings in Orchestrator (Orchestrator > Orchestrator Server > Tools > Tunnel Settings) to change to IPSec over UDP mode.
You must configure the same site name for both appliances in the EdgeConnect HA pair so that Orchestrator assigns a unique IPSec UDP port number to each appliance.
LAN-side High Availability
Typically, in a branch site deployment, you will choose to configure the cluster with VRRP+IP SLA to modify priority and subnet sharing metrics based on VRRP and WAN interface status. For more advanced deployments with Layer routers or switching on the LAN side, BGP or OSPF can be configured. For details, refer to the EdgeHA High Availability Deployment Guide.

LAN-side Monitoring
The IP SLA feature should be configured to monitor the LAN-side VRRP state in order to automatically disable subnet sharing from that appliance in the case of a LAN link failure. For more information, refer to the IP SLA configuration guide.

Mapping Labels to Interfaces

· On the LAN side, labels are optional. You can use them as match criteria for Business Intent Overlay ACLs, such as data, VoIP, or replication.
· On the WAN side, labels identify the link type, such as MPLS or Internet. These labels are mandatory. Orchestrator uses them to build Business Intent Overlay policies.
· To create or manage a global pool of labels, either:
- Navigate to Configuration > Overlays & Security > Deployment Profiles, click the Edit icon next to Label, and make the appropriate changes, or
- Navigate to Configuration > Overlays & Security > Interface Labels and make the appropriate changes.


· The change you make to a label propagates automatically. For example, it renames tunnels that use that labeled interface.

LAN-side Configuration: Segment and Firewall Zone

EdgeConnect Segmentation (VRF) provides orchestrated Layer segmentation, Zone Based Firewall, and IDS, end-to-end across the SD-WAN fabric. Segment and zone policies are global in scope. They are managed on the Configuration > Networking > Routing > Routing Segmentation (VRF) tab.
Segments and zones are then assigned to LAN-side interfaces for each appliance by using the Deployment dialog box. By default, the Segment and FW Zone fields on LAN interfaces are set to the system-generated Default segment. You can select a different segment and firewall zone from the drop-down lists. These lists reflect the segments and zones that are set up on the Routing Segmentation (VRF) tab.
NOTE: The segment for WAN interfaces cannot be changed.

LAN-side Configuration: DHCP

· By default, each LAN IP acts as a DHCP Server when the appliance is in (the default) Router mode.
· The global defaults are set in Configuration > Networking > DHCP > DHCP Server Defaults and pre-populate this page. The other choices are No DHCP and having the appliance act as a DHCP/BOOTP Relay.
· To customize an individual interface on the Deployment screen, click the DHCP-related link under the IP/Mask field. The DHCP Settings dialog box opens.
The following tables describe the various DHCP settings you can configure.

DHCP Server

Subnet Mask: Mask that specifies the default number of IP addresses reserved for any subnet. For example, entering reserves IP addresses.
IP Range: You can designate one or more IP address ranges available for use. Specify Start IP and End IP addresses. To add another IP address range, click Add. IMPORTANT: Multiple IP ranges cannot overlap.
Default lease, Maximum lease: Specify, in hours, how long an interface can keep a DHCP-assigned IP address.
Gateway IP: Specifies the IP address for the gateway to use.
DNS server(s): Specifies the associated Domain Name System servers.
NTP server(s): Specifies the associated Network Time Protocol servers.
NetBIOS name server(s): Used for Windows (SMB) type sharing and messaging. It resolves names when you are mapping a drive or connecting to a printer.


NetBIOS node type: The NetBIOS node type of a networked computer determines how it resolves NetBIOS names to IP addresses. There are four node types:
- B-node = x Broadcast
- P-node = x Peer (WINS only)
- M-node = x Mixed (broadcast, then WINS)
- H-node = x Hybrid (WINS, then broadcast)
DHCP failover: Enables DHCP failover. To set it up, click the Failover Settings link.

DHCP/BOOTP Relay

Destination DHCP/BOOTP Server: IP address of the DHCP server assigning the IP addresses. This setting applies to the local interface only.
Enable Option : When selected, inserts relay agent information into the client's DHCP packet to identify the client's point of attachment. This setting applies to all LAN-side interfaces on this appliance. IMPORTANT: Changing this setting modifies the Option settings on all LAN-side interfaces that are enabled as DHCP Relay.
Option Policy: Tells the relay what to do with the option value it receives. The choices are append, replace, forward, and discard. This setting applies to all LAN-side interfaces on this appliance. IMPORTANT: Changing this setting modifies the Option settings on all LAN-side interfaces that are enabled as DHCP Relay.
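As an added example that is not ECOS or Orchestrator code, the following Python function shows what the four policy choices above do to the relay agent information option as a client's DHCP packet passes through the relay. The option number is elided in the extracted text; RFC 3046 defines this option as 82, with circuit-id (1) and remote-id (2) sub-options. The behaviours follow ISC dhcrelay's -m modes (append, replace, forward, discard), which is an assumption about how EdgeConnect's identically named choices behave; the DHCPDISCOVER packet, the relay address 10.1.1.1 and the circuit and remote IDs are constructed for the example.

```python
# Added example, not ECOS code: relay agent information option handling for a client-to-server
# DHCP packet under the append / replace / forward / discard policies (modelled on ISC dhcrelay -m).
RELAY_AGENT_INFO = 82               # RFC 3046 option code (elided in the extracted guide text)
CIRCUIT_ID, REMOTE_ID = 1, 2        # RFC 3046 sub-option codes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_LEN = 236                    # fixed BOOTP header; the cookie and options follow it


def parse_options(opts: bytes) -> list:
    """Decode the options field into ordered (code, value) pairs; PAD (0) is skipped, END (255) stops."""
    items, pos = [], 0
    while pos < len(opts) and opts[pos] != 255:
        if opts[pos] == 0:
            pos += 1
            continue
        code, length = opts[pos], opts[pos + 1]
        items.append((code, opts[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return items


def build_options(items: list) -> bytes:
    return b"".join(bytes([code, len(value)]) + value for code, value in items) + b"\xff"


def agent_info(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Relay agent information value: the two sub-options in TLV form."""
    return (bytes([CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([REMOTE_ID, len(remote_id)]) + remote_id)


def relay(packet: bytes, policy: str, relay_ip: bytes, circuit_id: bytes, remote_id: bytes):
    """Apply the option policy to a client-to-server packet. Returns the packet to forward to the
    destination DHCP server, or None when the policy says to discard it."""
    if len(relay_ip) != 4:
        raise ValueError("relay_ip must be 4 bytes")
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if trailer[:4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    items = parse_options(trailer[4:])
    ours = agent_info(circuit_id, remote_id)
    if not any(code == RELAY_AGENT_INFO for code, _ in items):
        items = items + [(RELAY_AGENT_INFO, ours)]        # no option yet: always add ours
    elif policy == "forward":
        pass                                             # keep the client-supplied option as is
    elif policy == "discard":
        return None                                      # drop packets that already carry one
    elif policy == "replace":
        items = [(c, ours if c == RELAY_AGENT_INFO else v) for c, v in items]
    elif policy == "append":
        items = [(c, v + ours if c == RELAY_AGENT_INFO else v) for c, v in items]
    else:
        raise ValueError(f"unknown policy {policy!r}")
    # a relay also bumps the hop count and sets giaddr so the server replies through this relay
    header = header[:3] + bytes([header[3] + 1]) + header[4:24] + relay_ip + header[28:]
    return header + MAGIC_COOKIE + build_options(items)


def sample_discover(existing_agent_info: bytes = None) -> bytes:
    """Constructed DHCPDISCOVER from a LAN client (not a capture)."""
    header = (b"\x01\x01\x06\x00"                  # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
              + b"\x12\x34\x56\x78"                # xid
              + b"\x00" * 4                        # secs, flags
              + b"\x00" * 16                       # ciaddr, yiaddr, siaddr, giaddr
              + b"\x00\x11\x22\x33\x44\x55" + b"\x00" * 10   # chaddr (16 bytes)
              + b"\x00" * 192)                     # sname (64) + file (128)
    items = [(53, b"\x01")]                        # message type: DISCOVER
    if existing_agent_info is not None:
        items.append((RELAY_AGENT_INFO, existing_agent_info))
    return header + MAGIC_COOKIE + build_options(items)


def option(packet: bytes, code: int):
    """Value of the option with this code in a packet, or None."""
    return dict(parse_options(packet[HEADER_LEN + 4:])).get(code)
```

The policy matters because a client on the LAN side can forge this option: forward trusts whatever arrives, while replace and discard ensure the server only ever sees the relay's own attachment information, which is what you want when the DHCP server uses the option for address selection or logging.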

WAN-side Configuration

Firewall Zone: Zone-based firewall policies are configured globally on Orchestrator. A zone is applied to an interface. By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. You can create exception rules (Security Policies) to allow traffic between interfaces with different zones.
Firewall Mode: Four options are available at each WAN interface:
· Allow All permits unrestricted communication.
WARNING: Use this option with extreme caution and only if the interface is behind a WAN edge firewall.


· Stateful only allows communication from the LAN side to the WAN side. Use this option if the interface is behind a WAN edge router.
· Stateful with SNAT applies Source NAT to outgoing traffic. Use this option if the interface is connected directly to the Internet and you want to enable local internet breakout.
· Harden
- For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets that terminate on an EdgeConnect appliance.
- For traffic outbound to the WAN, the appliance only allows IPSec tunnel packets and management traffic that terminate on an EdgeConnect appliance.
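As an added example that is not ECOS or Orchestrator code, the following Python model runs constructed packets through each of the four firewall modes above and through the zone rule from the Firewall Zone paragraph, so the difference between them is visible as pass/drop decisions. Assumptions not stated on this page: an IPSec tunnel packet is ESP or UDP port 500/4500 (IKE and IPSec over UDP) addressed to the WAN interface; management traffic originated by the appliance is modelled as TCP/443 from the interface address; the stateful modes also accept the appliance's own inbound tunnel packets; a Security Policy is modelled as an allowed zone pair; the addresses 203.0.113.10, 198.51.100.x and 10.1.1.5 are constructed.

```python
from dataclasses import dataclass, replace

# Added example, not ECOS or Orchestrator code: a model of the four WAN-interface firewall modes
# and the zone rule described above, exercised with constructed packets. Which packets count as
# tunnel and management traffic is an assumption (see IPSEC_UDP_PORTS and MGMT_PORT).

IPSEC_UDP_PORTS = {500, 4500}       # IKE and IPSec over UDP: assumed definition of "tunnel packet"
MGMT_PORT = 443                     # assumed: appliance-originated management session


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" = arriving from the WAN, "out" = leaving toward the WAN
    proto: str                      # "tcp", "udp" or "esp"
    src: str
    sport: int
    dst: str
    dport: int


class WanFirewall:
    MODES = ("allow_all", "stateful", "stateful_snat", "harden")

    def __init__(self, mode: str, wan_ip: str):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.mode, self.wan_ip = mode, wan_ip
        self.sessions = {}          # outbound 5-tuple (post-SNAT) -> original LAN source address

    def is_tunnel(self, p: Packet) -> bool:
        """IPSec tunnel packet terminating on (or sent from) this interface."""
        local = p.dst == self.wan_ip if p.direction == "in" else p.src == self.wan_ip
        ipsec = p.proto == "esp" or (p.proto == "udp" and p.sport in IPSEC_UDP_PORTS
                                     and p.dport in IPSEC_UDP_PORTS)
        return local and ipsec

    def filter(self, p: Packet):
        """Return the packet to forward (rewritten when NAT applies) or None when it is dropped."""
        if self.mode == "allow_all":
            return p
        if self.mode == "harden":
            if self.is_tunnel(p):
                return p
            if p.direction == "out" and p.proto == "tcp" and p.src == self.wan_ip and p.dport == MGMT_PORT:
                return p            # management session originated by the appliance itself
            return None
        # stateful and stateful_snat: only the LAN side can open a session
        if p.direction == "out":
            original_src = p.src
            if self.mode == "stateful_snat":
                p = replace(p, src=self.wan_ip)
            self.sessions[(p.proto, p.src, p.sport, p.dst, p.dport)] = original_src
            return p
        if self.is_tunnel(p):
            return p
        key = (p.proto, p.dst, p.dport, p.src, p.sport)    # the reply, keyed as the LAN side sent it
        if key in self.sessions:
            return replace(p, dst=self.sessions[key])       # undo SNAT for the return traffic
        return None                 # unsolicited inbound connection: dropped


def zone_permits(src_zone: str, dst_zone: str, security_policies: set) -> bool:
    """Firewall Zone rule: same zone passes; different zones need a Security Policy, modelled here
    as an allowed (src_zone, dst_zone) pair."""
    return src_zone == dst_zone or (src_zone, dst_zone) in security_policies


def scenario(mode: str) -> dict:
    """Run the same constructed packets through one mode; True means the packet is forwarded."""
    fw = WanFirewall(mode, "203.0.113.10")
    out = fw.filter(Packet("out", "tcp", "10.1.1.5", 40000, "198.51.100.7", 443))
    reply_to = out.src if out else "10.1.1.5"           # the server replies to the source it saw
    results = {
        "lan_to_internet": out,
        "reply": fw.filter(Packet("in", "tcp", "198.51.100.7", 443, reply_to, 40000)),
        "unsolicited_ssh": fw.filter(Packet("in", "tcp", "198.51.100.9", 5555, "203.0.113.10", 22)),
        "peer_tunnel": fw.filter(Packet("in", "udp", "198.51.100.7", 4500, "203.0.113.10", 4500)),
    }
    return {name: packet is not None for name, packet in results.items()}
```

Calling scenario for each mode shows why the WARNING above exists: Allow All forwards the unsolicited inbound SSH attempt to the interface, the two stateful modes forward only replies to sessions opened from the LAN side plus tunnel packets, and Harden forwards tunnel packets alone while still letting the appliance's own management session out.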
NAT Settings: To change the NAT setting, click the NAT-related link under the Next Hop field on the WAN side. The NAT Settings dialog box opens. Select one of the following options:
· If the appliance is behind a NAT-ed interface, select NAT.
· If the appliance is not behind a NAT-ed interface, select Not behind a NAT.
· To assign a destination IP address for tunnels being built from the network to this WAN interface, select the last option and enter the IP address.
Shaping: You can limit bandwidth selectively on each WAN interface.
· Total Outbound bandwidth is licensed by model. It is the same as max system bandwidth.
· To enter values for shaping inbound traffic (recommended), you first must select Shape Inbound Traffic.
EdgeConnect Licensing: Only visible on EdgeConnect appliances.
· You can change the bandwidth allotted for this appliance by selecting the appropriate option from the EC drop-down list. Your options are based on the licensing you have purchased.
· If you have purchased a pool of Boost for your network, you can allocate a portion of it on the Deployment dialog box. You can also direct allocations to specific types of traffic in the Business Intent Overlays.
· To view the licensing and distribution of EdgeConnect and Boost bandwidth for your appliances, navigate to the Configuration > Overlays & Security > Licensing > Licenses tab.
BONDING
· EdgeConnect supports etherchannel bonding of multiple physical interfaces of the same media type into a single virtual interface. For example, wan plus wan bond to form bwan . This increases throughput on a very high-end appliance and/or provides interface-level redundancy.
· For bonding on a virtual appliance, you would need to configure the host instead of the appliance. For example, on a VMware ESXi host, you would configure NIC teaming to get the equivalent of etherchannel bonding.
· Whether you use a physical or a virtual appliance, etherchannel must also be configured on the directly connected switch/router. Refer to Aruba SD-WAN user documentation.


Interfaces Tab
Configuration > Networking > Interfaces

The Interfaces tab lists the interfaces for appliances selected in the appliance tree.

The All button displays all hardware and dynamic interfaces for the selected appliances. Descriptions of the fields on this tab follow:

Appliance Name: Name of the appliance for the interface.
Name: Name of the interface.
Status: Status of the interface (up or down).
IP Address/Mask: IP address for the interface.
Public IP: Public IP address for the interface.
Segment: Name of the configured segment being used.
DHCP: Indicates whether this interface's IP address is obtained from the DHCP server. Displays as Yes, No, No data (not configured), or Invalid data (error condition).
Speed: Current interface speed state and setting.
Duplex: Current interface duplex state and setting.
MTU: Maximum transmission unit, the largest packet size (in bytes) the interface transmits.
MAC Address: MAC address applied to the interface.
SNMP IfIndex: Index number of the network interface.

· Best practice is to assign static IP addresses to management interfaces to preserve their reachability.
· Duplex should never display as half duplex after auto-negotiation. If it does, performance issues and dropped connections will occur on the appliance. To resolve, check the cabling on the appliance and the ports on the adjacent switch or router.
· To directly change interface parameters for a particular appliance, click the corresponding edit icon, which opens the Interfaces dialog box for the appliance.


· To change the IP address for a lan or wan interface, either use the Appliance Manager Configuration > System & Networking > Deployment page or the CLI (Command Line Interface).
· To change the IP address for mgmt , either use the Appliance Manager Administration > Basic Settings > Hostname/IP page or the CLI.
Interface Types

blan: Bonded LAN interfaces (as in lan + lan ).
bvi: Bridge Virtual Interface. When the appliance is deployed in-line (Bridge mode), it is the routed interface that represents the bridging of wan and lan .
bwan: Bonded WAN interfaces (as in wan + wan ).
tlan: -Gbps fiber LAN interface.
twan: -Gbps fiber WAN interface.

Interfaces Edit Row
Use this dialog box to change interface configurations for the appliance.

The All Interfaces button displays all interfaces for the appliance, including both assigned and unassigned hardware interfaces. MAC addresses indicate assigned interfaces. Descriptions of the fields on this dialog box follow:

Hardware

Name: Name of the interface.
Admin: Admin status of the interface (up or down). Click this field to change the value.
Status: Status of the interface (up or down).
IP Address/Mask: IP address for the interface. If the address is blue, you can click it to open the Deployment dialog box, from which you can change IP addresses/masks.
Public IP: Public IP address for the interface.
Segment: Name of the configured segment being used.
Speed (Mbps) / Duplex: Current interface speed and duplex settings. auto means auto-negotiation, which is the process by which terminating devices automatically negotiate for maximum bandwidth.
State: Current interface speed and duplex states.
MTU: Maximum number of packets being transmitted. Click this field to change the value.
MAC: MAC address applied to the interface. To unassign the MAC address, click the field and select Unassigned.
SNMP IfIndex: Index number of the network interface.

Dynamic

Name: Name of the interface.
Status: Status of the interface (up or down).
IP Address/Mask: IP address for the interface. If the address is blue, you can click it to open the Deployment dialog box, from which you can change IP addresses/masks.
Segment: Name of the configured segment being used.
MTU: Maximum number of packets being transmitted.
SNMP IfIndex: Index number of the network interface.

· As a best practice, assign static IP addresses to management interfaces to preserve their reachability.
· Speed (Mbps) / Duplex should never display as half duplex after auto-negotiation. If it does, performance issues and dropped connections will occur on the appliance. To resolve, check the cabling on the appliance and the ports on the adjacent switch or router.
· To change the IP address for a lan or wan interface, either use the Appliance Manager Configuration > System & Networking > Deployment page or the CLI (Command Line Interface).
· To change the IP address for mgmt, either use the Appliance Manager Administration > Basic Settings > Hostname/IP page or the CLI.


NAT
Configuration > Networking > NAT
NAT allows multiple sites with overlapping IP addresses to connect to a single SD-WAN fabric. You can configure S-NAT (Source Network Address Translation), D-NAT (Destination Network Address Translation), and destination TCP and UDP port translation rules for LAN to SD-WAN fabric traffic in the ingress and egress directions. The following address translation options are supported:
· : source and destination IP address translation
· : subnet to subnet source and destination IP address translation
· Many to one IP source address translation
· NAT pools for translated source IP addresses
You can view both NAT Rules and NAT Pools within your network by selecting NAT Rule or NAT Pools at the top of the page. You can also export a CSV file of your branch NAT traffic. Select the Edit icon to add rules to your NAT and NAT Pools.

NAT Rules and Pools
Configuration > Networking > NAT
You can add NAT rules by completing all the values in the table shown below. Each NAT rule has a directional field or value. Outbound rules are applied to the traffic flows initiated from the LAN, destined to the SD-WAN fabric. Inbound rules are applied to the traffic flows initiated from the SD-WAN fabric destined to the LAN. Return traffic for a given flow does not require an additional rule. The destination IP address must be configured for each rule.
NOTE: You must disable advertisements of local, static routes on the LAN side at the site so the routes are completely unique. Additionally, you must configure static routes for NAT pools and advertise them to the SD-WAN fabric by enabling Advertise to Silver Peak Peers.
Complete the following steps to add a rule to your NAT:
. Select Add Rule.
. Complete the following values in the table by selecting any of the columns.

Priority: Order in which the rules are executed; the lower the priority, the higher the chance your NAT rule will be applied.
LAN Interface: Name of the LAN interface the NAT rule is using. This is configurable for an outbound NAT rule only.
Segment: Name of the segment being used.
Direction: Select the direction the traffic is going: Outbound (LAN to Fabric) or Inbound (Fabric to LAN).
Protocol: Type of protocol being used for each NAT.
Source: Original source IP address of the IP packet.


Destination: Address of the LAN/WAN interface where the traffic is going to.
Translated Source: Translated source IP address when the NAT rule is applied.
Translated Destination: Translated destination IP address when the NAT rule is applied.
Enabled: Select this check box to enable your customized NAT rule. Direction can be either inbound or outbound.
Comment: Any comment you want to add pertaining to your NAT rule.
Criteria: Match: LAN interface, direction, source, destination. Set: Translated source, translated destination.
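How the Match and Set columns combine with Priority, and why return traffic needs no second rule, as an added example (a Python model written for this page, not Orchestrator or appliance code; the interface name lan0, the 10.x/172.16.x/192.168.x addresses and the exact matching semantics are assumptions):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    """One row of the NAT rule table. Column names follow the table; match semantics are assumed."""
    priority: int                          # lower number is evaluated first
    direction: str                         # "outbound" (LAN to fabric) or "inbound" (fabric to LAN)
    source: str                            # original source prefix
    destination: str                       # original destination prefix (always configured)
    translated_source: Optional[str] = None
    translated_destination: Optional[str] = None
    lan_interface: Optional[str] = None    # configurable for outbound rules only
    protocol: str = "any"
    enabled: bool = True


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    protocol: str = "tcp"
    lan_interface: Optional[str] = None


def _rewrite(addr: str, original: str, translated: str) -> str:
    """Subnet-to-subnet rewrite keeps the host bits; a single-address target collapses to many-to-one."""
    orig_net = ip_network(original, strict=False)
    new_net = ip_network(translated, strict=False)
    if new_net.num_addresses == 1:
        return str(new_net.network_address)
    offset = int(ip_address(addr)) - int(orig_net.network_address)
    return str(new_net.network_address + offset)


def _matches(rule: NatRule, pkt: Packet) -> bool:
    """Match criteria from the table: LAN interface, direction, source, destination (plus protocol)."""
    if not rule.enabled or rule.direction != pkt.direction:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.direction == "outbound" and rule.lan_interface and rule.lan_interface != pkt.lan_interface:
        return False
    return (ip_address(pkt.src) in ip_network(rule.source, strict=False)
            and ip_address(pkt.dst) in ip_network(rule.destination, strict=False))


class NatTable:
    """Evaluates rules in priority order and records each flow so return traffic needs no rule."""

    def __init__(self, rules: List[NatRule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.priority)
        # (translated src, translated dst) -> (original src, original dst)
        self.sessions: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def translate(self, pkt: Packet) -> Tuple[str, str, Optional[int]]:
        """Returns (src, dst, priority of the rule applied, or None when no rule was needed)."""
        reply_of = self.sessions.get((pkt.dst, pkt.src))
        if reply_of is not None:
            orig_src, orig_dst = reply_of        # reply to a translated flow: undo the translation
            return orig_dst, orig_src, None
        for rule in self.rules:
            if _matches(rule, pkt):
                new_src = (_rewrite(pkt.src, rule.source, rule.translated_source)
                           if rule.translated_source else pkt.src)
                new_dst = (_rewrite(pkt.dst, rule.destination, rule.translated_destination)
                           if rule.translated_destination else pkt.dst)
                self.sessions[(new_src, new_dst)] = (pkt.src, pkt.dst)
                return new_src, new_dst, rule.priority
        return pkt.src, pkt.dst, None            # no rule matched: forward unchanged


def demo() -> Dict[str, Tuple[str, str, Optional[int]]]:
    """Constructed scenario (assumed addresses): a branch whose 10.1.0.0/24 LAN overlaps another site's."""
    rules = [
        # Subnet-to-subnet source translation into a unique pool, evaluated first.
        NatRule(priority=10, direction="outbound", source="10.1.0.0/24", destination="0.0.0.0/0",
                translated_source="172.16.1.0/24", lan_interface="lan0"),
        # Lower-precedence many-to-one catch-all for anything else leaving lan0.
        NatRule(priority=20, direction="outbound", source="0.0.0.0/0", destination="0.0.0.0/0",
                translated_source="172.16.9.1/32", lan_interface="lan0"),
    ]
    nat = NatTable(rules)
    return {
        "out": nat.translate(Packet("outbound", "10.1.0.25", "192.168.100.5", lan_interface="lan0")),
        "back": nat.translate(Packet("inbound", "192.168.100.5", "172.16.1.25")),  # reply: no inbound rule
        "other": nat.translate(Packet("outbound", "10.7.0.9", "192.168.100.5", lan_interface="lan0")),
    }
```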

NAT Pools
You also have the option to configure a NAT pool. Complete the following steps to create a NAT pool:
. Select the Edit icon on the NAT tab. The NAT window opens.
. Select the NAT Pools icon. The NAT Pools window opens.
. Select Add.
. Select the columns in the table, starting with Name, to enter information about your Pool.

Name: Name of your pool.
Direction: Whether the traffic is outbound or inbound.
Subnet: IP address of the subnet.
Translate Ports: Enable source port address translation if the NAT pool is too small to accommodate multiple flows simultaneously with : IP address translation.

VRRP Tab
Configuration > Networking > VRRP
This tab summarizes the configuration and state for appliances deployed with Virtual Router Redundancy Protocol (VRRP).
In an out-of-path deployment, one method for redirecting traffic to the EdgeConnect appliance is to configure VRRP on a common virtual interface. Possible scenarios are:
· When no spare router port is available, a single appliance uses VRRP to peer with a router (or Layer switch). This is appropriate for an out-of-path deployment in which no redundancy is needed.
· A pair of active, redundant appliances use VRRP to share a common, virtual IP address at their site. This deployment assigns one appliance a higher priority than the other, thereby making it the Master appliance, and the other the Backup.


VRRP Edit Row
Click Add to begin completing the fields in the following table.
Admin: Options are up (enable) and down (disable).
Advertisement Timer: Default is second.
Group ID: Value assigned to the two peers. Depending on the deployment, the group can consist of an appliance and a router (or L switch), or two appliances. The valid range is to .
Interface: Interface that VRRP is using for peering.
Segment: Name of the segment, if enabled.
IP Address Owner: An EdgeConnect appliance cannot use one of its own IP addresses as the VRRP IP, so this will always be No.
Master IP: Current VRRP Master's interface or local IP address.
Master State Transitions: Number of times the VRRP instance went from Master to Backup and vice versa. A high number of transitions indicates a problematic VRRP configuration or environment. In this case, check the configuration of all local appliances and routers, and then review the log files.
Preemption: Leave this selected/enabled so that after a failure, the appliance with the highest priority comes back online and again assumes primary responsibility.
Priority: The greater the number, the higher the priority. The appliance with the higher priority is the VRRP Master.
State Uptime: Time elapsed since the VRRP instance entered the state it is in.
State: The VRRP instance has three options:
Backup - Instance is in VRRP backup state.
Init - Instance is initializing, it is disabled, or the interface is down.
Master - Instance is the current VRRP master.
Virtual IP: IP address of the VRRP instance. VRRP instances can run between two or more appliances, or an appliance and a router.
Virtual MAC address: MAC address that the VRRP instance is using. On an NX Appliance, this is in - - E- - -{VRID} format. On virtual appliances, the VRRP instance uses the interface's assigned MAC address (for example, the MAC address that the hypervisor assigned to wan).
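How Priority, Preemption and Master State Transitions interact when the Master fails and later returns, as an added example (a simplified Python model written for this page, not appliance code; the peer names, priorities, virtual IP and the election rules are constructed assumptions):

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VrrpPeer:
    """One VRRP instance with the fields from the table (Priority, Preemption, State, State Transitions)."""
    name: str
    priority: int               # higher value wins the election
    preemption: bool = True     # when enabled, a returning higher-priority peer takes Master back
    admin_up: bool = True       # Admin field: up or down
    link_up: bool = True        # peering interface state; Init while it is down
    state: str = "Init"
    transitions: int = 0        # Master State Transitions: counts Master<->Backup changes only

    def enter(self, new_state: str) -> None:
        if {self.state, new_state} == {"Master", "Backup"}:
            self.transitions += 1
        self.state = new_state


class VrrpGroup:
    """Peers sharing one virtual IP. The election below is an assumed, simplified model."""

    def __init__(self, group_id: int, virtual_ip: str, peers: List[VrrpPeer]) -> None:
        self.group_id = group_id
        self.virtual_ip = virtual_ip
        self.peers = peers
        self.master: Optional[VrrpPeer] = None

    def elect(self) -> Optional[str]:
        """Re-runs the election after a change; returns the Master's name (None if nobody is eligible)."""
        eligible = [p for p in self.peers if p.admin_up and p.link_up]
        for p in self.peers:
            if p not in eligible:
                p.enter("Init")             # disabled or interface down
        if not eligible:
            self.master = None
            return None
        best = max(eligible, key=lambda p: p.priority)
        current = self.master if self.master in eligible else None
        if current is None:
            new_master = best               # first election, or the Master just failed
        elif best.priority > current.priority and best.preemption:
            new_master = best               # higher-priority peer returned and preempts
        else:
            new_master = current            # preemption off: keep the current Master
        for p in eligible:
            p.enter("Master" if p is new_master else "Backup")
        self.master = new_master
        return new_master.name


def failover_scenario(preemption_on_a: bool) -> List[Tuple[Optional[str], str, str, int, int]]:
    """Constructed walk-through: A (priority 200) loses its link and returns beside B (priority 100).
    Each entry is (master, A.state, B.state, A.transitions, B.transitions)."""
    a = VrrpPeer("A", priority=200, preemption=preemption_on_a)
    b = VrrpPeer("B", priority=100)
    group = VrrpGroup(group_id=1, virtual_ip="10.0.0.254", peers=[a, b])   # assumed values

    def snapshot() -> Tuple[Optional[str], str, str, int, int]:
        return group.elect(), a.state, b.state, a.transitions, b.transitions

    steps = [snapshot()]             # initial election: A is Master
    a.link_up = False
    steps.append(snapshot())         # A's interface goes down: B becomes Master
    a.link_up = True
    steps.append(snapshot())         # A comes back: the outcome depends on Preemption
    return steps
```

With Preemption enabled, B's transition counter climbs on every failure and recovery; with it disabled, A stays in Backup until B itself fails.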

WCCP Tab
Configuration > Networking > WCCP Use this page to view, edit, and delete WCCP Service Groups.


Web Cache Communications Protocol (WCCP) supports the redirection of any TCP or UDP connections to appliances participating in WCCP Service Groups. The appliance intercepts only those packets that have been redirected to it. The appliance optimizes traffic flows that the Route Policy tunnelizes. The appliance forwards all other traffic as pass-through or pass-through-unshaped, as per the Route Policy.
Refer to the Network Deployment Guide and the SD-WAN Deployment Guide for examples, best practices, and deployment tips.

WCCP Edit Row
Use this page to view, edit, and delete WCCP Service Groups. For the Service Groups to be active, you must select Enable WCCP. Additionally, the appliance should always be connected to an interface/VLAN that does not have redirection enabled--preferably a separate interface/VLAN would be provided for the appliance. If the appliance uses auto-optimization, WCCP redirection must also be applied on the uplinks of the router or L switch to the core/WAN.
WCCP Settings

Admin: Values are up and down. The default is up.
Advanced Settings: You can only configure these options directly on the appliance. For more information and best practices, refer to the Network Deployment Guide.
Appliance Name: Name of the appliance.
Compatibility Mode: Select the appropriate option for your router. If a WCCP group is peering with a router running Nexus OS, the appliance must adjust its WCCP protocol packets to be compatible. By default, the appliance is IOS-compatible.


Forwarding Method: Also known as the Redirect Method. Packet redirection is the process of forwarding packets from the router or L switch to the appliance. The router or L switch intercepts the packet and forwards it to the appliance for optimization. The two methods of redirecting packets are Generic Route Encapsulation (GRE) and L redirection.
either allows the appliance and the router to negotiate the best option. You should always select either. During protocol negotiation, if the router offers both GRE and L as redirection methods, the appliance will automatically select L .
GRE (Layer Generic Routing Encapsulation) allows packets to reach the appliance even if there are other routers in the path between the forwarding router and the appliance. At high traffic loads, this option might cause high CPU utilization on some Cisco platforms.
L (Layer- ) redirection takes advantage of internal switching hardware that either partially or fully implements the WCCP traffic interception and redirection functions at Layer . Layer- redirection requires that the appliance and router be on the same subnet. It is also recommended that the appliance be given a separate subnet to avoid pass-through traffic from being redirected back to the appliance and causing a redirection/Layer- loop.
Group ID: Refers to the Service Group ID.
Interface: Default value is wan .
Oper Status: Common states:
INIT - Initializing or down.
ACTIVE - This indicates that the protocol is established and the router has assigned hash/mask buckets to this appliance.
BACKUP - This indicates that the protocol is established, but the router has not assigned any hash/mask buckets to this appliance. This might be caused by using a Weight of .
Designated - This state (in addition to Active/Backup) indicates that the appliance is the designated web-cache for the group. The designator communicates with the router(s) to assign hash/mask assignments. When there is more than one appliance in a group, the appliance with the lowest IP becomes the designator for that group.
Protocol: Although many more protocols are supported, generally TCP and UDP are the focus. For troubleshooting, you might consider adding a group for ICMP as well.


Router IP: IP address of the WCCP router. For Layer redirection, use the physical IP address of the interface that is directly connected to the appliance. For Layer redirection, consider using a loopback IP. It is not recommended to use VRRP or HSRP IPs as router IPs.

Service Group Advanced Settings

Assignment Detail: This field can be used to customize hash or mask values. If you have only one appliance, or if you are using route-map or subnet sharing to tunnelize, use the default LAN-ingress setting.
WAN-ingress and LAN-ingress are not applicable if there is only one active appliance.
WAN-ingress and LAN-ingress are also not applicable if you are using route-map or subnet sharing to tunnelize.
If there is more than one active appliance and you are using TCP-IP auto-optimization:
Use LAN-ingress for WCCP groups that are used to redirect outbound traffic.
Use WAN-ingress for WCCP groups that are used to redirect inbound traffic.
This ensures that a connection will go through the same appliance in both inbound and outbound directions and avoids asymmetry.
custom provides granular control of the distribution of flows. Contact Support for assistance.
Assignment Method: Determines how redirected packets are distributed between the devices in a Service Group, effectively providing load balancing among the devices. The options are:
either, which enables the appliance and router to negotiate the best method for assignment. This is preferred. If the router offers both hash and mask methods, the appliance will select the mask assignment method.
hash, for hash table assignment.
mask, for mask/value sets assignment.


Force L Return: Generally is not selected. Normally, all Layer- redirected traffic that is not optimized (that is, it is pass-through) is returned back to the WCCP router as GRE (L return). Processing returned GRE traffic can create additional CPU overhead on the WCCP router. Force L Return can be used to override the default behavior and route pass-through traffic back to the appliance's next hop router, which might or might not be the WCCP router. Use caution, as this could create a Layer loop if L returned traffic gets redirected back to the appliance by the WCCP router.
Password: This field is optional.
Priority: The lowest priority is , and the default value is . Only change this setting from the default if an interface has multiple WCCP service groups defined for the same protocol (for example, TCP) and you wish to specify which service group to use.
Weight: The default value is . You can use this to influence WCCP hash/mask assignments for individual appliances when more than one appliance is in a cluster. For an Active/Backup appliance configuration, use a Weight of on the backup appliance.

The Hash and Mask areas are accessible only when you select custom in the Assignment Detail field.

PPPoE Tab
Configuration > Networking > PPPoE Point-to-Point Protocol over Ethernet (PPPoE) is a network protocol for encapsulating PPP frames inside Ethernet frames. It is used mainly with DSL services where individual users connect to a DSL modem over Ethernet.


When configuring a PPPoE connection, complete the following fields:

Ethernet Device: Specifies the physical interface to use for sending the protocol. Generally, this is a WAN-side interface.
Password: This is set up with your Internet Service Provider (ISP).
PPPoE Name: Name is ppp followed by a numerical suffix from to .
User Name: This is set up with your Internet Service Provider (ISP).

Generally, this is all the configuration required. If your ISP is fine-tuning the access, you might be asked to configure some of the Optional Fields, below.


ACNAME: Access Concentrator Name. Provided by the ISP.
Connect Poll: Specifies how many times to try to establish the link. The default value is .
Connect Timeout: When trying to establish the link, this specifies how many seconds until the effort times out. The default value is seconds.
Default Route: If the check box is selected, the connection uses the default gateway provided by the ISP.
DNS Type: This specifies the resolver to use:
NOCHANGE - Do not accept or configure the ISP's Domain Name Server (DNS). Use the DNS configured on the Administration > General Settings > Setup > DNS tab.
SERVER - Accept the ISP's DNS. This then overrides the Silver Peak DNS configuration.
SPECIFY - Use DNS and DNS to resolve domain names.
LCP Failure: Link Control Protocol Failure. Specifies the number of times the keep-alive can fail before the link goes down. The default value is .
LCP Interval: The default value for this keep-alive interval is seconds.
Service Name: Provided by the ISP.


Loopback Interfaces
Configuration > Networking > Loopback Interfaces
The loopback feature enhances reliability and security by enabling you to access your network using a single static IP address. If one interface goes down, you can access all interfaces through the single static IP address. To add a loopback interface to your network:
. Navigate to Configuration > Networking > Loopback Interfaces. The Loopback tab opens.
. Click the edit icon next to the appliance to which you want to add a loopback interface. The Loopback Interfaces dialog box opens.
. Click Add. The Add Interface dialog box opens.
. Configure the following elements as needed:

Segment: Name of the segment, if enabled.
Interface: Name of the loopback interface.
IP/Mask: IP address for the loopback interface.
Admin: Select whether the admin status is up or down.
Label: Label of the loopback interface.
Zone: Zone you want to apply to your loopback interface.

. Click Add.

Loopback Orchestration
Configuration > Networking > Loopback Orchestration
You can create a pool of loopback addresses for Orchestrator to automatically create one or more loopback interfaces. You can also assign IP addresses from the pool to each appliance in the network. Complete the following steps to create the range for your loopback interfaces.
. Select +Add Loopback Interface. The Loopback Interface window opens.
. Specify the Label from the drop-down menu. This is optional. If no label is selected, "None" is assigned. Additionally, Label only displays the LAN side interface labels configured on the Interface Labels tab.
. Specify the firewall zone if you want the loopback interface to be part of a specific firewall zone.
. Select the management check box if you want the interface to be used by management applications running on the appliance.
NOTE: You can only select one loopback interface as management if you configure multiple loopbacks.


. Click Add. The following table represents the fields for loopback orchestration.

Segment: Associated segment that has loopback orchestration applied.
Label: Label of the LAN interface being used.
Zone: Firewall zone associated with the loopback interface.
Management: Loopback interface selected as the management interface.
IP Loopback Pool: Pool of loopback addresses representing each device.
Allocated / Total: Number of loopback IP addresses allocated from the pool out of the total number of IP addresses in the pool.
Deleted: Number of loopback interfaces deleted.
NOTE: You can only delete an interface from an appliance in the Appliance Manager.

Virtual Tunnel Interfaces (VTI)
Configuration > Networking > Virtual Tunnel Interfaces (VTI)
A Virtual Tunnel Interface (VTI) is a tunneling protocol that does not require a static mapping of IPSec sessions to a physical interface. The tunnel endpoint is associated with a tunnel interface that enables a constant secure and stable connection throughout your network. Click the Edit icon to get started configuring your VTIs.
VTI Dialog Box
Complete the following steps to configure a VTI with an associated tunnel in Orchestrator.
. Click Add. The Add VTI Interface dialog box opens.
. Complete the following fields with the appropriate information.

Segment: Name of the segment, if enabled.
Interface: ID of the VTI. NOTE: IDs through are reserved for Orchestrator.
IP/Mask: IP address and subnet mask of the VTI.
Admin: Select whether the interface is up or down.
Passthrough Tunnel: Name of the passthrough tunnel associated with the VTI.
Interface Type: Interface type (lan or wan).
Label: If you want to apply a label to the VTI, select one from the list of those available.
Zone: Select the firewall zone to which the VTI should apply from the drop-down list.

. Click Add.

DHCP Server Defaults
Configuration > Networking > DHCP Server Defaults
You can reduce your workload by using this tab to configure global defaults for Dynamic Host Configuration Protocol (DHCP).
· These defaults apply to the LAN interfaces in Deployment Profiles that specify Router mode.
· There are three choices:
- No DHCP.
- Each LAN interface acts as a DHCP Server.
- The EdgeConnect appliance acts as a DHCP/BOOTP Relay between a DHCP server at a data center and clients needing an IP address.
· On the Configuration > Overlays & Security > Deployment Profiles tab, the selected default displays consistently under each LAN-side IP/Mask field.
· For any LAN-side interface, you can override the global default by clicking the DHCP-related link under the IP/Mask field and changing the values or selection.
· Changes you save to the global default only apply to new configurations.
· To view or revise the list of reserved subnets, select Monitoring.

DHCP Server

DHCP Pool Subnet/Mask: Enter the DHCP pool subnet and mask IP addresses.
Subnet Mask: Mask that specifies the default number of IP addresses reserved for any subnet. For example, entering reserves IP addresses.
Exclude first N addresses: Specifies how many IP addresses are not available at the beginning of the subnet's range.
Exclude last N addresses: Specifies how many IP addresses are not available at the end of the subnet's range.
Default lease, Maximum lease: Specify, in hours, how long an interface can keep a DHCP-assigned IP address.
Default gateway: Indicates whether the default gateway is being used.
DNS server(s): Specifies the associated Domain Name System servers.
NTP server(s): Specifies the associated Network Time Protocol servers.
NetBIOS name server(s): Used for Windows (SMB) type sharing and messaging. It resolves the names when you are mapping a drive or connecting to a printer.
NetBIOS node type: NetBIOS node type of a networked computer relates to how it resolves NetBIOS names to IP addresses. There are four node types:
B-node - x Broadcast
P-node - x Peer (WINS only)
M-node - x Mixed (broadcast, then WINS)
H-node - x Hybrid (WINS, then broadcast)
DHCP failover: Enables DHCP failover. To set it up, click the Failover Settings link.
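Turning the DHCP Server defaults above into the range the server will actually lease, with the sanity checks a practitioner runs before the defaults reach Router-mode LAN interfaces, as an added example (Python written for this page, not Orchestrator code; the subnet, exclusion counts, lease hours and server addresses are constructed):

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class DhcpServerDefaults:
    """Global DHCP Server defaults from the table above; the values used below are constructed."""
    pool: str                          # DHCP Pool Subnet/Mask
    exclude_first: int = 0             # Exclude first N addresses
    exclude_last: int = 0              # Exclude last N addresses
    default_lease_hours: int = 24      # Default lease
    maximum_lease_hours: int = 48      # Maximum lease
    default_gateway: Optional[str] = None
    dns_servers: List[str] = field(default_factory=list)

    def network(self) -> IPv4Network:
        return ip_network(self.pool, strict=False)

    def leasable(self) -> List[IPv4Address]:
        """Addresses the server may hand out: the subnet's hosts minus the two exclusion windows."""
        hosts = list(self.network().hosts())      # network and broadcast addresses are never leased
        if self.exclude_first + self.exclude_last >= len(hosts):
            raise ValueError("exclusions leave no leasable addresses in the pool")
        return hosts[self.exclude_first:len(hosts) - self.exclude_last]

    def leasable_range(self) -> Tuple[str, str, int]:
        addrs = self.leasable()
        return str(addrs[0]), str(addrs[-1]), len(addrs)

    def lease_seconds(self, requested_hours: Optional[int] = None) -> int:
        """Default lease when the client asks for nothing; otherwise the request is capped at Maximum lease."""
        if requested_hours is None:
            hours = self.default_lease_hours
        else:
            hours = min(requested_hours, self.maximum_lease_hours)
        return hours * 3600

    def warnings(self) -> List[str]:
        """Misconfigurations that would hand infrastructure addresses to clients or make leases inconsistent."""
        problems: List[str] = []
        net = self.network()
        leasable = set(self.leasable())
        if self.default_gateway is not None:
            gw = ip_address(self.default_gateway)
            if gw not in net:
                problems.append(f"default gateway {gw} is outside pool subnet {net}")
            elif gw in leasable:
                problems.append(f"default gateway {gw} sits inside the leasable range; exclude it")
        for dns in self.dns_servers:
            if ip_address(dns) in leasable:
                problems.append(f"DNS server {dns} sits inside the leasable range; exclude it")
        if self.maximum_lease_hours < self.default_lease_hours:
            problems.append("maximum lease is shorter than default lease")
        return problems


def demo() -> Tuple[Tuple[str, str, int], List[str], List[str]]:
    """Constructed defaults: a /24 pool with the first 10 and last 5 host addresses held back."""
    good = DhcpServerDefaults(pool="192.168.10.0/24", exclude_first=10, exclude_last=5,
                              default_gateway="192.168.10.1", dns_servers=["192.168.10.2"])
    # Same pool with no exclusions and a default lease longer than the maximum.
    bad = DhcpServerDefaults(pool="192.168.10.0/24", default_gateway="192.168.10.1",
                             default_lease_hours=72, maximum_lease_hours=48)
    return good.leasable_range(), good.warnings(), bad.warnings()
```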

DHCP/BOOTP Relay

Destination DHCP/BOOTP Server: IP address of the DHCP server assigning the IP addresses.
Enable Option: When selected, inserts additional information into the packet header to identify the client's point of attachment. This setting applies to all LAN-side interfaces on this appliance.
IMPORTANT: Changing this setting will modify Option settings on all LAN-side interfaces that are enabled as DHCP Relay.


Option Policy: Tells the relay what to do with the hex string it receives. The choices are append, replace, forward, and discard. This setting applies to all LAN-side interfaces on this appliance.
IMPORTANT: Changing this setting will modify Option settings on all LAN-side interfaces that are enabled as DHCP Relay.

DHCP Leases
Configuration > Networking > DHCP Leases
This page lists the IP addresses that are currently being leased from the DHCP pool.

DHCP Failover
On the DHCP Failover dialog box, configure the following settings to apply to your DHCP failover servers.
NOTE: The DHCP Failover dialog box is accessed by clicking the Failover Settings link on the DHCP Server Defaults tab.
. Select the DHCP Failover check box to enable the DHCP Failover feature.
. Select whether you are configuring the failover settings for either the Primary or Secondary server.
. Configure the remaining settings in the table below.
DHCP Failover Fields

My IP: IP address of the LAN interface.
My Port: Port number of the LAN interface.
Peer IP: IP address of the DHCP peer.
Peer Port: Port number of the DHCP peer.
MLCT: Optional. If selected, the default is minutes. This field cannot be zero.
SPLIT: Optional. If selected, determines which peer (primary/secondary) should process the DHCP requests.
Max Response Delay: Optional. If selected, determines how many seconds the DHCP server can pass without receiving a message from its failover peer before it assumes the connection has failed.
Max Unacked Updates: Tells the remote DHCP server how many BNDUPD messages it can send before it receives a BNDACK from the local system.
Load Balance Max Seconds: Optional. Allows you to configure a cutoff after which load balancing is disabled. The cutoff is based on the number of seconds since the client sent its first DHCPDISCOVER or DHCPREQUEST message. It only works with clients that correctly implement the secs field.

DHCP Failover State

Configuration > Networking > DHCP Failover State
EdgeConnect appliances can act as a DHCP server for clients on the LAN side. DHCP failover allows redundancy by creating failover groups when two appliances are combined in an HA configuration. DHCP failover also provides stability if one EdgeConnect appliance dies, by allowing the other EdgeConnect in the HA pair to take over as the DHCP server. To do so, the primary and secondary servers must be completely synchronized so that each server can rely on the other if one fails.
This tab displays the DHCP failover peer states of each server for troubleshooting purposes.
DHCP Failover State Fields

Appliance Name: Name of the EdgeConnect appliance that is part of the DHCP failover configuration.
Failover Group Name: Failover group name that is the same for all the tagged and untagged interfaces corresponding to one physical interface.
My State: Failover endpoint state of the selected primary appliance. The states are: Normal, Communications-Interrupted, Partner-Down, Recover, Recover-wait, Recover-done.
My State Time: Date and time when the selected appliance's DHCP server entered the specified state in the table.
Partner State: Failover endpoint state of the partner appliance. The states are: Normal, Communications-Interrupted, Partner-Down, Recover, Recover-wait, Recover-done.


Partner State Time: Date and time when the partner appliance entered the specified state in the table.
MCLT: Maximum client lead time: the maximum amount of time that one server can extend a lease for a client's binding beyond the time known by the partner.

Link Aggregation
Configuration > Networking > Link Aggregation
This tab displays the link aggregation details for all appliances selected in the appliance tree to the left.

Link aggregation combines data from multiple interfaces into a channel group that provides a single high-speed link. Configuring link aggregation also adds failover redundancy to the interfaces in the group.

View Aggregation Details

To view link aggregation details for one or more appliances, select an appliance or group of appliances. The following information is displayed for each of the selected appliances:

Appliance Name: Name of the EdgeConnect appliance.
Channel Groups: If any channel groups have been configured on the selected appliance, the channel group names are listed here.
NOTE: You can create up to four channel groups per appliance; two each on the LAN side (blan , blan ) and WAN side (bwan , bwan ).
Interfaces: Physical or virtual interfaces that are included in the channel group. A channel group can contain two, three, or four interfaces.
NOTE: You cannot add an interface that has already been deployed on the appliance deployment page, and an interface can only be included in one channel group.


MTU: The MTU size configured for the channel group. The configured MTU will override any existing MTU settings when the channel group is deployed. The default MTU is .

Manage Link Aggregation
To add, change, or delete channel groups on an appliance, click the edit icon to the left of the appliance name.

Add Channel Group

To add a channel group, follow the steps below:

. Click Add above the table of channel groups. The Add link aggregation dialog box opens.
. Select a name for the channel group from the list of those available (blan , blan , bwan , bwan ).
. Select two, three, or four of the available interfaces to be grouped.
. Specify the MTU to be applied to all interfaces in the group. The default MTU is .
. Click Add.

Modify Channel Group

To modify an existing channel group, click the edit icon to the left of the group. You cannot modify an existing group name, but you can change the interfaces in the group and the MTU.

Delete Channel Group

To delete an existing channel group, click the delete icon (X) to the left of the group.

Regions

Configuration > Overlays & Security > Regions
Use this tab to add or remove regions from the SD-WAN fabric and configure regional routing. The regions within your SD-WAN fabric can represent geographical regions, administrative regions, or a set of sites in the network that have common business goals.

Regional Routing

When enabled, regional routing enables you to manage your SD-WAN fabric by regions. It involves intra-region and inter-region route distribution across the SD-WAN fabric. The regions within your network can represent geographical regions, administrative regions, or a set of sites in the network that have common business goals. You can provide a different Business Intent Overlay for each region by enabling regional routing and customizing BIOs per region. The following diagrams show examples of different regional network topologies you can build by enabling regional routing.


You can enable regional routing within your Orchestrator UI. Navigate to the Regional Routing window, click Enable Regional Routing in the header, and move the toggle.

View Status

Click View Status to view the status of the appliances that were added to or updated in regions.

Edit Regions

Complete the following steps to add a region or edit existing regions that you want to add to your overlays.
1. Click Edit Regions.
2. Click New Region.
3. Enter the name of your new region in the Region Configuration dialog box.
4. Click Save.
You can also edit an existing region.
1. Click the Edit icon next to the region you want to edit.
2. Enter the region name.
3. Click Save.
Navigate to the Business Intent Overlay tab to make further customizations to your regions and overlays.

Routing Segmentation

Configuration > Networking > Routing > Routing Segmentation (VRF)
Use this tab to enable and disable routing segmentation across your network and apply unique configuration to your segments. Routing segmentation allows for the configuration of VRF-style (Virtual Routing and Forwarding) Layer segmentation in your SD-WAN deployments. Note the following before configuring routing segmentation in Orchestrator:
· You must upgrade all EdgeConnect appliances and Orchestrator to version . .
· All EdgeConnects must be configured in Inline Router mode.
· If a new appliance has been added to your network, or if an existing appliance has been replaced, you need to upgrade the appliance software to the appropriate version running in the network.
· After upgrading, segmentation is disabled by default. You will have to enable it on this tab.
· Regardless of whether segmentation is enabled or disabled, a Default segment is automatically created when you upgrade to . .
· The system-generated Default segment cannot be deleted.
· After you enable routing segmentation, all existing configuration across your network is associated with the Default segment.
Add a New Segment
Before adding a segment, you must enable segmentation by moving the toggle at the top of the page. If Routing Segmentation is not enabled, you cannot make any modifications to the Default segment or add any new segments.
To add a new segment, click +Add Segment and enter a Segment Name. You can make further specifications by clicking the edit icon or by selecting the +Add icon in any of the columns in the table.

Segment Configuration

You can uniquely configure your segments by specifying the following on this page:

· Overlays & Breakout Policies
· Firewall Zone Policies
· Inter-Segment Routing & D-NAT
· Inter-Segment SNAT
· Loopback
NOTE: Inter-Segment Routing & DNAT and Inter-Segment Routing & SNAT are applicable only if you are using different segments.
The following sections provide more details.
Overlays & Breakout Policies for Segments
Use this window to configure overlays and breakout policies for your segments. This configuration determines the overlays used by each segment when traffic originating from that segment is sent over the SD-WAN fabric to other sites. This configuration is also used when traffic breaks out locally to the Internet and Cloud Services using the Preferred Policy Order on the Business Intent Overlay (BIO) tab. For traffic to match what is on the specified BIO tab, ensure the following two conditions are true:
· BIO must include the defined segment policy
· The BIO match criteria must match the new flow
The overlays are arranged by priority defined in the Match field in the Overlay Configuration window on the BIO page. You can specify if you want to include or skip the segment for each overlay by clicking Include or Skip icon in the table cell. By default, all overlays are included for all configured segments.
Include and Skip
If you want to skip an overlay, click the enabled Include icon; the cell changes to Skip and appears grayed out, and the segment is not applied to that overlay. Click Skip again to include the segment; the icon turns back to green. If an overlay is set to Skip, traffic does not match that overlay and moves to the next prioritized BIO. If no BIOs match, traffic is dropped.
TIP: If overlay is set to Skip, Flow Details on the Flows tab displays the list of skipped overlays.
Firewall Zone Policies
Use this tab to enable and associate firewall zones to your segments. With segmentation enabled, firewall zone security policies are orchestrated and there is no need for Firewall Security Templates. After migration, deactivate the Security Policies Template in all Template Groups. If left active, the template will override any default-default segment security policies configured on this tab.
Before you begin Firewall Zone configuration, note the following:
· Review your existing security policies.
· Create a new security templates group with the new firewall zoning policies that only includes zones associated with LAN and WAN interfaces.
· Delete all rules in your previous Security Policy Template on the Apply Template Group tab.
· Ensure you have selected the Replace option in the previous Security Policy Template.
· Save the previously used Security Policy Template. This deletes the security policy rules on your appliances.
Complete the following steps to set a rule or policy for your firewall zones within your segment.
1. Select the cell of the segment you want to update in the Matrix View. The From Zone To Zone window opens.
NOTE: If you are already in Table View, click Add Rule.
2. Enter the Source Segment in the Source Segment field. This is the segment that the firewall is starting from.
3. Enter the Destination Segment in the Destination Segment field. This is the segment where the firewall is going to.
4. Select Add Rule.
5. Complete the content in the table.

Field: Description
Priority: Enter the priority amount.
Match Criteria: Click the edit icon in this column to modify and create the match criteria for each zone.
Action: Select Allow or Deny to determine whether this zone will apply the selected segment.
Enable Logging: Select the check box to enable or clear it to disable. Determines the filter for the zone-based firewall drop logging levels. You can select one of the following levels to apply: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug.
Tag: Use tags to categorize or identify the purpose of a rule.
Comment: Any additional details about the firewall zone.

NOTE: Firewall zones are unique to each segment. For example, the default zone in Segment X will not be the same default zone in Segment Y.
Inter-Segment Routing & DNAT
Use this tab to configure inter-segment routing and DNAT rules for traffic that crosses between segments. Click +Add and the Inter-Segment Routing & DNAT window opens. Click +Add again and select any rule in the table to modify the following:

Field: Description
Source Segment: Name of the segment the traffic is initiating from.
Matches Destination IP: IP address of the source segment. This is used to match the packet destination IP address before the packet goes through DNAT.
Send to Segment: Name of the segment the packets are translated to from the matched destination IP address.
Translated Destination: IP address of the DNAT IP address when the segment is translated.
Enabled: Whether this rule is enabled or disabled within your segment.
Comment: Any additional information.

Inter-Segment Routing & SNAT
This window enables you to enable source network address translation for your segments.
NOTE: The default setting for SNAT is enabled for inter-segment traffic.

Field: Description
Source: Name of the segment that the SNAT is starting from.
Destination: Name of the segment that SNAT is translated to.
SNAT: Whether SNAT is enabled or disabled.

Loopback
Click +Add and you are redirected to the Loopback Orchestration tab. Select the segment to which you want to apply a loopback interface from the table, and then click +Add Loopback Interface.

Appliances
This column shows the number of appliances on which the selected segment is enabled.

Comment
Click the cell in the Comment column to add a comment with any additional information for that particular segment.

Delete Segment

WARNING: Segmentation involves drastic changes to your physical network. Deleting segments can be service affecting. Carefully read this section before deleting any of your segments.
Deleting a segment removes all the segmentation configuration from all the appliances within your network. When you delete a segment, Orchestrator automatically deletes the following:

· The segment's association with the overlay and break-out policies
· The intra-segment and inter-segment firewall zone policies
· The inter-segment routing & D-NAT rules
· The inter-segment S-NAT rule
· The loopback interfaces associated with the segment
· The VTI interfaces associated with the segment
· All the interface and VLAN interfaces

Manual Tasks to Complete Before Deleting a Segment
The following configuration is disassociated from the segment, and you need to delete it manually:

· Any manually created tunnels
· BGP peers in the segment
· Internal subnet table rules
· Overlay ACL rules associated with the deleted segment

To delete a segment, click the X in the last column in the table. A Delete Routing Segment warning appears. Click Delete or Cancel.
Disable a Segment
To disable routing segmentation across your network, you need to delete all configured segments in the network, except the default segment (which cannot be deleted). After all the segments are deleted, navigate to this tab and move the toggle at the top of the page to disable.


Management Services
Configuration > Networking > Routing > Management Services
Use this tab to configure management services. You can configure them regardless of whether routing segmentation is enabled or disabled.
· When enabled, management services are functional in the associated segment based on the selected interface.
· When disabled, all the interfaces are available for configuration.
NOTE: Management services still function if routing segmentation is not enabled in Orchestrator. In this case, you will be able to use the default configuration only; that is, any interface with the Default segment.
Starting with version . , Orchestrator provides two tabs from which you can configure management services:
· Management Routes - Use this tab to configure static routes for management services traffic from an EdgeConnect appliance (egress traffic).
· Management Services - Use this tab to specify the source IP address of the interface used for each management service.
While it is recommended that you now use the Management Services tab to configure services, you can continue to use the Management Routes tab if you are not required to specify source IP addresses for management services.
The Management Services tab displays the following fields:

Field: Description
Appliance Name: Name of the appliance selected.
Management Service: Management service used by your appliance.
Interface for Source IP Address: IP address of the interface used by the management service. By default, management services are configured to use any source IP address. You can modify the interface for the source IP address by updating this field for the corresponding management service.
Source Segment: Name of the associated segment applied to the management service when your source IP address is selected.

Click the edit icon associated with the management service you want to configure.

Management Services Dialog Box
To configure a management service listed in this dialog box:
1. Click twice in the Interface for Source IP Address field associated with that service. A drop-down list of all the interfaces configured for your appliance appears.
2. Select an interface.
The Source Segment field updates automatically with the associated segment.
3. Click Apply.
If the Interface for Source IP Address field is set to any, there is no control over which source IP address will be used for management services egress packets. Depending on the route lookup, the corresponding source IP configured in the Management Routes table is used as the source IP of the packet. If the Source IP is not configured ( . . . ) in the Management Routes table for the selected route, the egress interface's IP address is used as the source IP address.
Descriptions of management service behaviors follow:

Service: Behavior
HTTP(S), Cloud Portal, Orchestrator: These services use the selected interface's Interface for Source IP Address as the source address to establish reachability and WebSocket connections to the Cloud Portal and Orchestrator. HTTP/HTTPS uses the Interface for Source IP Address for connection as well.
CAUTION: If routing segmentation is enabled, make sure to provide Internet connectivity from the segment to the Interface for Source IP Address associated with the segment.
DHCP Relay, NTP, NetFlow, RADIUS/TACACS+, SNMP, SSH, Syslog: Each of these management services uses the Interface for Source IP Address as the source IP address. The source interface configured in the management route table is ignored if the Interface for Source IP Address is not "any".

Inter-Segment Routing and D-NAT Exceptions
Configuration > Networking > Routing > Inter-Segment Routing & D-NAT Exceptions
Use this tab to configure inter-segment routing and Destination NAT (D-NAT) rules for traffic that crosses between segments. Click the edit icon to open the Inter-Segment Routing & D-NAT dialog box. Click +Add Rule and select any rule in the table to modify or define the following:

Field: Description
Source Segment: Name of the segment that traffic is initiating from.
Matches Destination IP: IP address that matches the destination segment IP address, before D-NAT. The IP address is included in the defined policy match criteria.
Send to Segment: Name of the segment the packets are translated to from the matched destination IP address. This is included in the set criteria.
Translated Destination IP: IP address of the D-NAT IP address when the segment is translated. NOTE: If D-NAT is not needed, this field is empty.
Enabled: Indicates whether inter-segment D-NAT is enabled or disabled within your segment.
Comment: Any additional information.

NOTE: This only pushes the inter-segment D-NAT exceptions to one appliance, selected in the Orchestrator appliance tree.

Inter-Segment S-NAT Exceptions
Configuration > Networking > Routing > Inter-Segment S-NAT Exceptions
Use this tab to enable source network address translation for your segments. Select an appliance or group of appliances in the Orchestrator appliance tree to apply your Source NAT (S-NAT) exceptions.
NOTE: The default setting for S-NAT is enabled for inter-segment traffic.

Field: Description
Appliance Name: Name of the segment that the S-NAT exception is being applied to.
Source: Name of the segment that the S-NAT is starting from.
Destination: Name of the segment that the S-NAT is translated to and going to.
S-NAT: Indicates whether S-NAT is enabled or disabled for the specified segment.
Comment: Any additional information.

BGP Tab
Configuration > Networking > Routing > BGP
On this tab, you can configure BGP (Border Gateway Protocol) for appliances and add their BGP peers (also known as BGP "neighbors"). You can also add and modify peer-based advertisement and redistribution rules. EdgeConnect has the following behaviors relative to communities:
· Although EdgeConnect does not configure BGP communities, it propagates existing communities.
· Appliances can display up to ten communities per route.
· Appliances subnet-share communities with their EdgeConnect peers.


· Appliances advertise communities to remote peers, if learned from EdgeConnect peers.
· Appliances advertise communities to BGP neighbors.
· All BGP-learned subnets also appear in the appliance Routes table, displayed on the Routes configuration page. In addition, any AS Path or BGP Community information learned with a particular subnet will also be displayed with that subnet entry in the table.
· BGP route updates are not refreshed unless the peer specifically asks for it. To update the BGP routes, go to the Peers table and select Soft Reset in the desired row.
· BGP Equal-cost multi-path (ECMP) is supported for eBGP and iBGP. Multiple next-hops will be installed for the same prefix if all BGP path attributes are the same, enabling BGP to load balance egress traffic across multiple peers. A maximum of BGP peers is supported per appliance, with next-hops supported per interface.
· A small set of community numbers are used as internal communities that represent the source domain of a particular route:

Value    Description
         Locally configured
         Subnet shared (learned from another appliance)
         Local BGP
         Remote BGP (learned from another appliance)
         Local OSPF
         Remote OSPF (learned from another appliance)

These internal community values only use the appliance's local ASN in the ASN portion of the community. When the ASN portion of an attached community exactly matches the local ASN and the community portion exactly matches one of these internal values, they are flagged as internal communities only and stripped when advertising the route to BGP peers.
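The stripping rule above requires both halves of a community to match exactly: the ASN part must equal the appliance's local ASN, and the value part must be one of the internal values. The following is an added example written for this guide, not EdgeConnect code. The local ASN and the INTERNAL_VALUES numbers are placeholders chosen for the example (the guide's actual internal community numbers are not reproduced here), and the sample community list is constructed.

```python
"""Internal-community stripping before a route is advertised to a BGP peer.

Added example, not EdgeConnect code. A community is internal only when BOTH
parts match exactly: ASN part == local ASN and value part in INTERNAL_VALUES.
Everything else is propagated unchanged, preserving order."""
from __future__ import annotations

# Placeholder value numbers keyed to the source domains the guide lists (assumption).
INTERNAL_VALUES = {
    901: "Locally configured",
    902: "Subnet shared (learned from another appliance)",
    903: "Local BGP",
    904: "Remote BGP (learned from another appliance)",
    905: "Local OSPF",
    906: "Remote OSPF (learned from another appliance)",
}


def parse_community(community: str) -> tuple[int, int]:
    """Split a standard "ASN:value" community into its two 16-bit parts."""
    asn_part, value_part = community.split(":", 1)
    asn, value = int(asn_part), int(value_part)
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError(f"not a standard community: {community}")
    return asn, value


def is_internal(community: str, local_asn: int) -> bool:
    """True only if the ASN part is exactly the local ASN and the value part is internal."""
    asn, value = parse_community(community)
    return asn == local_asn and value in INTERNAL_VALUES


def source_domain(community: str, local_asn: int) -> str | None:
    """Source domain an internal community encodes, or None when it is not internal."""
    if not is_internal(community, local_asn):
        return None
    return INTERNAL_VALUES[parse_community(community)[1]]


def communities_to_advertise(communities: list[str], local_asn: int) -> list[str]:
    """Communities that go out to a BGP peer: internal ones stripped, order preserved."""
    return [c for c in communities if not is_internal(c, local_asn)]


# Constructed sample: a route carrying four communities on an appliance whose
# local ASN is 65010. Only the two that match on BOTH parts are stripped; the
# community 65020:902 keeps going because its ASN part is a different AS.
LOCAL_ASN = 65010
SAMPLE = ["65010:902", "65010:100", "65020:902", "65010:904"]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c, "->", source_domain(c, LOCAL_ASN) or "propagated")
    print("advertised:", communities_to_advertise(SAMPLE, LOCAL_ASN))
```

The check is deliberately an exact comparison on both parts, matching the guide's wording; a looser rule (value part only) would strip a remote AS's communities that happen to share a number.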
Click the Summary button on the BGP tab to display configuration details associated with the local appliance, such as its local AS number and router ID. Click the icon in the BGP State Details column to display a summary, including the number of routes learned and advertised via BGP by this appliance.
Click the Peers button on the BGP tab to display information about all configured peers for the appliances selected in the appliance tree. Click the icon in the Peer Details column to display the connection status of each peer that is configured for the appliance.
The table below describes the fields displayed for the BGP configuration.

Field: Description
Appliance Name: Name of the appliance.
Segment: Name of the segment being used, if enabled.
Peer IP: IP address of the EdgeConnect peer.
Local Interface: A list of the interfaces that can be chosen: Any, lan , wan , or wan .
Peer ASN: Peer's Autonomous System Number.
Peer State: State of the peer. A peer state of Established indicates that full adjacency has been established and routes can be advertised to and learned from that peer.
Soft Reset: Allows new changes to be incorporated without taking the entire BGP session down.
Established Time: Final peer state that indicates the neighbor connection is complete.
Type: Governs what kinds of routes the appliance is allowed to advertise to this BGP peer. These routes are itemized as Route Export Policies.
Inbound Route Map: Route map being used for the inbound traffic.
Outbound Route Map: Route map being used for the outbound traffic.
Local Preference: Local preference is the first attribute an EdgeConnect appliance looks at to determine which route towards a certain destination is the "best" one. This value is not exchanged between external BGP routers. Local preference is a discretionary BGP attribute. Default value is . The path with the highest local preference is preferred.
MED: Multi Exit Discriminator. When BGP chooses the best route to reach a certain destination, it first looks at the local preference and AS path attributes. When the local preference and AS path length are the same for two or more routes towards a certain prefix, the Multi Exit Discriminator (MED) attribute is chosen. With MED, the lowest value is preferred. NOTE: If you configured the Metric Delta parameter in an earlier version of our software, this value has been translated into a MED value.
Input Metric: Metric that is advertised with the route when shared.
Enable Imports: Allows the learning of routes from this specific BGP peer.
AS Prepend Count: Learned path from an external prepend between a remote BGP site to local BGP peers.
Next-Hop-Self: Advertised route connected to a CE router that an EdgeConnect appliance learns from the eBGP with a PE router.
Keep Alive Timer: Interval, in seconds, between keep alive signals to a peer.
Hold Timer: When availability to a peer is lost, this specifies how long to wait before dropping the session.
Peer Details: Any additional details about a peer or its state.

To edit the BGP configuration for one of the listed appliances, click the edit icon in the left column of the table.

BGP Information
Use this window to enable BGP for your appliances and to configure BGP peers. Complete the following steps to start BGP configuration.
1. Move the toggle to Enable BGP.
2. Complete the following fields.

Field: Description
Autonomous System Number (ASN): Configure this number as needed for your network.
Router ID: This router identifier is the IPv address by which the remote peer can identify this appliance for purposes of BGP.
Graceful Restart: Enable receiver-side graceful restart capability. EdgeConnect retains routes learned from the peer and continues to use them for forwarding (if possible) if/when a BGP peer goes down. The retained routes are considered stale routes. They will be deleted and replaced with newly received routes.
Max Restart Time - Specifies the maximum time (in seconds) to wait for a Graceful Restart capable peer to come back after a peer restart or peer session failure.
Stale Path Time - Specifies the maximum time (in seconds) following a peer restart that EdgeConnect waits before removing stale routes associated with that peer.
AS Path Propagate: Select this check box to enable this appliance to send the full AS path associated with a prefix to other routers and appliances, avoiding routing loops. This provides the learned path from an external prepend between a remote BGP site to local BGP peers.

To add a BGP peer, select Add. The Add Peer dialog box opens.

Add Peer
Complete the following fields to add a BGP peer.

Field: Description
Peer IP: IP address of the EdgeConnect peer.
Local Interface: You can specify the source address or interface for a specific BGP peer. Select the interface from the drop-down list: any, lan , wan , or wan .
Peer ASN: Peer's Autonomous System Number.
Peer Type: Select the type of peer from the drop-down list: Branch or PE-router.
Admin Status: Select whether you want the Admin Status UP or DOWN.
Next-Hop-Self: Select this check box to enable next-hop-self.
Inbound route map: Route map for inbound traffic. Select the edit icon to load or configure inbound route maps.
Outbound route map: Route map for outbound traffic. Select the edit icon to load or configure outbound route maps.
Keep Alive Timer: Interval, in seconds, between keep alive signals to a peer.
Hold Timer: Specified time to wait before dropping the session when the reachability to a peer is lost.
Enable MD Password: Select this check box to add a password to authenticate the TCP session with the peer.

BGP Inbound and Outbound Route Redistribution Maps
Route Maps are policies that can be applied to static, OSPF, BGP, and SD-WAN fabric learned routes. These policies have match and set criteria. A route map is applied to routes during route redistribution between routing protocols and allows for filtering routes or modifying route attributes. Maximum allowed amounts for BGP route maps and rules per route map:
· Specify up to BGP route maps (inbound and outbound).
· Apply up to rules per route map.
You can add, delete, rename, or clone route maps using this window. You can add rules to your route map to further specify routing protocols by clicking Add Rule. Use rules to allow or deny routes based on numerous matching criteria. NOTE: Prefix match criteria is "exact match + less than". Both the prefix specified and any subnets of that prefix will be matched. This behavior will be updated in a future release to allow for selection of "exact," "greater than," or "less than" criteria.
To permit a default-route, deny . . . / , deny . . . / , and then permit any. You can specify the following fields in each rule for the selected route map.

Priority (Inbound and Outbound)

Field: Description
Priority: If you are using Orchestrator templates to add rules, Orchestrator will delete all entries from - before applying its policies. You can create rules with higher priority than Orchestrator rules ( - ) and rules with lower priority ( - and - ). NOTE: The priority range from to is reserved for Orchestrator. When adding a rule, the priority is incremented by from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.

Select Match Criteria (Inbound)

Source Protocol: Complete the Following Fields (based on protocol selected). Enter the prefix (list of subnets separated by commas) and your BGP communities.
BGP: Prefix, BGP Communities

Select Match Criteria (Outbound)

Source Protocol: Complete the Following Fields (based on protocol selected). Enter the prefix (list of subnets separated by commas) and your BGP communities.
Local/Static: Prefix
SD-WAN (Local/Static): Prefix, BGP Communities
BGP: Prefix, BGP Communities
OSPF: Prefix, OSPF Tag
SD-WAN (BGP): Prefix, BGP Communities
SD-WAN (OSPF): Prefix, OSPF Tag

Set Actions (Inbound and Outbound)

Field: Description
Permit: Enable or disable. This setting allows or denies the route map.
BGP Local Preference: Best BGP destination. The default value is .
Metric: Metric for the route.
BGP Communities: Label of extra information that is added to one or more prefixes advertised to BGP neighbors.
Nexthop: Advertised route connected to a CE router that an EdgeConnect appliance learns from the eBGP with a PE router.
ASN Prepend Count: Original route path that was used. NOTE: This field is displayed only for the Outbound redistribution map.
Comment: Comment you want to include.

The following table describes the redistribution commands supported in the BGP routing protocol.

Command: Redistribution Support
Match prefix: Yes
Set metric: Yes
Set tag: Yes

BGP ASN Global Pool
Configuration > Networking > Routing > BGP ASN Pool
Use this dialog box to configure the ASN Range used to assign Autonomous System Numbers (ASNs) to new appliances. Note the following before configuration:
· ASNs are applied only to new appliances. The ASNs configured in this dialog box do not impact or change any previous or manually configured ASNs.
· ASN Range is configured for the Default Segment and cannot be changed.
· ASN Orchestration assigns the same ASN to EdgeHA appliances.
· ASN Orchestration assigns the same ASN to appliances with the same site name.
Enter the start and end of the ASN range. Click +Add Reserved ASN to exclude any ASNs from being applied to an appliance. You can reassign ASNs manually by using the BGP tab.
Routes Tab
Configuration > Networking > Routing > Routes
Each appliance builds a route table with entries that are added automatically by the system, added manually by a user, or learned from a routing protocol (SD-WAN Fabric Subnet Sharing, BGP, or OSPF).

Route Maps

Orchestrator supports applying route maps to various routing protocols. This provides more control over importing and exporting routes to and from the SD-WAN fabric. You can configure your route maps to modify the information of a route through ACLs and apply tags by using commands. Each route map has a match command and a set command. The match command verifies the attributes of the original route that the protocol supports. The set command modifies information that is redistributed into the target protocol.
NOTE: Prefix match criteria is "exact match + less than". Both the prefix specified and any subnets of that prefix will be matched. This behavior will be updated in a future release to allow for selection of "exact," "greater than," or "less than" criteria.
To permit a default-route, deny . . . / , deny . . . / , and then permit any.
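The "exact match + less than" note (stated here and again in the BGP route-map section above) is the reason a single permit for a prefix also lets through every subnet of it, and why the default-route recipe needs deny rules ahead of the permit. The following is an added example, not Orchestrator code: a small evaluator that applies rule prefixes with exactly that semantic, in ascending priority, first match wins, no match means deny. The routes and rule sets are constructed; the "deny both halves, then permit the prefix" pattern is shown for a constructed 10.0.0.0/8 rather than for the default route.

```python
"""Route-map prefix matching with "exact match + less than" semantics.

Added example, not Orchestrator code. A rule prefix matches a candidate
route when the route is the same prefix or any subnet of it. Rules are
evaluated in ascending priority; the first match decides; no match denies."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int
    permit: bool
    prefix: str  # CIDR such as "10.0.0.0/8", or "any"


def prefix_matches(rule_prefix: str, route: str) -> bool:
    """Exact match, or the route is a subnet of the rule prefix ("less than")."""
    if rule_prefix == "any":
        return True
    rule_net = ipaddress.ip_network(rule_prefix, strict=False)
    route_net = ipaddress.ip_network(route, strict=False)
    # subnet_of() is True for an equal prefix and for any longer prefix inside it.
    return rule_net.version == route_net.version and route_net.subnet_of(rule_net)


def evaluate(rules: list[Rule], route: str) -> bool:
    """First matching rule in priority order wins; a route matching no rule is denied."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if prefix_matches(rule.prefix, route):
            return rule.permit
    return False


def filter_routes(rules: list[Rule], routes: list[str]) -> list[str]:
    """Routes the map lets through, in their original order."""
    return [r for r in routes if evaluate(rules, r)]


# Constructed candidate routes offered for redistribution.
ROUTES = ["10.0.0.0/8", "10.1.0.0/16", "10.200.0.0/16", "192.168.1.0/24"]

# A lone "permit 10.0.0.0/8" also admits every subnet of 10.0.0.0/8.
PERMIT_AGGREGATE_NAIVE = [Rule(10, True, "10.0.0.0/8")]

# To permit exactly 10.0.0.0/8 and nothing inside it, deny both halves first,
# then permit the /8 itself (the only route left that matches it exactly).
PERMIT_AGGREGATE_ONLY = [
    Rule(10, False, "10.0.0.0/9"),
    Rule(20, False, "10.128.0.0/9"),
    Rule(30, True, "10.0.0.0/8"),
]

if __name__ == "__main__":
    print("naive:  ", filter_routes(PERMIT_AGGREGATE_NAIVE, ROUTES))
    print("halves: ", filter_routes(PERMIT_AGGREGATE_ONLY, ROUTES))
```

The same pattern applies to any prefix you want to permit exactly: under this matching rule a permit for a prefix is a permit for the whole address block, so more specific denies have to come first in priority order.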

Route mapping is supported for the following protocols and directions:
· Local, static to SD-WAN fabric
· BGP, OSPF to SD-WAN fabric
· SD-WAN fabric to BGP outbound peers
· Local, BGP, OSPF to BGP outbound peers
· Local BGP peers to EdgeConnect BGP sessions
The following table lists the routing protocols and the associated commands supported.

Command          BGP   OSPF   SD-WAN   Local/Static
Match prefix     Yes   Yes    Yes      Yes
Set metric       Yes   Yes    Yes      Yes
Set tag          Yes   Yes    Yes      Yes

You can filter the type of routes displayed by clicking All, Local / Static, SD-WAN Fabric, BGP, or OSPF.
Import
Click Import to import route details from a CSV file into the selected appliance. The CSV file should contain values for the following fields in the exact order specified: Subnet, Mask Length, Metric, Is Local, Advertise to Silver Peak Peers, Advertise to BGP Peers, Next Hop, Advertise to OSPF Neighbors, Interface Name, Segment.
NOTE: The CSV file should not contain a header row, and it should have no spaces after commas. You can specify only the Subnet, Mask Length, and Metric, and Orchestrator uses default values for the remaining fields. If you include values in any of the remaining fields, however, all fields must have a value (that is, none can be blank).
The following lines illustrate what two rows in a CSV import file might look like:
10.1.0.0,16,50,TRUE,FALSE,TRUE,10.1.0.1,FALSE,lan0,Default
10.2.0.0,16,50,,,,,,,
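Because a malformed import file is rejected only once it reaches the appliance, it is worth checking a file against the rules above before importing it. The following validator is an added example written for this guide, not Orchestrator code. It enforces what the text states: no header row, no spaces after commas, the ten fields in the documented order, and either only Subnet, Mask Length and Metric populated or every field populated. The two accepted rows are the guide's own sample rows; the rejected rows are constructed for the example.

```python
"""Validator for the Routes tab CSV import format.

Added example, not Orchestrator code. Checks the documented rules: no header
row, no space after a comma, exactly ten fields in the documented order, and
the seven fields after Metric either all blank or all populated."""
from __future__ import annotations
import csv
import io
import ipaddress

FIELDS = [
    "Subnet", "Mask Length", "Metric", "Is Local",
    "Advertise to Silver Peak Peers", "Advertise to BGP Peers", "Next Hop",
    "Advertise to OSPF Neighbors", "Interface Name", "Segment",
]
BOOL_FIELDS = (3, 4, 5, 7)  # indices of the TRUE/FALSE columns


def validate_row(line: str) -> list[str]:
    """Return the problems found in one CSV line; an empty list means the row is valid."""
    problems: list[str] = []
    fields = next(csv.reader([line]))
    if fields and fields[0].strip().lower() == "subnet":
        return ["header row is not allowed"]
    if ", " in line:
        problems.append("space after comma")
    if len(fields) != len(FIELDS):
        problems.append(f"expected {len(FIELDS)} fields, got {len(fields)}")
        return problems
    subnet, mask, metric = fields[0], fields[1], fields[2]
    try:
        ipaddress.ip_network(f"{subnet}/{mask}", strict=True)
    except ValueError:
        problems.append(f"bad subnet/mask {subnet}/{mask}")
    if not metric.isdigit():
        problems.append(f"Metric must be a number, got {metric!r}")
    rest = fields[3:]
    if any(rest) and not all(rest):
        problems.append("fields after Metric must be all blank or all populated")
    elif all(rest):
        for i in BOOL_FIELDS:
            if fields[i].upper() not in ("TRUE", "FALSE"):
                problems.append(f"{FIELDS[i]} must be TRUE or FALSE")
        try:
            ipaddress.ip_address(fields[6])
        except ValueError:
            problems.append(f"bad Next Hop {fields[6]!r}")
    return problems


def validate_csv(text: str) -> dict[int, list[str]]:
    """Validate every non-empty line; returns {line_number: problems} for bad lines only."""
    report: dict[int, list[str]] = {}
    for number, raw in enumerate(io.StringIO(text), start=1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        problems = validate_row(line)
        if problems:
            report[number] = problems
    return report


# The guide's two sample rows: a fully specified route and a minimal one.
SAMPLE_GOOD = (
    "10.1.0.0,16,50,TRUE,FALSE,TRUE,10.1.0.1,FALSE,lan0,Default\n"
    "10.2.0.0,16,50,,,,,,,\n"
)

# Constructed rows that each break one rule: a header row, partially filled
# optional fields, a space after a comma, and a missing Segment field.
SAMPLE_BAD = ",".join(FIELDS) + (
    "\n10.3.0.0,16,50,TRUE,,,,,,\n"
    "10.4.1.0, 24,10,,,,,,,\n"
    "10.5.0.0,16,50,TRUE,FALSE,TRUE,10.5.0.1,FALSE,lan0\n"
)

if __name__ == "__main__":
    print("good file:", validate_csv(SAMPLE_GOOD) or "no problems")
    for number, problems in validate_csv(SAMPLE_BAD).items():
        print(f"line {number}: {'; '.join(problems)}")
```

Run it against a file with `validate_csv(open(path).read())` before importing; an empty report means every row satisfies the documented format.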
Export
Click Export to save the contents of the Routes table to a CSV file.
Filter by Subnet
Filter by Subnet filters all existing routes; the results are shown on the Routes tab.
A Very Large Query Response pop-up is displayed if the number of filtered routes exceeds , . You can filter by subnet, cancel, or continue waiting to help mitigate this issue.
NOTE: If the number of the routes filtered is greater than , the following pop-up will display.


Segment
The segments you have configured on the Routing Segmentation tab are listed in the Segment field. A er you specify the segment, the Routes table displays only the routes belonging to that segment.
The following information is displayed for each route listed in the table:

Appliance Name: Name of the appliance.
Segment: Segment to which the displayed routes belong.
Subnet/Mask: Actual subnet to be shared or learned.
Next Hop: Next hop IP address for the route. A maximum of next hops are supported per logical interface.
Interface: Interface for outgoing traffic. Display only.
Zone: Firewall zone associated with the route.
State: Shows whether the route is up or down.
Metric: Metric of the subnet. Value must be between and . When a peer has more than one tunnel with a matching subnet (for example, in a high availability deployment), it chooses the tunnel with the lower numerical value.
Advertise to Peers: Select to share subnet information with categories of peers. Select from the following options:
· Advertise to Silver Peak Peers
· Advertise to BGP Peers
· Advertise to OSPF Peers
Peers then learn the subnets. To add a subnet to the table without divulging it to peers, clear this option.


Type: Indicates one of the following route types:
· Auto (System) - Automatically added subnets of interfaces on this appliance.
· Auto (SaaS) - Automatically added subnets from SaaS services.
· Added by user - Subnets manually added or configured on this appliance.
· SP: Hostname - Subnets added by exchanging information with peer appliances. If the peer has learned the subnet from a remote BGP or OSPF peer, that information is appended.
· <BGP peer Type>: <BGP peer ip> - Subnets added by exchanging information with local BGP peers.
· OSPF: OSPF neighbor IP - Subnets added by exchanging information with local OSPF peers.
Additional Info: Indicates any tags for restricting route lookups:
· Tag FROM LAN - Used to restrict route lookups to traffic arriving on a LAN-side interface.
· Tag FROM WAN - Used to restrict route lookups to traffic arriving on a WAN-side interface.
Comment: Any additional information you would like to include.

To edit a route, select the edit icon in the Routes table.
Route Table Lookup Criteria
Each Route table has lookup criteria that are applied in the following order:
· Longest prefix match
· Admin distance of the source protocol (lower is better)
· Metric (lower is better)
· Peer priority (if configured) as a tie-breaker
If two or more routes still tie after all of the above criteria, the appliance uses all of them (multiple routes).
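As an added illustration (not the guide's code), the lookup order above implemented as a Python function over a constructed route table. The admin distance values and peer names are hypothetical, because the page's default admin distance table is not reproduced here; the Peer Priority tab's rule that a lower number means higher priority supplies the tie-break, and the tie-break is applied only when every still-tied route's peer has a configured priority (an assumption; the page says flows are spread randomly when no priority is configured).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str            # e.g. "10.1.0.0/16"
    source: str            # route type; key into ADMIN_DISTANCE
    metric: int            # lower is better
    peer: Optional[str]    # fabric peer the route was learned from, None if local
    next_hop: str


# Hypothetical admin distances (the guide's default table is not reproduced
# here); lower is preferred, matching the Admin Distance tab's rule.
ADMIN_DISTANCE = {
    "local": 0, "sdwan-static": 10, "ebgp": 20, "sdwan-bgp": 30,
    "ospf": 110, "sdwan-ospf": 120, "ibgp": 200,
}

# Peer Priority tab: lower number = higher priority. Hypothetical peer names.
PEER_PRIORITY = {"branch-a": 10, "branch-b": 20}


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def select_routes(table, destination):
    """Apply the Routes tab lookup order and return every route that survives it."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in _net(r.prefix)]
    if not candidates:
        return []
    # 1. Longest prefix match.
    best = max(_net(r.prefix).prefixlen for r in candidates)
    candidates = [r for r in candidates if _net(r.prefix).prefixlen == best]
    # 2. Admin distance of the source protocol (lower is better).
    best = min(ADMIN_DISTANCE[r.source] for r in candidates)
    candidates = [r for r in candidates if ADMIN_DISTANCE[r.source] == best]
    # 3. Metric (lower is better).
    best = min(r.metric for r in candidates)
    candidates = [r for r in candidates if r.metric == best]
    # 4. Peer priority as the tie-breaker, only if configured for every peer
    #    still in the running (assumption); otherwise flows are spread randomly.
    if all(r.peer in PEER_PRIORITY for r in candidates):
        best = min(PEER_PRIORITY[r.peer] for r in candidates)
        candidates = [r for r in candidates if PEER_PRIORITY[r.peer] == best]
    # 5. Whatever is still tied is used together (multiple routes / ECMP).
    return candidates


# Constructed route table exercising each step of the lookup order.
SAMPLE_TABLE = [
    Route("10.1.0.0/16", "sdwan-bgp", 50, "branch-a", "10.255.0.1"),
    Route("10.1.0.0/16", "sdwan-static", 50, "branch-b", "10.255.0.2"),
    Route("10.1.2.0/24", "ospf", 50, None, "10.0.0.1"),
    Route("10.2.0.0/16", "sdwan-bgp", 50, "branch-a", "10.255.0.1"),
    Route("10.2.0.0/16", "sdwan-bgp", 50, "branch-b", "10.255.0.2"),
    Route("10.3.0.0/16", "sdwan-bgp", 50, "branch-c", "10.255.0.3"),
    Route("10.3.0.0/16", "sdwan-bgp", 50, "branch-d", "10.255.0.4"),
    Route("10.4.0.0/16", "sdwan-bgp", 60, "branch-a", "10.255.0.1"),
    Route("10.4.0.0/16", "sdwan-bgp", 50, "branch-b", "10.255.0.2"),
    Route("0.0.0.0/0", "local", 0, None, "192.0.2.1"),
]

if __name__ == "__main__":
    for dst in ("10.1.2.9", "10.1.5.5", "10.2.5.5", "10.3.5.5", "10.4.1.1", "198.51.100.1"):
        print(dst, [(r.source, r.peer, r.next_hop) for r in select_routes(SAMPLE_TABLE, dst)])
```

The sample table is built so that each destination is decided at a different step: 10.1.2.9 by prefix length, 10.1.5.5 by admin distance, 10.4.1.1 by metric (the peer with the better priority loses because metric is checked first), 10.2.5.5 by peer priority, and 10.3.5.5 ends in a two-route tie.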
Admin Distance Configuration
You can configure the admin distance by using the Admin Distance template on the Templates tab. The default settings in this template determine the most reliable route by admin distance. See the table below for the default admin distance per route type.


Route Type / Default Admin Distance
· Local
· SD-WAN Fabric - Static
· SD-WAN Fabric - BGP
· SD-WAN Fabric - OSPF
· eBGP
· OSPF
· iBGP

Navigate to the BGP and OSPF tabs for more information about applying or configuring your route maps.

Edit or Add Routes
The following table describes the elements in the Routes dialog box. They represent various features you can apply to your route.

Automatically advertise local LAN subnets: Indicates whether the system-created LAN subnets of your appliance should be advertised to your peers.
Automatically advertise local WAN subnets: Indicates whether the system-created local WAN subnets of your appliance should be advertised to your peers.
Metric for automatically added routes: Metric assigned to subnets of interfaces on this appliance. Specify a value from to . The default value is . When a peer has more than one tunnel with a matching subnet (for example, in a high-availability deployment), it chooses the tunnel with the lower metric value.
Redistribute routes to SD-WAN fabric: Route redistribution map for the SD-WAN fabric. Click the edit icon next to this field and specify the appropriate route redistribution map.
Filter routes from SD-WAN fabric with matching local ASN: Indicates whether to filter routes from the SD-WAN fabric that carry the local Autonomous System Number (ASN).
Include BGP local ASN to routes sent to SD-WAN fabric: Indicates whether all routes must carry the local ASN over subnet sharing to remote EdgeConnect peers.


Tag BGP communities to routes: Send the specified communities with routes that are advertised to both SD-WAN fabric peers and BGP peers, if the routes are learned from any of the following source protocols:
· Local/Static
· SD-WAN (Local/Static)
· SD-WAN (BGP)
· SD-WAN (OSPF)
If you select this option, enter the BGP communities you want to be tagged in the Communities field.
Communities: BGP communities to share. A community must be a combination of two numbers ( to ) separated by a colon. For multiple communities, use a comma to separate them. You can have up to nine communities per route shared with subnet sharing. Subnet sharing is the protocol used to exchange routes between EdgeConnect appliances across the SD-WAN fabric.
Use SD-WAN fabric learned routes: Indicates whether to use SD-WAN fabric learned routes.
Enable Equal Cost Multi Path (ECMP): Indicates whether you want to enable Equal Cost Multi-Path routing support.

Add Routes
Use the Add Routes dialog box to add a user-defined route to an appliance's route table.
1. In the Routes dialog box, click Add Routes. The Add Route dialog box opens.
2. Configure the following elements as needed.

Subnet/Mask: Subnet IP address and mask (for example, . . . / ).
Next Hop: Next hop IP address for the route. If you specify a next hop, you cannot select a zone for the route. (Optional)
Interface: Interface for outgoing traffic. Click in the field and select the appropriate interface. If you specify an interface, you cannot select a zone for the route. (Optional)
Zone: Firewall zone to apply to the route. Select the appropriate firewall zone from the drop-down list. Initially, this field is set to Default. If you specify a next hop or an interface, you cannot select a zone for the route; the field is automatically set to None and cannot be changed. (Optional)


Metric: Metric for the subnet. Specify a value from to . When a peer has more than one tunnel with a matching subnet (for example, in a high-availability deployment), it chooses the tunnel with the lower metric value. The default value is .
Tag: Tag for restricting route lookups. It is primarily used to keep routes from being redistributed in a routing loop. Select one of the following options from the drop-down list:
· ANY - Allows route lookups for traffic arriving on a LAN-side or WAN-side interface.
· FROM_LAN - Restricts route lookups to traffic arriving on a LAN-side interface.
· FROM_WAN - Restricts route lookups to traffic arriving on a WAN-side interface.
Comments: Additional information you want to provide about this route. (Optional)

3. Click Add.

Import Subnets
Do the following to import route details from a CSV file into the selected appliance.
1. Click Choose File.
2. Locate and select the CSV file on your local machine, and then click Open.
3. Click Import. Orchestrator imports the information from the selected file, and the Routes table displays the new or updated route details.

SD-WAN Fabric Route Redistribution Maps
Route maps are policies that can be applied to static, OSPF, BGP, and SD-WAN fabric learned routes. These policies have match and set criteria. A route map is applied to routes during redistribution between routing protocols and allows you to filter routes or modify route attributes. Maximum allowed amounts for SD-WAN route maps and rules per route map:
· You can specify up to SD-WAN route maps.
· You can apply up to rules per route map.
You can add, delete, rename, or clone route maps using this window. You can add rules to your route map to further specify routing protocols by clicking Add Rule. Use rules to allow or deny routes based on numerous matching criteria.
NOTE: Prefix match criteria is "exact match + less than": both the prefix specified and any subnet of that prefix are matched. This behavior will be updated in a future release to allow selection of "exact," "greater than," or "less than" criteria.
To permit a default route, deny . . . / , deny . . . / , and then permit any.


You can specify the following fields in each rule for the selected route map.

Priority: If you are using Orchestrator templates to add rules, Orchestrator deletes all entries from to before applying its policies. You can create rules with a higher priority than the Orchestrator rules ( to ) and rules with a lower priority ( to and to ).
NOTE: The priority range from to is reserved for Orchestrator.
When you add a rule, its priority is incremented by from the previous rule's priority. You can change the priority, but this default behavior helps ensure that you can insert new rules without having to renumber subsequent ones.

Select Match Criteria
Source Protocol and the fields to complete (based on the protocol selected):
· Local/Static: Prefix
· BGP: Prefix, BGP Communities
· OSPF: Prefix, OSPF Tag
NOTE: The fields listed change depending on the source protocol chosen.

Set Actions
Permit: Enable or disable. This setting allows or denies the routes that match the rule.
OSPF Tag: Value of the OSPF tag to set in routing information sent to the destination. NOTE: This field is displayed only if Source Protocol is set to OSPF.
Metric: Metric for the route.
Comment: Comment you want to include.

OSPF Tab
Configuration > Networking > Routing > OSPF
This tab manages OSPF (Open Shortest Path First) on LAN and WAN interfaces.


OSPF learns routes from routing peers, and then subnet shares them with EdgeConnect peers and/or BGP neighbors.
A route tag is applied to a route to better identify the source of the network it originated from. It is primarily used to filter routes from being redistributed in a routing loop.

Appliance Name: Name of the appliance.
Enable: Indicates whether OSPF is enabled on the appliance.
Route Metric: Cost associated with a route. The higher the value, the less preferred.
Router ID: This router identifier is the IPv4 address by which the remote peer identifies this appliance for purposes of OSPF.
Redistribute Routes to OSPF: Redistribution map being used to redistribute routes to OSPF.
Details: Any additional details about your route.

Select the edit icon in the OSPF table to edit and enable OSPF.

OSPF Edit Row
Use this page to manage OSPF (Open Shortest Path First) on LAN and WAN interfaces. OSPF learns routes from routing peers, and then subnet shares them with EdgeConnect peers and/or BGP neighbors.

Enable OSPF: When enabled, the appliance can use the OSPF protocol.
Router ID: IPv4 address that the remote peer uses to identify the appliance for purposes of OSPF.
Redistribute routes to OSPF: Redistributing routes into OSPF from other routing protocols or from static routes causes them to become OSPF external routes. Select the edit icon to the left of this field and select the OSPF route redistribution maps you want to apply.

To add an additional interface to OSPF, click Add in the Interfaces section.
To configure or modify an OSPF route map, select the edit icon next to the Redistribute routes to OSPF field.

Add Interface
Complete the following fields to add an interface to OSPF.


Interface: Indicates whether a Backup Designated Router (BDR) is specified for the Designated Router (DR). Options are Yes or No.
Area ID: Number of the area in which to locate the interface. The Area ID is the same for all interfaces. It can be an integer between and , or it can take a form similar to an IP address, A.B.C.D.
Cost: The cost of an interface in OSPF is an indication of the overhead required to send packets across that interface. It is used in the OSPF path calculation to determine link preference.
Priority: Router priority. (If two or more best routes are subnet shared, peer priority is used as the tie-breaker.)
Admin Status: Indicates whether the interface is set to admin UP or DOWN.
Hello Interval: Length of time, in seconds, between the hello packets that a router sends on an OSPF interface.
Dead Interval: Number of seconds during which a router's Hello packets have not been seen before its neighbors declare the OSPF router down.
Transmit Delay: Number of seconds required to transmit a link state update packet. Valid values are to .
Retransmit Interval: Amount of time (in seconds) the router waits before retransmitting if it receives no acknowledgment.
Authentication: One of the following:
· None - No authentication.
· Text - Simple password authentication; a password (key) is configured per area. The password travels in cleartext in every OSPF packet, so it only prevents accidental adjacencies; it does not stop an attacker on the segment from forming one.
· MD5 - Message Digest authentication, a cryptographic authentication. A key (password) and key ID are configured on each router. The router uses an algorithm based on the OSPF packet, the key, and the key ID to generate a "message digest" that is appended to the packet.
Comment: Any information you want to include for your own use.

OSPF Route Redistribution Maps
Route maps are policies that can be applied to static, OSPF, BGP, and SD-WAN fabric learned routes. These policies have match and set criteria. A route map is applied to routes during redistribution between routing protocols and allows you to filter routes or modify route attributes. Maximum allowed amounts for OSPF route maps and rules per route map:
· You can specify up to OSPF route maps.
· You can apply up to rules per route map.
You can add, delete, rename, or clone route maps using this window. You can add rules to your route map to further specify routing protocols by clicking Add Rule. Use rules to allow or deny routes based on numerous matching criteria.


NOTE: Prefix match criteria is "exact match + less than": both the prefix specified and any subnet of that prefix are matched. This behavior will be updated in a future release to allow selection of "exact," "greater than," or "less than" criteria.
To permit a default route, deny . . . / , deny . . . / , and then permit any.
You can specify the following fields in each rule for the selected route map.

Priority: If you are using Orchestrator templates to add rules, Orchestrator deletes all entries from to before applying its policies. You can create rules with a higher priority than the Orchestrator rules ( to ) and rules with a lower priority ( to and to ).
NOTE: The priority range from to is reserved for Orchestrator.
When you add a rule, its priority is incremented by from the previous rule's priority. You can change the priority, but this default behavior helps ensure that you can insert new rules without having to renumber subsequent ones.

Select Match Criteria
Source Protocol and the fields to complete (based on the protocol selected):
· Local/Static: Prefix
· BGP: Prefix, BGP Communities
· SD-WAN Routes: Prefix, BGP Communities, OSPF Tag
NOTE: The fields listed change depending on the source protocol chosen.

Set Actions
Permit: Enable or disable. This setting allows or denies the routes that match the rule.
OSPF Tag: Value of the OSPF tag to set in routing information sent to the destination.
OSPF Metric Type: Filters redistributed routes to OSPF.
Metric: Metric for the route.
Comment: Comment you want to include.
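As an added example (not code from the guide) covering the rule behavior described in both the SD-WAN Fabric and the OSPF route redistribution map sections: a small Python evaluator in which a rule's prefix matches under the "exact match + less than" semantics, rules are tried in priority order, and the first match decides. First-match and implicit deny are assumptions that follow ordinary route-map behavior. The two deny prefixes in the page's default-route recipe are not shown; because every prefix of length 1 or more is a subnet of either 0.0.0.0/1 or 128.0.0.0/1, those two halves are used here as the denies, an inference from the stated semantics rather than a value read from the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int
    prefix: str      # match prefix; "0.0.0.0/0" is the "any" match
    permit: bool     # Permit set to enable (True) or disable (False)


def prefix_matches(rule_prefix, route_prefix):
    """'exact match + less than': the rule prefix itself or any subnet of it."""
    rule_net = ipaddress.ip_network(rule_prefix, strict=False)
    route_net = ipaddress.ip_network(route_prefix, strict=False)
    # subnet_of() is true for equality as well as for proper subnets.
    return route_net.version == rule_net.version and route_net.subnet_of(rule_net)


def evaluate(rules, route_prefix):
    """Lowest priority number first; first matching rule decides (assumed); no match = deny (assumed)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if prefix_matches(rule.prefix, route_prefix):
            return rule.permit
    return False


def apply_route_map(rules, route_prefixes):
    """Return the prefixes the route map lets through, in their original order."""
    return [p for p in route_prefixes if evaluate(rules, p)]


# The guide's recipe for permitting only a default route. The two /1 halves are an
# inference from the matching semantics (the page's own values are not shown).
DEFAULT_ROUTE_ONLY = [
    Rule(10, "0.0.0.0/1", permit=False),
    Rule(20, "128.0.0.0/1", permit=False),
    Rule(30, "0.0.0.0/0", permit=True),      # permit any
]

# The pitfall: permitting 10.0.0.0/8 also permits every more-specific 10.x prefix.
PERMIT_TEN = [Rule(10, "10.0.0.0/8", permit=True)]

# Constructed candidate routes.
CANDIDATES = ["0.0.0.0/0", "10.0.0.0/8", "10.1.0.0/16", "172.16.0.0/12", "192.168.1.0/24"]

if __name__ == "__main__":
    print("default only:", apply_route_map(DEFAULT_ROUTE_ONLY, CANDIDATES))
    print("permit 10/8:  ", apply_route_map(PERMIT_TEN, CANDIDATES))
```

Until the "exact" option the note promises is available, this is the check to run on any map meant to leak a single prefix: a permit rule for a short prefix lets every longer prefix under it through as well, and only a deny placed at a lower priority number can stop that.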


Multicast
Configuration > Networking > Routing > Multicast
Orchestrator supports multicast routing, a method of sending data from a single IP address to a larger group of recipients. This is only supported in Inline Router mode. Orchestrator provides four views of multicast status, each accessible by one of the corresponding buttons at the top of the Multicast tab: Summary, Interfaces, Neighbors, and Routes. Descriptions of fields on the Summary view follow:

Appliance Name: Name of the appliance (also selected in the left menu) associated with the multicast configuration.
Enable: Indicates whether multicast is enabled.
Rendezvous Point IP: IP address of the centralized source router that distributes multicast traffic to each router involved in multicast.

Click the edit icon to enable or disable multicast, add an interface for multicast, or edit an existing interface.

Multicast Dialog Box
From the Summary, Interfaces, Neighbors, or Routes view on the Multicast tab:
1. Click the edit icon next to the appliance for which you want to set up multicast. The Multicast dialog box opens.
2. Move the Enable Multicast toggle to the right to enable multicast.
3. In the Rendezvous Point IP Address field, enter the appropriate IP address.
Interfaces

Interface: Name of the interface you want to connect.
PIM Enabled: Indicates whether Protocol Independent Multicast is enabled. This allows routers to communicate through unidirectional shared trees within multicast along the shortest path.
IGMP Enabled: Indicates whether Internet Group Management Protocol is enabled. This establishes the other routers in the multicast group.
DR Priority: Designated router priority of the given interface.
DR Router IP: IP address of the designated router within your network.

To add an interface:
1. Click Add. The Add Interface dialog box opens.
2. Select the desired interface from the Interface drop-down list.
3. Select the Enable PIM check box if you want to enable it.
4. Select the Enable IGMP check box if you want to enable it.
5. Click Add.
Neighbors

Interface: Name of the interface you want to connect.
Neighbor DR Priority: Designated router priority of the neighbor.
Neighbor IP: IP address of the neighbor.

Routes

Source: Transmitter of the multicast data.
Group: IP address of the multicast group.
Incoming Interface: Interface that receives inbound traffic.
Outgoing Interfaces: Interfaces on which outbound traffic is sent.

On the Multicast tab, you can click Export to export an Excel file of the multicast report. You can also click the refresh button to update the information displayed on the tab.

Peer Priority Tab
Configuration > Networking > Routing > Peer Priority
When an appliance receives a subnet with the same metric from multiple remote/peer appliances, it uses the Peer Priority list as a tie-breaker.
· If a Peer Priority is not configured, the appliance randomly distributes flows among multiple peers.
· The lower the number, the higher the peer's priority.
Click the edit icon to configure a peer and its peer priority.


NOTE: By default, the peer priority range starts at .
Peer Priority Edit Row
This dialog box displays a list of configured peers. The peer priority and advertise metric are displayed for each peer.
· Peer priority controls the peer to which traffic is sent when route ties occur. It acts similarly to BGP's local preference.
· Advertise metric controls the return path of a flow back toward the local appliance. It adjusts the metric of all routes sent to Peer Name, so different metrics can be announced to different fabric peers. It acts similarly to BGP's Multi Exit Discriminator (MED). The default setting is preserve existing (do nothing).
Both peer priority and advertise metric affect all routes sent to and received from Peer Name.
To add a peer:
1. Click Add Peer.
2. In the new row that is added to the table, enter the peer name, peer priority, and advertise metric.
3. To delete a peer, click the X in the far-right column of the peer's row.
4. When finished, click Apply.

Admin Distance Tab
Configuration > Networking > Routing > Admin Distance
This tab shows values associated with various types of Admin Distance. Admin Distance (AD) is the route preference value assigned to dynamic routes, static routes, and directly connected routes. When the appliance's Routes table has multiple routes to the same destination, the appliance uses the route with the lowest administrative distance. The following table displays the values associated with various types of Admin Distance.

Appliance Name: Name of the appliance.
Local: Manually configured route, or one learned from locally connected subnets.
EBGP: External BGP: exchanging routing information with a router outside the company-wide network.
IBGP: Internal BGP: exchanging routing information with a router inside the company-wide network.
Subnet Shared - Static Routes: Route learned from an EdgeConnect peer.
Subnet Shared - BGP Remote: Route shared from an EdgeConnect peer in an external network.
OSPF: Route learned from an OSPF (Open Shortest Path First) neighbor.
Subnet Shared - OSPF Remote: Route learned from an EdgeConnect peer.

To edit these fields, click the edit icon.

Admin Distance Edit Row
Use this dialog box to edit the admin distances for each type in the table. Click any cell in the Distance column to begin modifying the values. When finished, click Apply.

Management Routes Tab
Configuration > Networking > Routing > Management Routes
Use this tab to configure next hops for management interfaces.


· Management routes specify the default gateways and local IP subnets for the management interfaces.
· In a Dual-Homed Router Mode configuration, you might need to add a static management route for flow redirection between appliances paired for redundancy at the same site.
· The management routes table shows the configured static routes and any dynamically created routes. If you use DHCP, the appliance automatically creates appropriate dynamic routes. A user cannot delete or add dynamic routes.
· If the Source IP is listed as . . . , packets sent using this route use the Interface's IP address as the Source IP address. If the Source IP lists a specific IP address, that IP address is used instead.

Tunnels Tab
Configuration > Networking > Tunnels > Tunnels
Use this tab to view, edit, add, or delete tunnels. Separate tables are provided for Overlay, Underlay, and Passthrough tunnels. If you have deployed an SD-WAN network, Business Intent Overlays (BIOs) govern tunnel creation and properties. Overlay tunnels consist of bonded underlay tunnels.
Status: You can also filter by the following statuses: All, Up, or Down.
Add a Tunnel
Complete the following fields to add a tunnel to an overlay or passthrough tunnel.

Appliance: Name of the selected appliance.
Segment: Name of the segment, if enabled.
Overlay Tunnel: Designated overlay tunnel.


Overlay: Tunnels are applied to this designated overlay.
Admin Status: Indicates whether the tunnel has been set to admin Up or Down.
Status: Indications are as follows:
· Down - The tunnel is down. This can be because the tunnel administrative setting is down or the tunnel cannot communicate with the appliance at the other end. Possible causes are:
  - Lack of end-to-end connectivity / routability (test with iperf).
  - An intermediate firewall is dropping the packets (open the firewall).
  - An intermediate QoS policy is starving best-effort (BE) packets (change the control packet DSCP marking).
  - Mismatched tunnel mode (udp / gre / ipsec / ipsec_udp).
  - IPSec is misconfigured: enabled on one side only (see show int tunnel configured), or mismatched pre-shared key.
· Down - In progress - The tunnel is down. Meanwhile, the appliance is exchanging control information with the appliance at the other end, trying to bring up the tunnel.
· Down - Misconfigured - The two appliances are configured with the same System ID (see show system).
· Up - Active - The tunnel is up and active. Traffic destined for this tunnel is forwarded to the remote appliance.
· Up - Active - Idle - The tunnel is up and active, but it has had no activity in the past five minutes, and it has slowed the rate of issuing keep-alive packets.
· Up - Reduced Functionality - The tunnel is up and active, but the two endpoint appliances are running mismatched software releases that give no performance benefit.
· UNKNOWN - The tunnel status is unknown. This can be because the appliance is unable to retrieve the current tunnel status. Try again later.
MTU: Maximum Transmission Unit. The largest possible unit of data that can be sent on a given physical medium. MTUs up to bytes are supported. Auto allows the tunnel MTU to be discovered automatically; it overrides the MTU setting.
Uptime: How long the tunnel has been up.
Underlay Tunnels: Designated underlay tunnel.


Live View: Live view of the status of the selected tunnel. You can view by bandwidth, loss, jitter, latency, MOS, chart, traceroute, inbound or outbound, and lock the scale.
Historical Charts: A display of the historical charts for the selected appliance.

T
1. Have you created and applied the Overlay to all the appliances on which you expect tunnels to be built? Verify this on the Apply Overlays tab.
2. Are the appliances on which you expect the Overlays to be built using Release . or later? View the active software releases on Administration > Software > Upgrade > Software Versions.
3. Do you have at least one WAN Label selected as a Primary port in the Overlay Policy? Verify this on the Business Intent Overlay tab in the WAN Links & Bonding Policy section.
4. Are the same WAN labels selected in the Overlay assigned to the WAN interfaces on the appliances? Verify that at least one of the Primary Labels selected in the Business Intent Overlay is identical to a Label assigned on the appliance's Deployment page. Tunnels are built between matching Labels on all appliances participating in the overlay.
5. Do any two (or more) appliances have the same Site Name? Assign the same Site Name only to appliances that you do not want to connect directly. To view the list of Site Names, navigate to Configuration > Networking > Tunnels > Tunnels, and then click Sites at the top.

UP

T

You would add a passthrough tunnel under the following circumstances:
· For internet breakout to a trusted SaaS application, like Office
· For service chaining to a cloud security service, like Zscaler or Symantec
  - This requires building secure and compatible third-party IPSec tunnels from EdgeConnect devices to non-EdgeConnect devices in the data center or cloud.
  - When you create the tunnel, the Service Name in the Business Intent Overlay's Internet Traffic Policies must exactly match the Peer/Service specified in the Passthrough tunnel configuration.
  - To load balance, create two or more passthrough IPSec tunnels and, in the Business Intent Overlay, ensure that they all specify the same Service Name in the Internet Traffic Policies.

Tunnels Edit Row
Use this dialog box to view, edit, or delete tunnels. Separate tables are provided for Overlay, Underlay, and Passthrough tunnels.


If you have deployed an SD-WAN network, Business Intent Overlays (BIOs) govern tunnel creation and properties. Overlay tunnels consist of bonded underlay tunnels.


Add Tunnel
Complete the following steps to add an underlay or passthrough tunnel.
1. Select Underlay or Passthrough.
2. Select Add Tunnel. The Add Tunnel dialog box opens.
3. Complete the following fields for either underlay or passthrough tunnels.
Underlay - Add Tunnel General

Alias: Alias name of the tunnel.
Mode: Indicates whether the tunnel protocol is UDP, GRE, or IPSec.
Admin: Indicates whether the tunnel has been set to admin Up or Down.
Local IP: Local IP address.
Remote IP: Remote IP address.
Auto discover MTU enabled: When enabled, allows the tunnel MTU to be discovered automatically.
MTU: Maximum Transmission Unit (MTU) is the largest possible unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is bytes. MTUs up to bytes are supported. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting.
Auto max BW enabled: When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth.
Max BW Kbps: Maximum amount of bandwidth in kbps.
UDP destination port: Used in UDP mode. Accept the default value unless the port is blocked by a firewall.


UDP flows: Used in UDP mode. Number of flows over which to distribute tunnel data.
Min BW Kbps: Minimum amount of bandwidth, measured in kbps.

Packet
Reorder wait: Maximum time the appliance holds an out-of-order packet when attempting to reorder. ms is the default value and should be adequate for most situations. FEC can introduce out-of-order packets if the reorder wait time is not set high enough.
FEC: Forward Error Correction (FEC) can be set to enable, disable, or auto.
FEC ratio: When FEC is set to auto, this specifies the maximum ratio. The options are : , : , : , or : .

Tunnel Health
Retry count: Number of failed keep-alive messages that are allowed before the appliance brings the tunnel down.
DSCP: Determines the DSCP marking that the keep-alive messages should use.

FastFail Thresholds
Fastfail enabled: When multiple tunnels are carrying data between two appliances, this feature determines how quickly to disqualify a tunnel from carrying data.
The Fastfail connectivity detection algorithm computes the wait time from receipt of the last packet before declaring a brownout as:
Twait = Base + N * RTTavg
where Base is a value in milliseconds and N is the multiplier of the average Round Trip Time over the past minute.
For example, if Base = 200 ms, N = 2, and RTTavg = 50 ms, then Twait = 200 + 2 * 50 = 300 ms: the appliance declares the tunnel to be in brownout if it does not see a reply packet from the remote end within 300 ms of receiving the most recent packet.
In the Tunnel Advanced Options, Base is expressed as Fastfail wait-time base offset (ms), and N is expressed as Fastfail RTT multiplication factor.
Fastfail is triggered when a tunnel's keepalive does not receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keepalive reply, its recovery is instantaneous.
· If set to disable, keepalives are sent every second, and seconds elapse before failover. In that time, all transmitted data is lost.
· If set to enable, keepalives are sent every second, and a missed reply increases the rate at which keepalives are sent from one per second to ten per second. Failover occurs after one second.
· When set to continuous, keepalives are continuously sent at ten per second. Therefore, failover occurs after one tenth of a second.


Field Latency
Loss Jitter Fastfail wait-time base o set Fastfail RTT multiplication factor

Description
Amount of latency measure in MS. Thresholds for Latency, Loss, or Jitter are checked once every second.
Receiving three successive measurements in a row that exceed the threshold puts the tunnel into a brownout situation and flows will attempt to fail over to another tunnel within the next mS.
Receiving three successive measurements in a row that drop below the threshold will drop the tunnel out of brownout. Amount of data lost measured in percent. Amount of jitter measured in MS. Fastfail basic timeout time. Amount of RTT (Round Trip Time) added to the basic timeout.
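The brownout logic above, as an added example that is not Aruba or Silver Peak code: Twait from Base and N over a one-minute RTT average, plus the three-successive-measurements rule for the Latency, Loss and Jitter thresholds. The exit condition (every metric back at or below its threshold for three checks) and treating a value equal to the threshold as not exceeding it are assumptions of this example; the sample values are constructed.

```python
from typing import Dict, Iterable, List, Tuple

REQUIRED_SUCCESSIVE = 3      # three measurements in a row, as the guide states
RTT_WINDOW_S = 60.0          # RTTavg is the average over the past minute


def rtt_avg_ms(samples: Iterable[Tuple[float, float]], now_s: float,
               window_s: float = RTT_WINDOW_S) -> float:
    """Average of (time_s, rtt_ms) samples that fall within the trailing window."""
    recent = [rtt for t, rtt in samples if 0.0 <= now_s - t <= window_s]
    return sum(recent) / len(recent) if recent else 0.0


def fastfail_wait_ms(base_ms: float, n: float, rtt_avg: float) -> float:
    """Twait = Base + N * RTTavg (wait-time base offset and RTT multiplication factor)."""
    return base_ms + n * rtt_avg


def reply_overdue(last_rx_ms: float, now_ms: float, twait_ms: float) -> bool:
    """True once no reply has been seen within Twait of the most recent packet."""
    return (now_ms - last_rx_ms) > twait_ms


class ThresholdBrownout:
    """Latency/Loss/Jitter thresholds checked once per second.

    Three successive measurements above any threshold put the tunnel in
    brownout; three successive measurements at or below every threshold
    clear it (the 'every threshold' part is an assumption of this example).
    """

    def __init__(self, thresholds: Dict[str, float]) -> None:
        self.thresholds = thresholds
        self.over = {m: 0 for m in thresholds}    # consecutive checks above the limit
        self.under = {m: 0 for m in thresholds}   # consecutive checks at/below the limit
        self.brownout = False

    def observe(self, sample: Dict[str, float]) -> bool:
        for metric, limit in self.thresholds.items():
            if sample[metric] > limit:
                self.over[metric] += 1
                self.under[metric] = 0
            else:
                self.under[metric] += 1
                self.over[metric] = 0
        if not self.brownout and any(c >= REQUIRED_SUCCESSIVE for c in self.over.values()):
            self.brownout = True
        elif self.brownout and all(c >= REQUIRED_SUCCESSIVE for c in self.under.values()):
            self.brownout = False
        return self.brownout


def brownout_trace(thresholds: Dict[str, float],
                   samples: Iterable[Dict[str, float]]) -> List[bool]:
    """Feed one-per-second samples through the detector; return the state after each."""
    det = ThresholdBrownout(thresholds)
    return [det.observe(s) for s in samples]


# Constructed sample data: the guide's worked figures (Base 200 ms, N 2,
# RTTavg 50 ms) and a latency spike that trips a 100 ms latency threshold.
GOOD = {"latency": 30.0, "loss": 0.0, "jitter": 5.0}
BAD = {"latency": 250.0, "loss": 0.0, "jitter": 5.0}
SAMPLE_RTTS = [(0.0, 40.0), (30.0, 60.0)]          # (seconds, rtt_ms)
THRESHOLDS = {"latency": 100.0, "loss": 1.0, "jitter": 20.0}


def demo() -> Tuple[float, List[bool]]:
    twait = fastfail_wait_ms(200.0, 2.0, rtt_avg_ms(SAMPLE_RTTS, now_s=60.0))
    trace = brownout_trace(THRESHOLDS, [GOOD, BAD, BAD, BAD, GOOD, GOOD, GOOD])
    return twait, trace


if __name__ == "__main__":
    print(demo())   # (300.0, [False, False, False, True, True, True, False])
```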

Passthrough - Add Tunnel
Some settings are set to default, as listed in the screen shot below. For the remaining options, see the following table.
General
Alias – Alias name of the tunnel.
Mode – Indicates whether the tunnel protocol is UDP, GRE, or IPSec.
Admin – Indicates whether the tunnel has been set to admin Up or Down.
Local IP – Local IP address.
Remote IP – Remote IP address.
NAT – Whether NAT has been applied.
Peer/Service – Enter the peer/service being used.
Auto max BW enabled – Select whether auto max BW is enabled.
Max BW Kbps – Maximum amount of bandwidth in Kbps.

IKE
Access the following fields by clicking the IKE tab. This tab is displayed only if the Mode field on the General tab is set to IPSec.
Pre-shared key – Pre-shared key used for IKE authentication.
Authentication algorithm – Authentication algorithm used for the IKE SA.
Encryption algorithm – Encryption algorithm used for the IKE SA.
Diffie-Hellman group – Diffie-Hellman group used for IKE SA negotiation.
Rekey interval/lifetime – Rekey interval/lifetime of the IKE SA.
Dead peer detection – Delay time: the interval at which to check the liveness of the IKE peer. Retry count: the number of times to retry the connection before determining that the connection is dead.
IKE identifier – ID of the IKE tunnel.
Phase mode – Exchange mode for the IKE SA negotiation.
IKE version – Select IKE v1 or IKE v2.

IPSec
Access the following fields by clicking the IPSec tab. This tab is displayed only if the Mode field on the General tab is set to IPSec.
Authentication algorithm – Authentication algorithm used for the IPSec SA.
Encryption algorithm – Encryption algorithm used for the IPSec SA.
IPSec anti-replay window – Select a size from the drop-down list, or Disable to disable the IPSec anti-replay window. If a size is selected, protection is provided against an attacker duplicating encrypted packets, because each encrypted packet is assigned a unique sequence number and a replayed packet is rejected.
Rekey interval/lifetime – Rekey interval/lifetime of the IPSec SA.
Perfect forward secrecy group – Diffie-Hellman group used for IPSec SA negotiation.

Click Save.

Tunnel Exception
Configuration > Networking > Tunnels > Tunnel Exception
Orchestrator includes a tunnel exception feature that enables you to specify tunnel transactions between overlays. There are two ways you can enable this feature in Orchestrator. You can configure tunnel exceptions through the Tunnel Exception tab.
1. Select the two appliances that you do not want connected via a tunnel.
2. Enter the Interface Labels.
The interface label can be any type of connection, such as any, MPLS, Internet, or LTE. Specifying the label prevents appliances within a given network from communicating with that particular appliance.
NOTE: Use the description field to add a comment if you want to indicate why you are adding an exception.

Schedule Auto MTU Discovery
Configuration > Networking > Tunnels > Auto MTU Discovery Use this dialog box to schedule when to discover Auto MTU.

Configuration > Policies
The options under Configuration > Policies focus on managing access lists and policies.

DNS Proxy Policies
Configuration > Networking > DNS Proxy
The DNS (Domain Name Server) Proxy stores public IP addresses with their associated domain names. Server A is used primarily as a private DNS to backhaul traffic, and Server B is used to match all other domains that are not included under Server A. Server B is also used for public (cloud services) breakout traffic. See the table below for the field descriptions on this tab.
Appliance Name – Name of the appliance associated with the DNS proxy.
DNS Proxy Enabled – Whether the DNS Proxy is enabled. Select True or False.
Interface – Name of the interface associated with the DNS proxy.
Server A Addresses – IP addresses of Server A.
Server A Domains – Domain names handled by Server A.
Server A Caching – Whether you configured Server A responses to be cached.
Server B Addresses – IP addresses of Server B.
Server B Domains – Domain names handled by Server B.
Server B Caching – Whether you configured Server B responses to be cached.

Configure DNS Proxy Policies
Complete the following steps to configure and define your DNS Proxy policies.
NOTE: This feature is only configurable if you have loopback interfaces configured.
1. Choose whether you want to enable the DNS Proxy by selecting ON or OFF.
2. Select the name of the loopback interface or the LAN-side label associated with your DNS proxy.
3. Enter the IP addresses for Server A in the Server A Addresses field.
4. Choose whether you want caching to be ON or OFF. If selected, the domain name to IP address mapping is cached. By default, caching is ON.
5. Enter the domain names of Server A for the above IP addresses.
6. Enter Server B IP addresses in the Server B Addresses field. Server B will be used if there are no matches to the Server A domains.
NOTE: You can Clear DNS Cache. This erases the domain name to IP address mapping you had cached for both Server A and Server B.

Route Policies Tab
Configuration > Templates & Policies > Policies > Route Policies
The Route Policies report displays the route policy entries that exist on the appliance(s). This includes the appliance-based defaults, entries applied manually (via the Appliance Manager or CLI), and entries that result from applying an Orchestrator Route Policies template, or applying Business Intent Overlays (if you are deploying an SD-WAN). Each appliance's default behavior is to auto-optimize all IP traffic, automatically directing flows to the appropriate tunnel. Auto-optimization strategies reduce the need to create explicit route map entries for optimization. The three strategies provided are TCP-based auto-opt, IP-based auto-opt, and subnet sharing. By default, all three are enabled on the Templates tab, under System. The Route Policy only requires entries for flows that are to be:
· Sent pass-through (shaped or unshaped)
· Dropped
· Configured for a specific high-availability deployment
· Routed based on application, VLAN, DSCP, or ACL (Access Control List)
You might also want to create a Route Policy entry when multiple tunnels exist to the remote peer, and you want the appliance to dynamically select the best path based on one of these criteria:
· Load balancing
· Lowest loss
· Lowest latency
· Specified tunnel
Manage these instances on the Templates tab, or select the Edit icon to manage Route policies directly for a particular appliance. If you are deploying an SD-WAN network and setting up Internet breakout from the branch, you must create manual route policy entries for sanctioned SaaS applications or Guest WiFi.

Priority
· If you are using Orchestrator templates to add rules, Orchestrator will delete all entries from – before applying its policies.
· You can create rules with higher priority than Orchestrator rules ( – ) and rules with lower priority ( – and – ).
NOTE: The priority range from to is reserved for Orchestrator.
· When adding a rule, the priority is incremented by from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.

Match Criteria
· These are universal across all policy maps: Route, QoS, Optimization, NAT (Network Address Translation), and Security.
· If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.
· The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.
· To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

Source and Destination
· An IP address can specify a subnet; for example, . . . / (IPv4) or fe :: : :fed : ba / (IPv6).
· To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
· Ports are available only for the protocols tcp, udp, and tcp/udp.
· To allow any port, use 0.

Wildcard-based Prefix Matching
· When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by dot notation. For example, A.B.C.D.
· A range is specified using a dash. For example, - .
· A wildcard is specified as an asterisk (*).
· Range and wildcard can both be used in the same address, but an octet can only contain one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (range or wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules only apply to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.

Route Policies Edit Row

The Route Policies report displays the route policy entries that exist on the appliance(s). This includes the appliance-based defaults, entries applied manually (via the Appliance Manager or CLI), and entries that result from applying an Orchestrator Route Policies template, or applying Business Intent Overlays (if you are deploying an SD-WAN). Each appliance's default behavior is to auto-optimize all IP traffic, automatically directing flows to the appropriate tunnel. Auto-optimization strategies reduce the need to create explicit route map entries for optimization. The three strategies provided are TCP-based auto-opt, IP-based auto-opt, and subnet sharing. By default, all three are enabled on the Templates tab, under System. The Route Policy, then, only requires entries for flows that are to be:
· Sent pass-through (shaped or unshaped)
· Dropped
· Configured for a specific high-availability deployment
· Routed based on application, VLAN, DSCP, or ACL (Access Control List)
You might also want to create a Route Policy entry when multiple tunnels exist to the remote peer, and you want the appliance to dynamically select the best path based on one of these criteria:
· Load balancing
· Lowest loss
· Lowest latency
· Specified tunnel
Manage these instances on the Templates tab, or click the Edit icon to manage Route policies directly for a particular appliance. If you are deploying an SD-WAN network and setting up Internet breakout from the branch, you must create manual route policy entries for sanctioned SaaS applications or Guest WiFi.

Priority
· If you are using Orchestrator templates to add rules, Orchestrator will delete all entries from – before applying its policies.
· You can create rules with higher priority than Orchestrator rules ( – ) and rules with lower priority ( – and – ).
NOTE: The priority range from to is reserved for Orchestrator.
· When adding a rule, the priority is incremented by from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.

Match Criteria
· These are universal across all policy maps: Route, QoS, Optimization, NAT (Network Address Translation), and Security.
· If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.
· The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.
· To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

Source and Destination
· An IP address can specify a subnet; for example, . . . / (IPv4) or fe :: : :fed : ba / (IPv6).
· To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
· Ports are available only for the protocols tcp, udp, and tcp/udp.
· To allow any port, use 0.

Wildcard-based Prefix Matching
· When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by dot notation. For example, A.B.C.D.
· A range is specified using a dash. For example, - .
· A wildcard is specified as an asterisk (*).
· Range and wildcard can both be used in the same address, but an octet can only contain one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (range or wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules only apply to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.

QoS Policies Tab
Configuration > Templates & Policies > Policies > QoS Policies
QoS Policy determines how flows are queued and marked. The QoS Policies tab displays the QoS policy entries that exist on the appliances. This includes the appliance-based defaults, entries applied manually (via the Appliance Manager or CLI), and entries that result from applying an Orchestrator QoS Policy template or Business Intent Overlay. Use the Shaper to define, prioritize, and name traffic classes. Think of it as: the Shaper defines and the QoS Policy assigns. Use the Templates tab to create and manage QoS policies for multiple appliances, or click the Edit icon to manage QoS Policies directly for a particular appliance.

The QoS Policy's SET actions determine two things:
· To what traffic class a shaped flow, optimized or pass-through, is assigned
· Whether to trust incoming DSCP markings for LAN QoS and WAN QoS, or to remark them as they leave for the WAN

Handling and Marking DSCP Packets
· DSCP markings specify end-to-end QoS policies throughout a network.
· The default values for LAN QoS and WAN QoS are trust-lan.

Applying DSCP Markings to Optimized (Tunnelized) Traffic
· The appliance encapsulates optimized traffic. This adds an outer IP header to packets for travel across the WAN. This outer header contains the WAN QoS DSCP marking.
· LAN QoS – The DSCP marking applied to the IP header before encapsulation.
· WAN QoS – The DSCP marking in the encapsulating outer IP header. The remote appliance removes the outer IP header.

Applying DSCP Markings to Pass-through Traffic
· The appliance applies the QoS Policy's DSCP markings to all pass-through flows, shaped and unshaped.
· Pass-through traffic does not receive an additional header, so it is handled differently:
– The Optimization Policy's LAN QoS Set Action is ignored.
– The specified WAN QoS marking replaces the packet's existing LAN QoS DSCP marking.
– When the packet reaches the remote appliance, it retains the modified QoS setting as it travels to its destination.

Priority
· If you are using Orchestrator templates to add rules, Orchestrator will delete all entries from – before applying its policies.
· You can create rules with higher priority than Orchestrator rules ( – ) and rules with lower priority ( – and – ).
NOTE: The priority range from to is reserved for Orchestrator.
· When adding a rule, the priority is incremented by from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.

Match Criteria
· These are universal across all policy maps: Route, QoS, Optimization, NAT (Network Address Translation), and Security.
· If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.
· The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.
· To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

Source and Destination
· An IP address can specify a subnet; for example, . . . / (IPv4) or fe :: : :fed : ba / (IPv6).
· To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
· Ports are available only for the protocols tcp, udp, and tcp/udp.
· To allow any port, use 0.

Wildcard-based Prefix Matching
· When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by dot notation. For example, A.B.C.D.
· A range is specified using a dash. For example, - .
· A wildcard is specified as an asterisk (*).
· Range and wildcard can both be used in the same address, but an octet can only contain one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (range or wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules only apply to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.

QoS Policies Edit Row

QoS Policy determines how flows are queued and marked.
The QoS Policies tab displays the QoS policy entries that exist on the appliances. This includes the appliance-based defaults, entries applied manually (via the Appliance Manager or CLI), and entries that result from applying an Orchestrator QoS Policy template or Business Intent Overlay.
Use the Shaper to define, prioritize, and name traffic classes. Think of it as: the Shaper defines and the QoS Policy assigns.
Use the Templates tab to create and manage QoS policies for multiple appliances, or click the Edit icon to directly manage QoS Policies for a particular appliance.
The QoS Policy's SET actions determine two things:
· To what traffic class a shaped flow, optimized or pass-through, is assigned
· Whether to trust incoming DSCP markings for LAN QoS and WAN QoS, or to remark them as they leave for the WAN

Handling and Marking DSCP Packets
· DSCP markings specify end-to-end QoS policies throughout a network.
· The default values for LAN QoS and WAN QoS are trust-lan.

Applying DSCP Markings to Optimized (Tunnelized) Traffic
· The appliance encapsulates optimized traffic. This adds an outer IP header to packets for travel across the WAN. This outer header contains the WAN QoS DSCP marking.
· LAN QoS – The DSCP marking applied to the IP header before encapsulation.
· WAN QoS – The DSCP marking in the encapsulating outer IP header. The remote appliance removes the outer IP header.

Applying DSCP Markings to Pass-through Traffic
· The appliance applies the QoS Policy's DSCP markings to all pass-through flows, shaped and unshaped.
· Pass-through traffic does not receive an additional header, so it is handled differently:
– The Optimization Policy's LAN QoS Set Action is ignored.
– The specified WAN QoS marking replaces the packet's existing LAN QoS DSCP marking.
– When the packet reaches the remote appliance, it retains the modified QoS setting as it travels to its destination.

Priority
· If you are using Orchestrator templates to add rules, Orchestrator will delete all entries from – before applying its policies.
· You can create rules with higher priority than Orchestrator rules ( – ) and rules with lower priority ( – and – ).
NOTE: The priority range from to is reserved for Orchestrator.
· When adding a rule, the priority is incremented by from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.

Match Criteria
· These are universal across all policy maps: Route, QoS, Optimization, NAT (Network Address Translation), and Security.
· If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.
· The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.
· To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

Source and Destination
· An IP address can specify a subnet; for example, . . . / (IPv4) or fe :: : :fed : ba / (IPv6).
· To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
· Ports are available only for the protocols tcp, udp, and tcp/udp.
· To allow any port, use 0.

Wildcard-based Prefix Matching
· When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by dot notation. For example, A.B.C.D.
· A range is specified using a dash. For example, - .
· A wildcard is specified as an asterisk (*).
· Range and wildcard can both be used in the same address, but an octet can only contain one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (range or wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules only apply to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.

Schedule QoS Map Activation
Configuration > Templates & Policies > Policies > Schedule QoS Map Activation
You can schedule appliances to apply different QoS maps at different times.
Before using this option, verify the following:
· The desired Template Group has the QoS maps you need.
· You have applied the Template Group to the appliances you want to schedule.
TIP: To specify the timezone for scheduled jobs and reports, use the Schedule Timezone window (Orchestrator > Software & Setup > Setup > Timezone for Scheduled Jobs).
Optimization Policies Tab
Configuration > Templates & Policies > Policies > Optimization Policies The Optimization Policies tab displays the Optimization policy entries that exist on the appliances. This includes the appliance-based defaults, entries applied manually (via the Appliance Manager or CLI), and entries that result from applying an Orchestrator Optimization Policy template or Business Intent Overlay. Use the Templates tab to create and manage Optimization policies, or click the edit icon to manage Optimization policies directly for a particular appliance.
Priority
· If you are using Orchestrator templates to add rules, Orchestrator will delete all entries from – before applying its policies.
· You can create rules with higher priority than Orchestrator rules ( – ) and rules with lower priority ( – and – ).
NOTE: The priority range from to is reserved for Orchestrator.
· When adding a rule, the priority is incremented by from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.

Match Criteria
· These are universal across all policy maps: Route, QoS, Optimization, NAT (Network Address Translation), and Security.
· If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.
· The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.
· To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

Source and Destination
· An IP address can specify a subnet; for example, . . . / (IPv4) or fe :: : :fed : ba / (IPv6).
· To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
· Ports are available only for the protocols tcp, udp, and tcp/udp.
· To allow any port, use 0.

Wildcard-based Prefix Matching
· When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by dot notation. For example, A.B.C.D.
· A range is specified using a dash. For example, - .
· A wildcard is specified as an asterisk (*).
· Range and wildcard can both be used in the same address, but an octet can only contain one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (range or wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules only apply to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.
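The Source and Destination and Wildcard-based Prefix Matching rules listed under the Route, QoS and Optimization policy tabs above, as one added validator and matcher that is not Orchestrator code: CIDR or a 4-octet pattern whose octets are a value, a dash range or a whole-octet asterisk, with the mutual-exclusion rules enforced. It handles IPv4 only; the rule strings and addresses are constructed samples.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

OctetRange = Tuple[int, int]


class AddressPattern:
    """One source/destination address as the policy rules describe it:
    either CIDR, or four dotted octets where each octet is a value, a range
    'lo-hi', or the wildcard '*'.  Only IPv4 is handled in this example."""

    def __init__(self, text: str) -> None:
        self.text = text.strip()
        self.network: Optional[ipaddress.IPv4Network] = None
        self.octets: Optional[List[OctetRange]] = None
        has_range_or_wildcard = "-" in self.text or "*" in self.text
        if "/" in self.text:
            if has_range_or_wildcard:
                raise ValueError("CIDR and range/wildcard are mutually exclusive")
            self.network = ipaddress.IPv4Network(self.text, strict=False)
            return
        parts = self.text.split(".")
        if len(parts) != 4:
            raise ValueError("address must use the 4-octet A.B.C.D format")
        self.octets = [self._parse_octet(p) for p in parts]

    @staticmethod
    def _parse_octet(part: str) -> OctetRange:
        if part == "*":
            return (0, 255)                     # wildcard covers the whole octet
        if "*" in part:
            # '1*' or '1-*' mix a wildcard with other characters in one octet
            raise ValueError(f"wildcard must define an entire octet: {part!r}")
        m = re.fullmatch(r"(\d{1,3})(?:-(\d{1,3}))?", part)
        if not m:
            raise ValueError(f"bad octet: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range: {part!r}")
        return (lo, hi)

    def matches(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)
        if self.network is not None:
            return addr in self.network
        assert self.octets is not None
        return all(lo <= o <= hi for o, (lo, hi) in zip(addr.packed, self.octets))


def is_valid_pattern(text: str) -> bool:
    """True if the text obeys the prefix-matching rules (AddressValueError is a ValueError)."""
    try:
        AddressPattern(text)
        return True
    except ValueError:
        return False


def first_match(rules: List[str], ip: str) -> Optional[str]:
    """Return the first rule (in priority order) whose address pattern matches ip."""
    for rule in rules:
        if AddressPattern(rule).matches(ip):
            return rule
    return None


# Constructed sample rules: a range/wildcard pattern, a CIDR rule and the
# any-address rule, in priority order.
RULES = ["10.1-5.*.0-99", "192.168.0.0/16", "0.0.0.0/0"]

if __name__ == "__main__":
    print(first_match(RULES, "10.3.200.50"))   # 10.1-5.*.0-99
    print(first_match(RULES, "10.6.0.1"))      # 0.0.0.0/0
    print(is_valid_pattern("10.1*.0.0"))       # False: wildcard must be an entire octet
```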

Set Actions

Network Memory – Addresses limited bandwidth. This technology uses advanced fingerprinting algorithms to examine all incoming and outgoing WAN traffic. Network Memory localizes information and transmits only modifications between locations.
Maximize Reduction – Optimizes for maximum data reduction at the potential cost of slightly lower throughput and/or some increase in latency. It is appropriate for bulk data transfers such as file transfers and FTP, where bandwidth savings are the primary concern.
Minimize Latency – Ensures that Network Memory processing adds no latency. This might come at the cost of lower data reduction. It is appropriate for extremely latency-sensitive interactive or transactional traffic. It is also appropriate when the primary objective is to fully utilize the WAN pipe to increase the LAN-side throughput, as opposed to conserving WAN bandwidth.
Balanced – Is the default setting. It dynamically balances latency and data reduction objectives and is the best choice for most traffic types.
Disabled – Turns off Network Memory.
IP Header Compression – Process of compressing excess protocol headers before transmitting them on a link and uncompressing them to their original state at the other end. It is possible to compress the protocol headers due to the redundancy in header fields of the same packet, as well as in consecutive packets of a packet stream.

Payload Compression – Uses algorithms to identify relatively short byte sequences that are repeated frequently. These are then replaced with shorter segments of code to reduce the size of transmitted data. Simple algorithms can find repeated bytes within a single packet; more sophisticated algorithms can find duplication across packets and even across flows.
TCP Acceleration – Uses techniques such as selective acknowledgments, window scaling, and maximum segment size adjustment to mitigate poor performance on high-latency links.
NOTE: The slow LAN alert goes off when the loss has fallen below % of the specified value configured in the TCP Accel Options dialog box.
For more information, see TCP Acceleration Options.
Protocol Acceleration – Provides explicit configuration for optimizing CIFS, SSL, SRDF, Citrix, and iSCSI protocols. In a network environment, it is possible that not every appliance has the same optimization configurations enabled. Therefore, the site that initiates the flow (the client) determines the state of the protocol-specific optimization.

TCP Acceleration Options
TCP acceleration uses techniques such as selective acknowledgment, window scaling, and message segment size adjustment to compensate for poor performance on high latency links. This feature has a set of advanced options with default values.

CAUTION: Because changing these settings can affect service, it is recommended that you do not modify them without direction from Support.
TCP Acceleration Options

Adjust MSS to Tunnel MTU – Limits the TCP MSS (Maximum Segment Size) advertised by the end hosts in the SYN segment to a value derived from the Tunnel MTU (Maximum Transmission Unit). This is TCP MSS = Tunnel MTU – Tunnel Packet Overhead.
This feature is enabled by default so that the maximum value of the end host MSS is always coupled to the Tunnel MSS. If the end host MSS is smaller than the tunnel MSS, the end host MSS is used instead.
A use case for disabling this feature is when the end host uses Jumbo frames.
Auto Reset Flows – If enabled, it resets all TCP flows that are not accelerated, but should be (based on policy and on internal criteria like a Tunnel Up event).
The internal criteria can also include:
Resetting all TCP accelerated flows on a Tunnel Down event.
Resetting flows for which TCP acceleration is enabled but the SYN packet was not seen (so the flow was either part of WCCP redirection or it already existed when the appliance was inserted in the data path).
NOTE: Whether this feature is enabled or not, the default behavior when a tunnel goes Down is to automatically reset the flows.
Enable Silver Peak TCP SYN option exchange – Controls whether or not Silver Peak forwards its proprietary TCP SYN option on the LAN side. Enabled by default, this feature detects if there are more than two EdgeConnect appliances in the flow's data path, and optimizes accordingly.
Disable this feature if there is a LAN-side firewall or a third-party appliance that would drop a SYN packet when it encounters an unfamiliar TCP option.
End to End FIN Handling – This feature helps to fine-tune TCP behavior during a connection's graceful shutdown. When this feature is ON (Default), TCP on the local appliance synchronizes the graceful shutdown of the local LAN side with the LAN side of the remote appliance. When this feature is OFF (Default TCP), no such synchronization happens and the two LAN segments at the ends gracefully shut down independently.
IP Block Listing – If selected, and if the appliance does not receive a TCP SYN-ACK from the remote end within five seconds, the flow proceeds without acceleration and the destination IP address is blocked for one minute.

Aruba EdgeConnect SD-WAN Edge Platform

Using Aruba Orchestrator - . .

January ,

Option Keep Alive Timer
LAN Side Window Scale Factor Clamp Per-Flow Bu er Persist timer Timeout Preserve Packet Boundaries
Route Policy Override
Slow LAN Defense
Slow LAN Window Penalty

Description
Allows changing the Keep Alive timer for the TCP connections.
Probe Interval ­ Time interval in seconds between two consecutive Keep Alive probes.
Probe Count ­ Maximum number of Keep Alive probes to send.
First Timeout (Idle) ­ Time interval until the first Keep Alive timeout. This setting allows the appliance to present an artificially lowered Window Scale Factor (WSF) to the end host. This reduces the need for memory in scenarios in which there are many out-of-order packets being received from the LAN side. These out-of-order packets cause much bu er utilization and maintenance. (Max LAN to WAN Bu er and Max WAN to LAN Bu er)
This setting clamps the maximum bu er space that can be allocated to a flow, in each direction. Allows the TCP to terminate connections that are in Persist timeout stage a er the configured number of seconds. Preserves the packet boundaries end-to-end. If this feature is disabled, the appliances in the path can coalesce consecutive packets of a flow to use bandwidth more e iciently.
It is enabled by default so that applications requiring packet boundaries to match do not fail. Tries to override asymmetric route policy settings. It emulates auto-opt behavior by using the same tunnel for the returning SYN+ACK as it did for the original SYN packet.
Disable this feature if the asymmetric route policy setting is necessary to correctly route packets. In this case, you might need to configure flow redirection to ensure optimization of TCP flows. Resets all flows that consume a disproportionate amount of bu er and have a very slow throughput on the LAN side. Owing to a few slower end hosts or a lossy LAN, these flows a ect the performance of all other flows so that no flows see the customary throughput improvement gained through TCP acceleration.
This feature is enabled by default. The number relates indirectly to the amount of time the system waits before resetting such slow flows. This setting (OFF by default) penalizes flows that are slow to send data on the LAN side by artificially reducing their TCP receive window. This causes less data to be received and helps to reach a balance with the data sending rate on the LAN side.

Aruba EdgeConnect SD-WAN Edge Platform

Using Aruba Orchestrator - . .

January ,

Option WAN Congestion Control

Description Selects the internal Congestion Control parameter:

Optimized ­ This is the default setting. This mode o ers optimized performance in almost all scenarios.

Standard ­ In some unique cases, it might be necessary to downgrade to Standard performance to better interoperate with other flows on the WAN link.

WAN Window Scale

Aggressive ­ Provides aggressive performance and should be used with caution. Recommended mostly for Data Replication scenarios.
This is the WAN-side TCP Window scale factor that is used internally for WAN-side tra ic. This is independent of the WAN-side factor advertised by the end hosts.
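The following Python script is an added example, not code from this guide or from Aruba. It walks the TCP options of a SYN segment the way an MSS-adjusting middlebox would, applies the clamp TCP MSS = Tunnel MTU - Tunnel Packet Overhead described above (lowering the host's MSS, never raising it), and models what a LAN-side device that discards unknown options does to a SYN carrying a vendor-specific option, which is the failure mode the SYN option exchange setting warns about. The tunnel MTU (1500), the overhead (120 bytes), the sample SYN options and the vendor option kind (253, from the experimental range) are assumptions chosen for the example.

```python
import struct

EOL_KIND, NOP_KIND, MSS_KIND = 0, 1, 2   # RFC 793 option kinds


def parse_tcp_options(raw: bytes):
    """Return the TCP options field as a list of (kind, data) tuples."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL_KIND:            # end of option list; the rest is padding
            break
        if kind == NOP_KIND:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def build_tcp_options(opts) -> bytes:
    """Serialize (kind, data) tuples back into a 32-bit padded options field."""
    out = bytearray()
    for kind, data in opts:
        if kind == NOP_KIND:
            out.append(NOP_KIND)
        else:
            out += bytes([kind, 2 + len(data)]) + data
    while len(out) % 4:
        out.append(EOL_KIND)
    return bytes(out)


def mss_option(mss: int):
    return (MSS_KIND, struct.pack("!H", mss))


def tunnel_mss(tunnel_mtu: int, tunnel_overhead: int) -> int:
    """TCP MSS = Tunnel MTU - Tunnel Packet Overhead."""
    return tunnel_mtu - tunnel_overhead


def clamp_mss(opts, tunnel_mtu: int, tunnel_overhead: int):
    """Adjust MSS to Tunnel MTU: the host MSS is capped at the tunnel MSS,
    and a host MSS that is already smaller is left alone."""
    limit = tunnel_mss(tunnel_mtu, tunnel_overhead)
    out = []
    for kind, data in opts:
        if kind == MSS_KIND:
            (host_mss,) = struct.unpack("!H", data)
            data = struct.pack("!H", min(host_mss, limit))
        out.append((kind, data))
    return out


def effective_mss(raw_options: bytes, tunnel_mtu: int, tunnel_overhead: int) -> int:
    """MSS the far end sees after the appliance has clamped the SYN."""
    for kind, data in clamp_mss(parse_tcp_options(raw_options), tunnel_mtu, tunnel_overhead):
        if kind == MSS_KIND:
            return struct.unpack("!H", data)[0]
    raise ValueError("SYN carries no MSS option")


# Model of a LAN-side firewall that only keeps option kinds it understands
# (EOL, NOP, MSS, window scale, SACK-permitted, SACK, timestamps).
KNOWN_KINDS = {0, 1, 2, 3, 4, 5, 8}


def strip_unknown_options(opts):
    return [(k, d) for k, d in opts if k in KNOWN_KINDS]


# Constructed sample SYN options: MSS 1460, NOP, window scale 7, SACK-permitted,
# then a hypothetical vendor option of kind 253 carrying two bytes.
HOST_SYN_OPTIONS = bytes.fromhex("020405b4" "01" "030307" "0402" "fd04abcd")

if __name__ == "__main__":
    print("tunnel MSS:", tunnel_mss(1500, 120))
    print("MSS seen by the far end:", effective_mss(HOST_SYN_OPTIONS, 1500, 120))
    print("option kinds after a strict LAN firewall:",
          [k for k, _ in strip_unknown_options(parse_tcp_options(HOST_SYN_OPTIONS))])
```

A middlebox that strips the option, as modeled here, is the benign case; the guide's warning concerns devices that drop the whole SYN instead, which no amount of MSS clamping can repair.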

Optimization Policies Edit Row

The Optimization Policies tab displays the Optimization policy entries that exist on the appliances. This includes the appliance-based defaults, entries applied manually (via the Appliance Manager or CLI), and entries that result from applying an Orchestrator Optimization Policy template or Business Intent Overlay.
Use the Templates tab to create and manage Optimization policies, or click the edit icon to directly manage Optimization policies for a particular appliance.

Priority

· If you are using Orchestrator templates to add rules, Orchestrator deletes all entries in its reserved priority range before applying its policies.
· You can create rules with higher priority than the Orchestrator rules, and rules with lower priority.
NOTE: A fixed priority range is reserved for Orchestrator.
· When adding a rule, the priority is incremented by a fixed step from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.

Match Criteria
· These are universal across all policy maps: Route, QoS, Optimization, NAT (Network Address Translation), and Security.
· If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.
· The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.
· To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

Source and Destination
· An IP address can specify a subnet in CIDR notation, for either IPv4 or IPv6.
· To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
· Ports are available only for the protocols tcp, udp, and tcp/udp.
· To allow any port, use 0.

Wildcard-based Prefix Matching
· When using a range or a wildcard, the IPv4 address must be specified in the four-octet dotted format, A.B.C.D.
· A range is specified with a dash between the low and high values of an octet.
· A wildcard is specified as an asterisk (*).
· A range and a wildcard can both be used in the same address, but a single octet can contain only one or the other.
· A wildcard can only stand for an entire octet. Combining digits and an asterisk within one octet is not supported; express that octet as a range instead.
· The same rules apply to IPv6 addressing.
· CIDR notation and range or wildcard syntax are mutually exclusive in the same address: use either a CIDR prefix or a range, not both.
· These prefix-matching rules apply only to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.
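Added example (my own code, not from this guide or from Aruba): a matcher for the IPv4 range and wildcard syntax above. It accepts a four-octet pattern in which each octet is a fixed value, a low-high range, or a whole-octet asterisk, or alternatively a CIDR prefix, and it rejects the combinations the rules disallow: a partial-octet wildcard, CIDR mixed with a range or wildcard, a range or wildcard pattern with fewer than four octets, and an inverted range. The example patterns and addresses are constructed for illustration; the guide's own example values are not reproduced here, and IPv6 patterns are not handled.

```python
import ipaddress
import re

_RANGE = re.compile(r"^(\d{1,3})-(\d{1,3})$")


def _compile_octet(token: str):
    """Return the inclusive (low, high) bounds for one octet token."""
    if token == "*":                       # wildcard covers the whole octet
        return (0, 255)
    m = _RANGE.match(token)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
    elif token.isdigit():
        lo = hi = int(token)
    else:
        # Anything else mixes a wildcard with digits inside one octet
        # (for example "2*"), which the syntax does not allow.
        raise ValueError(f"invalid octet {token!r}: use a full-octet * or a range")
    if not (0 <= lo <= hi <= 255):
        raise ValueError(f"octet range out of order or out of bounds: {token!r}")
    return (lo, hi)


def compile_pattern(pattern: str):
    """Compile 'A.B.C.D' with ranges/wildcards, or a CIDR prefix, into a matcher."""
    if "/" in pattern:
        if "*" in pattern or "-" in pattern:
            raise ValueError("CIDR notation cannot be combined with a range or wildcard")
        net = ipaddress.ip_network(pattern, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError("range/wildcard form must use all four octets (A.B.C.D)")
    bounds = [_compile_octet(o) for o in octets]

    def match(ip: str) -> bool:
        parts = ipaddress.IPv4Address(ip).packed      # four ints, one per octet
        return all(lo <= b <= hi for b, (lo, hi) in zip(parts, bounds))
    return match


def matches(pattern: str, ip: str) -> bool:
    return compile_pattern(pattern)(ip)


def is_valid_pattern(pattern: str) -> bool:
    """True if the pattern obeys the prefix-matching rules, False otherwise."""
    try:
        compile_pattern(pattern)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("10.20-29.*.1-100", "10.2*.*.1-100", "10.0.0.0/8-9", "0.0.0.0/0"):
        print(p, "valid" if is_valid_pattern(p) else "rejected")
    print(matches("10.20-29.*.1-100", "10.25.7.50"))
```

Validating patterns before they are pushed matters because a rejected octet such as "2*" would otherwise be silently interpreted by whoever parses it next; failing loudly at entry time is the safer behavior for an access-control match.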

Set Actions

Network Memory – Addresses limited bandwidth. This technology uses advanced fingerprinting algorithms to examine all incoming and outgoing WAN traffic. Network Memory localizes information and transmits only modifications between locations.
Maximize Reduction – Optimizes for maximum data reduction at the potential cost of slightly lower throughput and/or some increase in latency. It is appropriate for bulk data transfers such as file transfers and FTP, where bandwidth savings are the primary concern.
Minimize Latency – Ensures that Network Memory processing adds no latency. This might come at the cost of lower data reduction. It is appropriate for extremely latency-sensitive interactive or transactional traffic. It is also appropriate when the primary objective is to fully utilize the WAN pipe to increase the LAN-side throughput, as opposed to conserving WAN bandwidth.
Balanced – The default setting. It dynamically balances latency and data reduction objectives and is the best choice for most traffic types.
Disabled – Turns off Network Memory.

IP Header Compression – Compresses excess protocol headers before transmitting them on a link and decompresses them to their original state at the other end. Compression is possible because of the redundancy in header fields within the same packet, as well as across consecutive packets of a packet stream.

Payload Compression – Uses algorithms to identify relatively short byte sequences that are repeated frequently. These are then replaced with shorter codes to reduce the size of transmitted data. Simple algorithms can find repeated bytes within a single packet; more sophisticated algorithms can find duplication across packets and even across flows.

TCP Acceleration – Uses techniques such as selective acknowledgments, window scaling, and maximum segment size adjustment to mitigate poor performance on high-latency links.
NOTE: The slow LAN alert is raised when the loss falls below the configured percentage of the value specified in the TCP Accel Options dialog box.
For more information, see TCP Acceleration Details.

Protocol Acceleration – Provides explicit configuration for optimizing the CIFS, SSL, SRDF, Citrix, and iSCSI protocols. In a network environment, it is possible that not every appliance has the same optimization configurations enabled. Therefore, the site that initiates the flow (the client) determines the state of the protocol-specific optimization.


TCP Acceleration Details

CAUTION: Because changing these settings can affect service, it is recommended that you do not modify them without direction from Support.

TCP Acceleration Options
The options in this dialog box (Adjust MSS to Tunnel MTU through WAN Window Scale) are the same as those described in the TCP Acceleration Options table above, and their descriptions apply unchanged here.

NAT Policies Tab
Configuration > Templates & Policies > Policies > SaaS NAT Policies

This report has two views that show the NAT policies configured on appliances:
· The Basic view shows whether NAT is enabled on all Inbound and Outbound traffic.
· The Advanced view displays all the NAT map rules.

Two use cases illustrate the need for NAT:
· Inbound NAT. The appliance automatically creates a source NAT (Network Address Translation) map when retrieving subnet information from the Cloud Portal. This ensures that traffic destined to SaaS servers has a return path to the appliance from which that traffic originated.
· Outbound NAT. The appliance and server are in the cloud, and the server accesses the internet. For example, a Citrix thin client accesses its cloud-based server, and the server accesses the internet.

For deployments in the cloud, best practice is to NAT all traffic, either inbound (WAN-to-LAN) or outbound (LAN-to-WAN), depending on the direction of the initiating request. This avoids black-holing that can result from cloud-specific IP addressing requirements.
· Enabling NAT all applies NAT policies to pass-through traffic as well as optimized traffic, ensuring that black-holing does not occur. NAT all on outbound applies only to pass-through traffic.
· If Fallback is enabled, the appliance moves to the next IP (if available) when ports are exhausted on the current NAT IP.

In general, when applying NAT policies, configure separate WAN and LAN interfaces to ensure that NAT works properly. You can do this by deploying the appliance in Router mode in-path with two (or four) interfaces.

The appliance can perform source network address translation (Source NAT or SNAT) on inbound or outbound traffic.
There are two types of NAT policies:

· Dynamic – Created automatically by the system for inbound NAT when the SaaS Optimization feature is enabled and SaaS service(s) are selected for optimization. The appliance polls the Cloud Intelligence Service for a directory of SaaS services, and NAT policies are created for each of the subnets associated with the selected SaaS service(s), ensuring that traffic destined for servers in use by those SaaS services has a return path to the appliance.

· Manual – Created by the administrator for specific IP addresses, ranges, or subnets. When assigning priority numbers to individual policies within a NAT map, first view the dynamic policies to ensure that the manual numbering scheme does not interfere with the dynamic policy numbering (manually assigned priority numbers cannot fall within the range used by dynamic policies). The default (no-NAT) policy has its own fixed priority number.

The NAT policy map has the following criteria and Set Actions:

Match Criteria, Source and Destination, and Wildcard-based Prefix Matching – The criteria, address syntax, and prefix-matching rules are identical to those described under Optimization Policies Edit Row above.

Set Actions

NAT Type
no-nat – The default. No IP addresses are changed.
source-nat – The source IP address of matching traffic is translated to the NAT IP selected below.

NAT Direction
inbound – NAT is applied on the LAN interface.
outbound – NAT is applied on the WAN interface.
none – The only option if the NAT type is no-nat.

NAT IP
auto – Select if you want to NAT all traffic. The appliance then picks the first available NAT IP/Port.
tunnel – Select if you want to NAT tunnel traffic only. Applicable only for inbound NAT, as outbound does not support NAT on tunnel traffic.
[IP address] – Select if you want NAT to use this IP address during address translation.

For Fallback, if the IP address is full (all of its ports are in use), the appliance uses the next available IP address. When you select a specific IP, ensure that routing is in place for the NAT-ted return traffic.
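Added example, not code from this guide or from Aruba: a small source-NAT allocator that shows the Fallback behavior described above. Each NAT IP has its own port pool; with Fallback enabled, a new flow moves to the next NAT IP once the current one has no free port, and with Fallback disabled a new flow cannot be translated once the selected IP is full. The NAT addresses, the port range and the flows are constructed values, and the sequential port allocation is a simplification (a real appliance also reuses ports released by closed flows).

```python
from dataclasses import dataclass, field


@dataclass
class SnatPool:
    """Ordered NAT IPs with a per-IP port range (range values are assumptions)."""
    nat_ips: list
    fallback: bool = True
    port_lo: int = 1024
    port_hi: int = 65535
    next_port: dict = field(default_factory=dict)   # nat_ip -> next free port
    active: dict = field(default_factory=dict)      # flow -> (nat_ip, port)

    def translate(self, flow):
        """Allocate (nat_ip, port) for a 5-tuple, or None if no port is free."""
        if flow in self.active:                     # an existing flow keeps its mapping
            return self.active[flow]
        # Without Fallback only the first (selected) NAT IP is ever used.
        candidates = self.nat_ips if self.fallback else self.nat_ips[:1]
        for ip in candidates:
            port = self.next_port.get(ip, self.port_lo)
            if port <= self.port_hi:
                self.next_port[ip] = port + 1
                self.active[flow] = (ip, port)
                return self.active[flow]
        return None                                 # every usable NAT IP is full


def apply_nat(nat_type: str, pool: SnatPool, flow):
    """no-nat leaves the flow untouched; source-nat rewrites source IP and port.
    flow = (src_ip, src_port, dst_ip, dst_port, proto)."""
    if nat_type == "no-nat":
        return flow
    if nat_type != "source-nat":
        raise ValueError(f"unknown NAT type {nat_type!r}")
    alloc = pool.translate(flow)
    if alloc is None:
        return None            # new flow cannot be NATed: no address/port is available
    nat_ip, nat_port = alloc
    _, _, dst_ip, dst_port, proto = flow
    return (nat_ip, nat_port, dst_ip, dst_port, proto)


def demo(fallback: bool):
    """Three new flows against a pool that has only two ports per NAT IP."""
    pool = SnatPool(["203.0.113.10", "203.0.113.11"], fallback=fallback,
                    port_lo=1, port_hi=2)
    flows = [("10.0.0.1", 40000 + n, "198.51.100.5", 443, "tcp") for n in range(3)]
    return [apply_nat("source-nat", pool, f) for f in flows]


if __name__ == "__main__":
    print("fallback on :", demo(True))
    print("fallback off:", demo(False))
```

The third flow in demo(False) returning None is the condition Fallback exists to avoid; monitoring port usage per NAT IP is the operational counterpart of enabling it.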
Merge/Replace – At the top of the page, choose Merge to use the values in the template but keep any values set on the appliance as is (producing a mix of template and appliance rules), or Replace (recommended) to replace all values with those in the template.

NAT Policies Edit Row
The views, use cases, NAT policy types, match criteria, and Set Actions available in this dialog box are the same as those described under NAT Policies Tab above; the dialog box edits the NAT rules of a single appliance.

Inbound Port Forwarding
Configuration > Overlays & Security > Security > Inbound Port Forwarding
Inbound port forwarding allows traffic from the WAN to reach computers or services within a private LAN when the interface runs a stateful firewall. It helps define and manage inbound traffic, remap a destination IP address and port number to an internal host, and create policies to manage branch devices from the WAN. Use this tab to define the permitted inbound traffic.
Inbound port forwarding has two operating modes when you add or edit a rule, depending on whether Translate mode is enabled or disabled.


The first operating mode is inbound port forwarding with Translate mode disabled. A LAN-side subnet with private IP addresses is allowed access through an inbound port forwarding rule (defined by you in the following steps), which exposes the LAN-side services directly on their own addresses. This requires the LAN-side private addresses to be routed on the WAN side. This corresponds to a DMZ (Demilitarized Zone) deployment.
NOTE: This mode is not common unless the port forwarding source is directly connected to the EdgeConnect or the LAN-side device address is routed from the WAN side. Additionally, inbound port forwarding does not support TFTP servers.
To establish a DMZ connection, complete the following steps:
1. Go to the Inbound Port Forwarding tab.
2. Select the Edit icon next to Appliance Name.
3. Select Add Rule.
4. Complete each field with the appropriate information.

Field – Description
Source IP/Subnet – Source of the WAN device managing the LAN device(s) specified in the destination.
Destination IP/Subnet – Address of the LAN device(s) managed remotely.

The second mode is Translate mode enabled. When enabled, the EdgeConnect WAN interface performs destination NAT (DNAT, Destination Network Address Translation) to reach LAN-side device(s) from an external network. Complete the following steps to enable Translate mode:
1. Go to the Inbound Port Forwarding tab.
2. Select the Edit icon.
3. Select Add Rule.
4. Select the Translate check box to enable Translate mode.
5. Complete each field with the appropriate information.

Field – Description
Source IP/Subnet – Source of the WAN device managing the LAN device(s) specified in the destination. Restrict this to the management hosts or networks that need access; a source that matches any address exposes the forwarded service to the whole WAN.
Destination IP/Subnet – Address of the WAN interface IP.
Destination Port/Range – Port/range at which the LAN device(s) managed remotely are reached from the WAN (the port before translation).
Protocol – Select the protocol you want to apply: UDP, TCP, ICMP, or Any. If you select Any, the Destination and Translated Ports are given a default value and must stay within the permitted port range; if a value exceeds it, a warning appears.
Translated IP – IP address of the LAN device accessed inside your network.
Translated Port/Range – Port/range of the LAN device accessed inside your network.
Source Interface – Source interface name.


Segment – Name of the segment being used.
Comment – Any additional details.

Additional Information
· Interface Modes: Port forwarding is used only when you have "stateful" or "stateful+snat" configured on interfaces. It does not apply when you have "Allow All" or "Harden" configured.
· Security Policies: If security policies are configured, make sure they allow the traffic specified in the port forwarding rules; a forwarding rule by itself does not open the zone-based firewall.
· You can also reorder the entries associated with inbound port forwarding by selecting Reorder when adding a rule.
NOTE: "Any" is available as a protocol option only on later software versions.
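Added example, not code from this guide or from Aruba, that evaluates inbound port forwarding rules the way the two modes above describe them. In Translate mode a matching WAN-side packet has its destination rewritten to the Translated IP and the corresponding Translated Port (ranges are mapped position by position, an assumption); with Translate off the packet is passed to the LAN address unchanged. It also applies the two caveats from Additional Information: rules are only consulted on a stateful or stateful+snat interface, and the resulting packet must still be allowed by the security policy. The evaluation order (first match in list order), the addresses, ports and the security-policy callback are assumptions; validate() flags the wide-open source that a reviewer would question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ForwardRule:
    source: str                   # WAN-side Source IP/Subnet allowed to use the rule
    destination: str              # WAN interface IP (Translate on) or LAN address (Translate off)
    dest_ports: tuple             # Destination Port/Range, inclusive (lo, hi)
    protocol: str                 # "tcp", "udp", "icmp" or "any"
    translated_ip: str = ""       # Translated IP (Translate on only)
    translated_ports: tuple = ()  # Translated Port/Range, inclusive (lo, hi)
    translate: bool = True


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str


def validate(rule: ForwardRule) -> str:
    """Static checks to run before the rule is pushed to an appliance."""
    if rule.translate:
        if not rule.translated_ip or len(rule.translated_ports) != 2:
            return "error: translate mode needs a translated IP and port range"
        if rule.dest_ports[1] - rule.dest_ports[0] != rule.translated_ports[1] - rule.translated_ports[0]:
            return "error: destination and translated port ranges differ in size"
    if ipaddress.ip_network(rule.source, strict=False).prefixlen == 0:
        return "warning: any WAN source may reach the forwarded service"
    return "ok"


def evaluate(rules, pkt: Packet, iface_mode: str = "stateful",
             policy_allows: Callable[[Packet], bool] = lambda p: True) -> Optional[Packet]:
    """Return the packet as delivered to the LAN, or None if it is not forwarded."""
    if iface_mode not in ("stateful", "stateful+snat"):
        return None            # port forwarding rules do not apply on Allow All / Harden
    for r in rules:
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(r.source, strict=False):
            continue
        if pkt.dst_ip != r.destination or not (r.dest_ports[0] <= pkt.dst_port <= r.dest_ports[1]):
            continue
        if r.protocol != "any" and r.protocol != pkt.protocol:
            continue
        if r.translate:        # DNAT: rewrite destination, keep the position within the range
            offset = pkt.dst_port - r.dest_ports[0]
            delivered = Packet(pkt.src_ip, r.translated_ip,
                               r.translated_ports[0] + offset, pkt.protocol)
        else:                  # DMZ style: the LAN private address is reached as addressed
            delivered = pkt
        return delivered if policy_allows(delivered) else None
    return None


# Constructed rules: an HTTPS admin page on one LAN host reachable only from a
# management network, and a wide-open range rule that validate() flags.
RULES = [
    ForwardRule("198.51.100.0/24", "203.0.113.1", (8443, 8443), "tcp", "10.1.1.20", (443, 443)),
    ForwardRule("0.0.0.0/0", "203.0.113.1", (8000, 8009), "any", "10.1.1.30", (22, 31)),
]

if __name__ == "__main__":
    for r in RULES:
        print(validate(r))
    print(evaluate(RULES, Packet("198.51.100.7", "203.0.113.1", 8443, "tcp")))
```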
Security Policies Tab
Configuration > Overlays & Security > Security > Firewall Zone Security Policies
This tab displays the Security Policies, which manage traffic between firewall zones.
· Zones are created on the Orchestrator. A zone is applied to an interface.
· By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones.
· When Routing Segmentation (VRF) is enabled, by default, traffic is allowed between interfaces labeled with the same zone and the same segment. Any traffic between different zones or between different segments is dropped.
· When segmentation is enabled, define your security policies from the Routing Segmentation (VRF) tab.
· When segmentation is enabled, do not use templates. If a security policy template is applied while segmentation is enabled, it applies only within the default segment and overrides the default-default security policy defined on the Routing Segmentation (VRF) tab. This behavior is designed to prevent a disruption in traffic when segmentation is enabled for the first time, and during a migration to segments. After the migration process is complete, the security policy template should be removed.
· If segments are disabled, define your security policies by creating templates. You can then apply template groups to appliances, or apply templates to Interfaces or Overlays.
· Clicking the edit icon opens the Security Policy that has been applied. Any changes made here are local to that appliance. Making changes from this tab is not recommended.
· Logging: In table view, you can specify the log level when adding and editing a rule. Select the appropriate level from the options in the list.
· Click Firewall Drops to see statistics on flows, packets, and bytes dropped or allowed by the zone-based firewall for a given time range.
· Click Manage Security Policies with Templates to define policies on all appliances within your network. You can use the matrix and table view to further specify your policies. If segmentation is enabled, do not use templates; manage from the Routing Segmentation (VRF) tab instead.

Wildcard-based Prefix Matching

· When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the dot notation. For example, A.B.C.D.
· Range is specified using a dash. For example, - .
· Wildcard is specified as an asterisk (*).
· Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and ACLs.

Security Policies Edit Row
This dialog box displays the Security Policies, which manage traffic between segments and their firewall zones. Complete the following steps to add or modify rules in your security policies:
1. Select the default logging level to be applied to all "Deny All" events.
2. Select the Source and Destination Segment.
3. Click the cell for the source and destination zone to open the rule editor.
4. Click Add Rule to create a new rule.
5. Modify the following fields in a new or existing rule:

Priority: Priority of the rule.
Match Criteria: Click the edit icon to add or modify match criteria for the rule.
Action: Select the action to apply to traffic matching the rule:
    allow - Matching traffic will be allowed.
    deny - Matching traffic will be denied.
    inspect - Matching traffic will be inspected by the Intrusion Detection System (IDS).
Enabled: Select the check box to enable the rule or clear the check box to disable the rule.
Logging: Select the logging level to be applied when logging matches for the specific rule. If you do not want to log matching traffic, select None.
Tag: Use this field to specify a tag to be logged with matching events.
Comment: Use this field to add comments or additional information about the rule.

· Zones are created on the Orchestrator. A zone is applied to an Interface.
· By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones or between their segments and firewall zones.
· Define your Security Policies by creating templates. You then can apply templates to Interfaces or Overlays.
· Clicking the Edit icon opens the Security Policy that has been applied. Any changes made here are local to that appliance.

Wildcard-based Prefix Matching

· When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the dot notation. For example, A.B.C.D.
· Range is specified using a dash. For example, - .
· Wildcard is specified as an asterisk (*).
· Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and ACLs.

Access Lists Tab
Configuration > Templates & Policies > Policies > ACLs > Access Lists


This tab lists the configured Access Control List (ACL) rules. An ACL is a reusable MATCH criterion for filtering flows. It is associated with an action: permit or deny. An ACL can be a MATCH condition in more than one policy: Route, QoS, or Optimization.

Appliance Name: Name of the appliance selected.
ACLs: Access Control Lists. A list of one or more ordered access control rules.
NOTE: An ACL only becomes active when it is used in a policy.
Priority: If you are using Orchestrator templates to add rules, Orchestrator will delete all entries from ­ before applying its policies. You can create rules with higher priority than Orchestrator rules ( ­ ) and rules with lower priority ( ­ and ­ ).
NOTE: The priority range from to is reserved for Orchestrator.
When adding a rule, the priority is incremented by from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.
Match Criteria: Configured ACL match criteria associated with the appliance. See Match Criteria below for more information.
Permit: Whether the ACL is set to Permit or Deny. Permit allows the matching traffic flow to proceed to the policy entry's associated SET actions. Deny prevents further processing of the flow by that ACL, specifically. The appliance continues to the next entry in the policy.
Comment: Any additional information about the ACL.

Click the edit icon to add, delete, or modify rules in your ACLs.

Match Criteria
· These are universal across all policy maps: Route, QoS, Optimization, NAT (Network Address Translation), and Security.
· If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.
· The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.
· To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.
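The Permit and Deny semantics described in the table above, as an added Python example (not Orchestrator code). It shows the point that is easy to miss: a Deny rule inside an ACL does not drop the flow, it only stops that ACL from matching, so the flow moves on to the next policy entry, and a lower-priority Permit rule in the same ACL is shadowed. The ACL names, flow fields, SET action contents and the priority step size are assumptions; the page states that priorities are incremented by a fixed amount without the value surviving here.

```python
"""ACL permit/deny semantics inside a policy map (added example, not Orchestrator code).

An ACL is an ordered list of match rules, each marked Permit or Deny, reused as the MATCH part
of policy entries. The first ACL rule that matches a flow decides: Permit sends the flow to the
policy entry's SET actions; Deny stops that ACL from processing the flow any further and the
appliance moves on to the next policy entry. No match at all also moves on.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class AclRule:
    priority: int
    match: Callable[[dict], bool]
    permit: bool = True
    comment: str = ""


@dataclass
class PolicyEntry:
    priority: int
    acl: str              # name of the ACL used as match criteria
    set_actions: dict     # constructed, e.g. {"overlay": "Internet-Breakout"} for a Route policy


def acl_verdict(rules, flow) -> Optional[str]:
    """'permit' or 'deny' from the first matching rule (ascending priority); None if none matched."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.match(flow):
            return "permit" if rule.permit else "deny"
    return None


def apply_policy(entries, acls, flow):
    """Return (entry, set_actions) of the first entry whose ACL permits the flow, else (None, None)."""
    for entry in sorted(entries, key=lambda e: e.priority):
        if acl_verdict(acls[entry.acl], flow) == "permit":
            return entry, entry.set_actions
        # deny or no match: this entry is skipped and evaluation continues with the next one
    return None, None


def next_priority(rules, step):
    """Default priority for a new rule: the highest existing priority plus a fixed step.
    The step size is a parameter here because the page states the increment without its value."""
    return max((r.priority for r in rules), default=0) + step


def in_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda f: ipaddress.ip_address(f["src"]) in net


def tcp_port(port):
    return lambda f: f["proto"] == "tcp" and f["dport"] == port


# Constructed sample: a "web" ACL that denies plain HTTP from one range but permits other web
# traffic, followed by a catch-all ACL. Flows denied by "web" are not dropped; they fall through.
GUEST_NET = in_net("10.20.0.0/16")
ACLS = {
    "web": [
        AclRule(10, lambda f: GUEST_NET(f) and tcp_port(80)(f), permit=False,
                comment="no plain HTTP from the guest range via this entry"),
        AclRule(20, lambda f: tcp_port(80)(f) or tcp_port(443)(f)),
    ],
    "any": [AclRule(10, lambda f: True)],
}
POLICY = [
    PolicyEntry(100, "web", {"overlay": "Internet-Breakout"}),
    PolicyEntry(200, "any", {"overlay": "Default"}),
]

if __name__ == "__main__":
    for flow in [{"src": "10.10.1.5", "proto": "tcp", "dport": 443},
                 {"src": "10.20.5.5", "proto": "tcp", "dport": 80},
                 {"src": "10.10.1.5", "proto": "udp", "dport": 53}]:
        entry, actions = apply_policy(POLICY, ACLS, flow)
        print(flow, "->", entry.priority if entry else None, actions)
```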


Wildcard-based Prefix Matching

· When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the dot notation. For example, A.B.C.D.
· Range is specified using a dash. For example, - .
· Wildcard is specified as an asterisk (*).
· Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and ACLs.
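The wildcard-based prefix matching rules listed above (here and in the two earlier repetitions of the same list) as a validator and matcher, added as a Python example; it is not Orchestrator code. It covers IPv4 only and treats the rules literally: a whole-octet wildcard, a dash range inside an octet, no mixing of the two in one octet, and no CIDR suffix together with either. Whether the appliance accepts CIDR input with host bits set is not stated on the page, so strict CIDR parsing is an assumption.

```python
"""Validator/matcher for the wildcard-based prefix matching rules (added example, not Orchestrator code).

Rules implemented: four dotted octets; an octet is a number, a range "lo-hi", or the wildcard "*";
a wildcard must cover the whole octet ("2*" is rejected); an octet cannot mix range and wildcard;
CIDR notation cannot be combined with ranges or wildcards. IPv4 only.
"""
import ipaddress
import re

# A whole octet: "*" or a number optionally followed by "-number". Partial wildcards never match.
_OCTET = re.compile(r"^(?:\*|(\d{1,3})(?:-(\d{1,3}))?)$")


def parse_pattern(text):
    """Return an IPv4Network for CIDR input, or a list of four (lo, hi) octet ranges.
    Raise ValueError for anything the page's rules forbid."""
    text = text.strip()
    if "/" in text:
        if "*" in text or "-" in text:
            raise ValueError(f"{text!r}: CIDR notation and range/wildcard are mutually exclusive")
        return ipaddress.IPv4Network(text)          # strict: host bits must be zero (assumption)
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"{text!r}: an IPv4 pattern needs exactly four dotted octets")
    ranges = []
    for octet in octets:
        m = _OCTET.match(octet)
        if m is None:
            raise ValueError(f"{text!r}: octet {octet!r} must be a number, a range lo-hi, "
                             "or a whole-octet '*'")
        if octet == "*":
            ranges.append((0, 255))
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"{text!r}: octet range {octet!r} is outside 0-255 or reversed")
        ranges.append((lo, hi))
    return ranges


def matches(pattern, address) -> bool:
    """True if the IPv4 address falls within the parsed pattern."""
    addr = ipaddress.IPv4Address(address)
    if isinstance(pattern, ipaddress.IPv4Network):
        return addr in pattern
    # addr.packed yields the four octets as integers, compared octet by octet
    return all(lo <= value <= hi for (lo, hi), value in zip(pattern, addr.packed))


def is_valid(text) -> bool:
    """Convenience wrapper: does the text obey the prefix-matching rules?"""
    try:
        parse_pattern(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ["10.1-5.*.1-100", "10.2*.*.1-5", "192.0.2.0/24", "192.0.2.0-255/24"]:
        print(f"{candidate:20} valid={is_valid(candidate)}")
```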

Access Lists Edit Row
The Access Lists dialog box lists the configured Access Control List (ACL) rules. You can add, delete, or rename an ACL by clicking the buttons at the top of this dialog box. You can also add rules to an ACL.
1. Click Add Rule.
2. Enter a priority value.
3. Click the edit icon to configure the match criteria. The Match Criteria dialog box opens and you can specify the match criteria. Click More Options to apply more rules.
4. Select whether you want to Permit or Deny traffic in the ACL.
5. Enter any comments if you decide to do so.

Address Groups
Configuration > Templates & Policies > ACLs > Address Groups
Use the Address Groups tab to view and manage address groups in your SD-WAN network. An address group is a logical collection of IP hosts or subnets that can be referenced in source or destination matching criteria in the zone-based firewall and security policies (route, QoS, optimization, and so forth).
NOTE: Orchestrator supports up to address groups.


Add an Address Group

Follow the steps below to create a new address group:

1. Click Add Group to open the Add Address Group dialog box.

2. Provide the following details in the fields provided:

Group name: Enter a unique name for the group, up to characters long.
NOTE: Group names can only contain uppercase and lowercase letters, numbers, dots, underscores, and hyphens.
IPs to include: Enter one or more IP addresses or subnets to include in the group (see Address Group Formats below).
IPs to exclude: Enter one or more IP addresses to exclude, in the case where you are including an IP range.
Groups to include: Enter the name of one or more address groups to include.
NOTE: Group inclusion only supports two levels of nesting. For example, if Group includes Group and Group includes Group , you could not include Group anywhere because it already contains two levels of nested groups.
Comment: Enter an optional comment that describes the address group and how it might be used.

3. Click Add to create the address group, or click Cancel to close the dialog box without making any changes.

Add a Rule to an Address Group

Follow the steps below to add a rule to an existing address group:

1. Select the address group to which you want to add a rule from the drop-down list above the table.
2. Click Add Rule to open the Add Rule dialog box.
3. Provide the details for the new rule in the fields provided (see field descriptions in Add an Address Group).
4. Click Add to create the rule or click Cancel to close the dialog box without making any changes.

Delete an Address Group

Follow the steps below to delete an address group:

1. Select the address group you want to delete from the drop-down list above the table.
2. Click Delete Group. A confirmation dialog box opens.
3. Click Delete to confirm your choice and permanently remove the selected group and all of its rules. Otherwise, click Cancel to return to the list without deleting the group.

Export Address Groups

You can export the current address groups to a CSV file as a backup to make bulk modifications outside of the Orchestrator UI.
To export address groups:

1. Click Export CSV.
2. In the save dialog box, browse to the location where you want to save the file, provide a name for the file, and then click Save.
3. Open the saved file in Excel or another program to view or modify its contents.

NOTE: When editing exported rules and address groups, you can modify the included or excluded IPs, included groups, or comments to overwrite the same rule when imported. If you modify the group name on a rule, however, it will create a new rule when imported.

Import Address Groups

NOTE: You can import a file that was exported and modified, or a new file that contains data in the same rows and columns as the exported file. Columns are ordered as Name, Included IPs, Excluded IPs, Included Groups, and Comment. The first row of the import file will be ignored.

To import address groups from a CSV file:

1. Click Bulk Import to open the Address Groups - Bulk Upload dialog box.
2. Click Choose File, locate and select the CSV file to be imported, and then click Open.
3. Review the groups and rules to be imported.
4. Click Save to import the file and merge with or replace the existing address groups, or click Cancel to close the dialog box without making any changes.

View a Single Address Group

By default, all address groups are displayed in the table on the Address Groups tab. To filter the table to a single address group, select the group from the drop-down list above the table.
NOTE: You can only add rules to an existing group when viewing a single address group. You cannot add a group with the same name as an existing group.

Edit or Delete a Rule

To edit or delete an existing rule, click the edit icon to the right of the rule. The Edit Rule dialog box opens.


· To edit the rule, modify the available fields, and then click Save.
· To delete the rule, click Delete.

Use Address Groups in Match Criteria

When specifying match criteria for IP/Subnet, you can use an address group by enabling the Src:Dest and Groups options.

Address Group Formats

An address group can include IP addresses, subnets, address groups, or any combination thereof. For IPs and subnets, the following formats are allowed:

· One or more IP addresses: . . . or . . . , . . . , . . .
· IP subnet: . . . / or . . . / . . .
· IP range: . . .
· IP range and subnet: . - . . / , . - . . / . . .
· IP wildcard: . . .* (you can use the wildcard in any octet)
· Wildcard and mask: .*. . / , .*. . / . . .


Service Groups
Configuration > Templates & Policies > ACLs > Service Groups
Use the Service Groups tab to view and manage service groups in your SD-WAN network. A service group is a logical collection of protocols and ports that can be referenced in source or destination matching criteria in the zone-based firewall and security policies (route, QoS, optimization, and so forth).
NOTE: Orchestrator supports up to service groups.

Add a Service Group

Follow the steps below to create a new service group:

1. Click Add Group. The Add Service Group dialog box opens.

2. Provide the following details in the fields provided (Used in lists the protocol selections for which the field applies):

Group name (Used in: All): Enter a unique name for the group, up to characters long.
NOTE: Group names can only contain uppercase and lowercase letters, numbers, dots, underscores, and hyphens.
Protocol (Used in: All): Select a protocol from the list of those available.
Ports to include (Used in: TCP, UDP): Enter one or more ports to include in the group. A single port, multiple comma-separated ports, and a range of ports are supported (e.g., , , - ).
Ports to exclude (Used in: TCP, UDP): Enter one or more ports to exclude from the group, in the case where you are including a range of ports. A single port, multiple comma-separated ports, and a range of ports are supported (e.g., , , - ).
Groups to include (Used in: TCP, UDP): Enter the name of one or more service groups to include.
NOTE: Group inclusion only supports two levels of nesting. For example, if Group includes Group and Group includes Group , you could not include Group anywhere because it already contains two levels of nested groups.
Groups to exclude (Used in: TCP, UDP): Enter the name of one or more service groups to exclude, in the case where you are already including a group that includes multiple groups.
ICMP types (Used in: ICMP): For ICMP, add one or more message types to include. Multiple types and ranges are supported (e.g., , , - ).
Comment (Used in: All): Enter an optional comment that describes the service group and how it might be used.

3. Click Add to create the service group or click Cancel to close the dialog box without making any changes.

Add a Rule to a Service Group

Follow the steps below to add a rule to an existing service group:

1. Select the service group to which you want to add a rule from the drop-down list above the table.
2. Click Add Rule. The Add Rule dialog box opens.
3. Provide the details for the new rule in the fields provided (see field descriptions in Add a Service Group).
4. Click Add to create the rule or click Cancel to close the dialog box without making any changes.

Delete a Service Group

Follow the steps below to delete a service group:


1. Select the service group you want to delete from the drop-down list above the table.
2. Click Delete Group. A confirmation dialog box opens.
3. Click Delete to confirm your choice and permanently remove the selected group and all of its rules. Otherwise, click Cancel to return to the list without deleting the group.

Export Service Groups

You can export the current service groups to a CSV file as a backup to make bulk modifications outside of the Orchestrator UI. Follow the steps below to export service groups.

1. Click Export CSV.
2. In the save dialog box, browse to the location where you want to save the file, provide a name for the file, and then click Save.
3. Open the saved file in Excel or another program to view or modify its contents.

NOTE: When editing exported rules and service groups, you can modify the protocol, inclusions, exclusions, ICMP types, or comments to overwrite the same rule when imported. If you modify the group name on a rule, however, it will create a new rule when imported.

Import Service Groups

Follow the steps below to import service groups from a CSV file:
NOTE: You can import a file that was exported and modified, or a new file that contains data in the same rows and columns as the exported file. Columns are ordered as Name, Protocol, Included Ports, Excluded Ports, Included Groups, Excluded Groups, ICMP types, and Comment. The first row of the import file will be ignored.

1. Click Bulk Import. The Service Groups - Bulk Upload dialog box opens.


2. Click Choose File, locate and select the CSV file to be imported, and then click Open.
3. Review the groups and rules to be imported.
4. Click Save to import the file and merge with or replace the existing service groups, or click Cancel to close the dialog box without making any changes.
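The address group and service group sections above share three mechanics: the CSV import layout (Name, Included IPs, Excluded IPs, Included Groups, Comment for address groups; Name, Protocol, Included Ports, Excluded Ports, Included Groups, Excluded Groups, ICMP types, Comment for service groups, first row ignored), include/exclude membership, and the two-level nesting limit on group inclusion. The following Python is an added example that models all three for both group types; it is not Orchestrator code. It reads only single IPs and CIDR subnets for address groups (the range and wildcard forms from Address Group Formats are not parsed), and the way exclusions of an outer group apply to everything it includes is an assumption. The sample CSV contents are constructed.

```python
"""Address and service groups: CSV import layout, include/exclude membership and the two-level
nesting limit (added example, not Orchestrator code). Address groups accept single IPs and CIDR
subnets only; exclusions of a group apply to everything it includes (assumption)."""
import csv
import io
import ipaddress
from dataclasses import dataclass, field

MAX_NESTING = 2   # "Group inclusion only supports two levels of nesting"


class PortRange:
    """A protocol plus inclusive port range; membership test takes a (protocol, port) pair."""
    def __init__(self, proto, lo, hi):
        self.proto, self.lo, self.hi = proto.upper(), lo, hi

    def __contains__(self, item):
        proto, port = item
        return proto.upper() == self.proto and self.lo <= port <= self.hi


@dataclass
class Group:
    name: str
    include: list = field(default_factory=list)          # leaf members: ip_network or PortRange
    exclude: list = field(default_factory=list)
    include_groups: list = field(default_factory=list)   # names of nested groups
    exclude_groups: list = field(default_factory=list)


def _cells(cell):
    return [x.strip() for x in cell.split(",") if x.strip()]


def _ports(proto, cell):
    for item in _cells(cell):                  # "80", "443", "8000-8100"
        lo, _, hi = item.partition("-")
        yield PortRange(proto, int(lo), int(hi or lo))


def parse_address_groups_csv(text):
    """Columns: Name, Included IPs, Excluded IPs, Included Groups, Comment. First row ignored."""
    groups = {}
    for name, inc, exc, ginc, _comment in list(csv.reader(io.StringIO(text)))[1:]:
        g = groups.setdefault(name, Group(name))
        g.include += [ipaddress.ip_network(x, strict=False) for x in _cells(inc)]
        g.exclude += [ipaddress.ip_network(x, strict=False) for x in _cells(exc)]
        g.include_groups += _cells(ginc)
    return groups


def parse_service_groups_csv(text):
    """Columns: Name, Protocol, Included Ports, Excluded Ports, Included Groups, Excluded Groups,
    ICMP types, Comment. First row ignored. ICMP types become PortRange members with proto ICMP."""
    groups = {}
    for name, proto, inc, exc, ginc, gexc, icmp, _comment in list(csv.reader(io.StringIO(text)))[1:]:
        g = groups.setdefault(name, Group(name))
        g.include += list(_ports(proto, inc)) + list(_ports("ICMP", icmp))
        g.exclude += list(_ports(proto, exc))
        g.include_groups += _cells(ginc)
        g.exclude_groups += _cells(gexc)
    return groups


def nesting_depth(groups, name, _seen=()):
    """0 for a group with no nested groups, 1 + deepest child otherwise; a cycle is an error."""
    if name in _seen:
        raise ValueError(f"group inclusion cycle through {name!r}")
    children = groups[name].include_groups + groups[name].exclude_groups
    if not children:
        return 0
    return 1 + max(nesting_depth(groups, c, _seen + (name,)) for c in children)


def validate(groups):
    """Problems: references to unknown groups, or more than MAX_NESTING levels of nesting."""
    problems = [f"{name}: unknown group {child!r}" for name, g in groups.items()
                for child in g.include_groups + g.exclude_groups if child not in groups]
    if problems:
        return problems
    return [f"{name}: more than {MAX_NESTING} levels of nested groups"
            for name in groups if nesting_depth(groups, name) > MAX_NESTING]


def member(groups, name, item):
    """Is item (an ip_address, or a (proto, port) pair) covered by the named group?"""
    g = groups[name]
    if any(item in m for m in g.exclude) or any(member(groups, c, item) for c in g.exclude_groups):
        return False
    return any(item in m for m in g.include) or any(member(groups, c, item) for c in g.include_groups)


def address_member(groups, name, ip):
    return member(groups, name, ipaddress.ip_address(ip))


# Constructed sample files in the import layouts described on this page.
ADDRESS_CSV = """Name,Included IPs,Excluded IPs,Included Groups,Comment
branch-lan,10.10.0.0/16,10.10.255.0/24,,constructed sample
dc-servers,"192.0.2.10, 192.0.2.0/26",,,constructed sample
all-sites,,,"branch-lan, dc-servers",constructed sample
"""
SERVICE_CSV = """Name,Protocol,Included Ports,Excluded Ports,Included Groups,Excluded Groups,ICMP types,Comment
web,TCP,"80, 443, 8000-8100",8080,,,,constructed sample
mgmt,TCP,22,,,,,constructed sample
pings,ICMP,,,,,"0, 8",constructed sample
admin,TCP,,,"web, mgmt, pings",,,constructed sample
"""
```

The nesting check mirrors the NOTE in both sections: a group that already contains two levels of nested groups can still exist, but any group that includes it would be a third level and is reported by validate().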

View a Single Service Group

By default, all service groups are displayed in the table on the Service Groups tab. To filter the table to a single service group, select the group from the drop-down list above the table.
NOTE: You can only add rules to an existing group when viewing a single service group. You cannot add a group with the same name as an existing group.

Edit or Delete a Rule

To edit or delete an existing rule, click the edit icon to the right of the rule. The Edit Rule dialog box opens.


· To edit the rule, modify the available fields, and then click Save.
· To delete the rule, click Delete.

Use Service Groups in Match Criteria

When specifying match criteria for Port, you can use a service group by enabling the Src:Dest and Groups options.

Shaper Tab
Configuration > Templates & Policies > Shaping > Shaper
This report provides a view of the Shaper settings. The Shaper provides a simplified way to globally configure QoS (Quality of Service) on the appliances.

· It shapes traffic by allocating bandwidth as a percentage of the system bandwidth.
· The Shaper's parameters are organized into ten traffic classes. Four traffic classes are preconfigured and named real-time, interactive, default, and best effort.
· The system applies these QoS settings globally after compressing (deduplicating) all the outbound tunnelized and pass-through-shaped traffic, shaping it as it exits to the WAN.
· To manage Shaper settings for an appliance's system-level WAN Shaper, access the Shaper template.
· For minimum and maximum bandwidth, you can configure traffic class values as a percentage of total available system bandwidth and as an absolute value. The appliance always provides the larger of the minimum values and limits bandwidth to the lower of the maximum values.
· Max overrides Min if you set Min Bandwidth to a value greater than Max Bandwidth.

Shaper Tab Settings

Excess Weighting: If there is bandwidth left over after satisfying the minimum bandwidth percentages, the excess is distributed among the traffic classes in proportion to the weightings specified in the Excess Weighting column. Values range from to , .
Interface Shaper: Enables a separate shaper for a specific WAN interface. For WAN optimization, the interface shaper can be used, but it is not recommended. For SD-WAN, it should never be used because overlay traffic is not directed to an interface shaper; traffic is always shaped by the default WAN shaper.
Max Bandwidth %: Limits the maximum bandwidth that a traffic class can use to a percentage of total available system bandwidth.
Max Bandwidth Absolute (kbps): Limits the maximum bandwidth that a traffic class can use to an absolute value (kbps). You can specify a maximum absolute value to cap the bandwidth for downloads and streaming.
Max Wait Time: Any packets waiting longer than the specified Max Wait Time are dropped.
Min Bandwidth %: The percentage of bandwidth guaranteed to each traffic class, allocated by priority. However, if the sum of the percentages is greater than 100%, lower-priority traffic classes might not receive their guaranteed bandwidth if it is all consumed by higher-priority traffic. Max overrides Min if you set Min Bandwidth to a value greater than Max Bandwidth.
Min Bandwidth Absolute (kbps): Guarantees a specific level of service when total system bandwidth declines. This is useful for maintaining the quality of VoIP, for example.
Priority: Determines the order in which to allocate each class' minimum bandwidth: is first, is last.
Rate Limit (kbps): You can set a per-flow rate limit that a traffic class uses by specifying a number in the Rate Limit column. For no limit, use 0 (zero).
Recalc on IF State Changes: When an interface state changes to UP or DOWN, selecting this recalculates the total bandwidth based on the configured bandwidth of all UP interfaces. For example, when wan goes down, wan bandwidth is removed from the total bandwidth when recalculating.
Traffic ID: The number assigned to the traffic class.
Traffic Name: The name assigned to a traffic class, either prescriptively or by the user.
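The min/max, priority and excess-weighting rules in the Shaper settings above, carried through numerically as an added Python example. This is not Orchestrator code and not a description of the appliance's scheduler: the page states the individual rules (larger of the minimums, lower of the maximums, Max overrides Min, minimums by priority, excess by weighting) but not how they interleave, so the two-step model here, the treatment of 0 as "no absolute cap", and the class values are assumptions.

```python
"""Shaper arithmetic from the settings table (added example, not Orchestrator code).

Per class: effective minimum = larger of the percentage-based and absolute minimums;
effective maximum = lower of the two maximums; Max overrides Min when Min > Max.
Minimums are handed out in Priority order (1 first); leftover bandwidth is spread by Excess
Weighting, capped by each class's maximum and offered load. The two-step model is an assumption.
"""
from dataclasses import dataclass


@dataclass
class TrafficClass:
    traffic_id: int
    name: str
    priority: int               # 1 is allocated first
    min_pct: float = 0.0
    min_abs_kbps: float = 0.0
    max_pct: float = 100.0
    max_abs_kbps: float = 0.0   # 0 means no absolute cap (assumption)
    excess_weight: float = 1.0


def effective_limits(tc, system_kbps):
    """(min, max) in kbps after combining percentage and absolute settings."""
    min_bw = max(system_kbps * tc.min_pct / 100.0, tc.min_abs_kbps)
    max_bw = system_kbps * tc.max_pct / 100.0
    if tc.max_abs_kbps:
        max_bw = min(max_bw, tc.max_abs_kbps)
    if min_bw > max_bw:
        min_bw = max_bw         # "Max overrides Min"
    return min_bw, max_bw


def allocate(classes, system_kbps, demand_kbps):
    """demand_kbps: {traffic_id: offered load in kbps}. Returns {traffic_id: allocated kbps}."""
    lim = {tc.traffic_id: effective_limits(tc, system_kbps) for tc in classes}
    cap = {tc.traffic_id: min(lim[tc.traffic_id][1], demand_kbps.get(tc.traffic_id, 0.0))
           for tc in classes}
    alloc = {tc.traffic_id: 0.0 for tc in classes}
    remaining = float(system_kbps)
    # Step 1: guaranteed minimums in Priority order. When the minimums add up to more than the
    # system bandwidth, a lower-priority class only receives what is left.
    for tc in sorted(classes, key=lambda c: c.priority):
        grant = min(lim[tc.traffic_id][0], cap[tc.traffic_id], remaining)
        alloc[tc.traffic_id] += grant
        remaining -= grant
    # Step 2: leftover bandwidth by Excess Weighting; repeat while some class hits its cap.
    while remaining > 1e-9:
        eligible = [tc for tc in classes if alloc[tc.traffic_id] + 1e-9 < cap[tc.traffic_id]]
        total_w = sum(tc.excess_weight for tc in eligible)
        if total_w <= 0:
            break
        granted = 0.0
        for tc in eligible:
            share = min(cap[tc.traffic_id] - alloc[tc.traffic_id],
                        remaining * tc.excess_weight / total_w)
            alloc[tc.traffic_id] += share
            granted += share
        remaining -= granted
    return alloc


# Constructed classes (the page names real-time, interactive, default and best effort).
CLASSES = [
    TrafficClass(1, "real-time", priority=1, min_pct=30, max_pct=50, excess_weight=1),
    TrafficClass(2, "interactive", priority=2, min_pct=20, excess_weight=3),
    TrafficClass(3, "default", priority=3, min_pct=10, min_abs_kbps=2000, excess_weight=5),
    TrafficClass(4, "best-effort", priority=4, max_abs_kbps=1500, excess_weight=1),
]

if __name__ == "__main__":
    result = allocate(CLASSES, 10000, {1: 8000, 2: 8000, 3: 8000, 4: 8000})
    for tc in CLASSES:
        print(f"{tc.name:12} min/max={effective_limits(tc, 10000)} allocated={result[tc.traffic_id]:.0f} kbps")
```

With 10,000 kbps of system bandwidth and every class offering 8,000 kbps, the minimums take 3,000 + 2,000 + 2,000 (the default class's absolute minimum of 2,000 beats its 10% share of 1,000), and the remaining 3,000 is split 1:3:5:1 by weight, which leaves real-time under its 50% cap and best-effort under its 1,500 kbps absolute cap.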


SaaS Optimization Tab
Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization
When SaaS optimization is enabled, the SaaS Optimization tab provides a view of the information retrieved from the Cloud Intelligence Service.

This tab displays the following three buttons:
· Configuration ­ Displays a table of SaaS optimization configurations for the listed appliances.
· Monitoring ­ Displays a table of monitoring information related to SaaS optimization for the listed appliances that have been configured for SaaS optimization.
· Export ­ Exports the displayed table as a .csv file. The exported file depends on whether the SaaS Optimization Configuration table or the SaaS Optimization Monitoring table is displayed when you click this button.

Configure SaaS Optimization

To directly access an appliance, configure the SaaS applications or services you want to optimize, and enable SaaS optimization for the appliance, click the edit icon next to that appliance. The SaaS Optimization dialog box opens.

SaaS Optimization Dialog Box
Use the SaaS Optimization dialog box to optimize your SaaS applications. Descriptions of the three options at the top of the dialog box follow:


· Enable SaaS Optimization ­ Select this check box to enable the appliance to contact the Cloud Intelligence Service and download information about SaaS services.
· RTT Calculation Interval ­ Enter a value to specify how frequently Orchestrator recalculates the Round Trip Time for the enabled applications.
· RTT Ping Interface ­ Select the interface to use to ping the enabled SaaS subnets for Round Trip Times. The default interface is wan .
Descriptions for table columns displayed in the dialog box follow:

Appliance Name: Name of the appliance that you are optimizing applications for.
Optimize: Select this check box to enable SaaS Optimization.
Advertise: If Advertise is selected for a service (for example, SFDC), the appliance will:
    · Ping active SaaS subnets to determine RTT/metric
    · Add subnet sharing entries locally for subnets within RTT threshold
    · Advertise subnets and their metric (within threshold) via subnet sharing to client-side appliances
    · Upon seeing an SFDC flow, generate a substitute certificate for an SFDC SSL domain (one substitute certificate per domain)
    · Auto-generate dynamic NAT rules for SFDC (but not for unchecked services)
RTT Threshold: Amount of time (in ms) allotted that specifies how often Orchestrator will recalculate the Round Trip Time for the enabled applications.
NOTE: You might want to set a higher RTT Threshold value to see a broader scope of reachable data servers for any given SaaS application. As best practice, production RTT Threshold values should not exceed ms.
Domains: Domain names where the SaaS is applied.
SaaS ID: Unique identifier assigned to the SaaS application (for use in SaaS Optimization).

For more detailed information about SaaS optimization, navigate to the SaaS Optimization template.

Application Definitions
Configuration > Templates & Policies > Applications & SaaS > Application Definitions
This tab provides application visibility and control. You can search to determine whether a definition exists for a specific application and, if so, how it is defined.


Orchestrator uses the following eight dimensions to identify and define applications:
· IP Protocol
· UDP Port
· TCP Port
· Domain Name
· Address Map - (Formerly known as IP Intelligence). Given a range of IP addresses, the Address Map reveals the organization that owns the segment, along with the country of origin.
· DPI - Deep Packet Inspection. An expanded list of Orchestrator legacy built-in applications.
· Compound - Created by user from multiple criteria.
· SaaS - Created by user. If any components of the definition change, the user must manually update the definition.

You can use any of these dimensions to define a new application, and you can modify or disable an existing application. Orchestrator automatically checks the Cloud Portal for updated application definitions every hours by default (Auto update set to ON). Application definition data on the Cloud Portal is updated generally once per month. If new definitions are discovered, Orchestrator downloads the data, merges it with the applications, and pushes the changes to appliances in the network. You can also force an update at any time by clicking the Update Now button.
Application Groups Tab
Configuration > Templates & Policies > Applications & SaaS > Application Groups
Application groups associate applications into a common group you can use as MATCH criteria. The applications can be built-in, user-defined, or a combination of both.

· The Group Name cannot be blank.
· Group names are case-insensitive.
· An application group cannot contain another application group.
· A group name followed by * indicates a group defined by a user.
· You cannot change the name of a group provided by Orchestrator, but you can modify the applications those groups contain.

NOTE: To avoid performance issues, it is strongly recommended that you assign an application to no more than three groups.
Threshold Crossing Alerts Tab
Configuration > Templates & Policies > TCAs > Threshold Crossing Alerts
Threshold Crossing Alerts (TCAs) are pre-emptive, configurable alarms triggered when specific thresholds are crossed.

The alerts are triggered with rising and falling threshold crossing events (that is, floor and ceiling levels). For both levels, one value raises the alarm while another value clears it.
· When you configure appliance and tunnel TCAs with an Orchestrator template, all alerts apply globally, so all of an appliance's tunnels have the same alerts.
· To create a tunnel-specific alert, navigate to Configuration > Networking > Tunnels> Tunnels, select the tunnel, click the edit icon to access the tunnel directly, and then click the icon in the Alert Options column. Make your changes, and then click OK.
· To view globally applied system and tunnel alerts, click System.
· To view alerts that are specific to an individual tunnel, click Tunnel.

Times to Trigger - A value of triggers an alarm on the first threshold crossing instance.
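The rising/falling raise-and-clear behaviour and Times to Trigger described above, as an added Python example of the alarm state machine. This is not Orchestrator code: the inclusive comparisons, the choice to track the rising and falling alarms independently, and the sample thresholds (a percentage metric such as tunnel utilization) are assumptions.

```python
"""Threshold Crossing Alert state machine (added example, not Orchestrator code).

A TCA has a rising pair (raise when the metric climbs to or above Rising Raise, clear when it
drops to or below Rising Clear) and a falling pair (raise at or below Falling Raise, clear at
or above Falling Clear). Times to Trigger is the number of consecutive crossing samples needed
before the alarm is raised; 1 raises on the first crossing. Inclusive comparisons and the
independence of the two alarms are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Tca:
    name: str
    rising_raise: Optional[float] = None
    rising_clear: Optional[float] = None
    falling_raise: Optional[float] = None
    falling_clear: Optional[float] = None
    times_to_trigger: int = 1
    enabled: bool = True


@dataclass
class TcaState:
    rising_alarm: bool = False
    falling_alarm: bool = False
    rising_count: int = 0      # consecutive samples at/above Rising Raise
    falling_count: int = 0     # consecutive samples at/below Falling Raise


def update(tca: Tca, state: TcaState, sample: float) -> List[str]:
    """Feed one sample; return the alert events it produces (possibly none)."""
    events = []
    if not tca.enabled:
        return events
    if tca.rising_raise is not None:
        if not state.rising_alarm:
            state.rising_count = state.rising_count + 1 if sample >= tca.rising_raise else 0
            if state.rising_count >= tca.times_to_trigger:
                state.rising_alarm, state.rising_count = True, 0
                events.append(f"{tca.name}: rising alarm RAISED at {sample}")
        elif tca.rising_clear is not None and sample <= tca.rising_clear:
            state.rising_alarm = False
            events.append(f"{tca.name}: rising alarm CLEARED at {sample}")
    if tca.falling_raise is not None:
        if not state.falling_alarm:
            state.falling_count = state.falling_count + 1 if sample <= tca.falling_raise else 0
            if state.falling_count >= tca.times_to_trigger:
                state.falling_alarm, state.falling_count = True, 0
                events.append(f"{tca.name}: falling alarm RAISED at {sample}")
        elif tca.falling_clear is not None and sample >= tca.falling_clear:
            state.falling_alarm = False
            events.append(f"{tca.name}: falling alarm CLEARED at {sample}")
    return events


def run(tca: Tca, samples):
    """Replay a series of samples; return (final state, all events in order)."""
    state, events = TcaState(), []
    for s in samples:
        events += update(tca, state, s)
    return state, events


# Constructed example: a utilization-style TCA in percent that needs two consecutive crossings.
UTIL = Tca("Tunnel utilization", rising_raise=80, rising_clear=60,
           falling_raise=10, falling_clear=20, times_to_trigger=2)

if __name__ == "__main__":
    _, evts = run(UTIL, [85, 70, 85, 85, 70, 55, 5, 5, 15, 25])
    print("\n".join(evts))
```

The gap between the raise and clear values is what keeps a metric hovering around a single threshold from flapping: in the sample series, 70 is below Rising Raise but above Rising Clear, so the alarm stays up until the metric falls to 55.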

ON by Default
· Appliance Capacity - Triggers when an appliance reaches % of its total flow capacity. It is not configurable and can be cleared only by an operator.
· File-system utilization - Percent of non-Network Memory disk space filled by the appliance. This TCA cannot be disabled.
· Tunnel latency - Measured in milliseconds, the maximum latency of a one-second sample within a -second span.

OFF by Default
· LAN-side receive throughput - Based on a one-minute average, the LAN-side receive TOTAL for all interfaces.
· WAN-side transmit throughput - Based on a one-minute average, the WAN-side transmit TOTAL for all interfaces.
· TCAs based on an end-of-minute count:
  - Total number of flows
  - Total number of optimized flows
· TCAs based on a one-minute average:
  - Tunnel loss pre-FEC
  - Tunnel loss post-FEC
  - Tunnel OOP pre-POC
  - Tunnel OOP post-POC
  - Tunnel reduction
  - Tunnel utilization (based on percent of configured maximum [system] bandwidth)

Threshold Crossing Alerts Edit Row

Click any cell in the table to edit and configure the Threshold Crossing Alerts. This table lists the defaults of each type of threshold crossing alert. Default Values are listed in the order Rising Raise; Rising Clear; Falling Raise; Falling Clear.

Appliance Level
WAN-side transmit throughput: Default OFF. Default Values: Gbps; Gbps; ;
LAN-side receive throughput: Default OFF. Default Values: Gbps; Gbps; ;
Total number of optimized flows: Default OFF. Default Values: , , , ;;
Total number of flows: Default OFF. Default Values: , , , ;;
File-system-utilization: Default ON (cannot be disabled). Default Values: %; %; %; %

Tunnel Level
Tunnel latency: Default ON. Default Values: ; ;;
Tunnel loss pre-FEC: Default OFF. Default Values: %; %; %; %
Tunnel loss post-FEC: Default OFF. Default Values: %; %; %; %
Tunnel OOP pre-POC: Default OFF. Default Values: %; %; %; %
Tunnel OOP post-POC: Default OFF. Default Values: %; %; %; %
Tunnel utilization: Default OFF. Default Values: %; %; %; %
Tunnel reduction: Default OFF. Default Values: %; %; %; %

IP SLA Tab

Configuration > Templates & Policies > TCAs > IP SLA
Using a polling process, IP SLA (Internet Protocol Service Level Agreement) tracking provides the ability to generate specific actions in the network that are completely dependent on the state of an IP interface or tunnel. The goal is to prevent black-holed traffic. For example, associated IP subnets could be removed from the subnet table, and also from subnet sharing, if the LAN-side interfaces on an appliance go down.
This tab displays all of the IP SLA rules configured on the selected appliances. To add or modify rules, click the edit icon to the left of any row in the table.

IP SLA Monitoring Use Cases

The following examples describe five basic use cases for IP SLA monitoring.

Example # - Ping via Interface


· Two passthrough tunnels configured for Internet breakout and High Availability.
· If the Primary passthrough tunnel goes down, traffic goes to Backup tunnel.
· The IP SLA Rule would look like this, with the same tunnel specified for the Down and Up Actions.

Example # - HTTP/HTTPS via Interface

· Two passthrough tunnels configured for Internet breakout and High Availability.
· If the Primary passthrough tunnel goes down, traffic goes to Backup tunnel.
· The IP SLA Rule would look like this, with the same tunnel specified for the Down and Up Actions.


· In the URL(s) field, the protocol identifier is required only when specifying HTTPS, as in __https://__www.google.com.
Example # ­ Monitor Interface (LAN )
Aruba EdgeConnect SD-WAN Edge Platform

Using Aruba Orchestrator - . .

January ,

· On EdgeConnect - A, we want subnet advertising to be conditional on LAN being up.
· Its IP SLA Rule would look like this, with the Default Subnet Action being to resume advertising subnets.

Example # ­ Monitor Interface (WAN ) to Ensure High Availability
· If WAN goes down on the VRRP Master, we want to decrease its Priority so that tra ic goes to the VRRP Backup.
Aruba EdgeConnect SD-WAN Edge Platform

Using Aruba Orchestrator - . .

January ,

· Its IP SLA Rule would look like this, with the Default Subnet Action being to revert to the original Priority.

NOTE: In this instance, the WAN interface was given the label MPLS to match the service to which it connected. Example # ­ Monitor VRRP
Aruba EdgeConnect SD-WAN Edge Platform

Using Aruba Orchestrator - . .

January ,

· To monitor the VRRP router state, use VRRP Monitor and specify the interface on which the VRRP instance is configured.
In this example, it is LAN .
· Here we are looking at an instance where the VRRP role changes, but priority does not, for whatever reason.
· Its IP SLA Rule would look like this, with the Default Subnet Action being to revert to the original Priority.

NOTE: In this instance, the WAN interface was given the label MPLS to match the service to which it connected. · Another option would be to specify Down Action = Modify Subnet Metric. The Web UI automatically produces another field in which you can add a positive value to the current subnet metric. Up Action = Default Subnet Action would return the subnet metric to its original value.
Aruba EdgeConnect SD-WAN Edge Platform

Using Aruba Orchestrator - . .

January ,

IP SLA Edit Row
Use this dialog box to set rules to your IP SLA. Define the Monitor and Actions by completing the following steps.

Monitor
There are four options to choose from for a Monitor:

Option: Description
Interface: Monitors the operational status of a specific local interface.
Ping: Monitors the reachability of a specific IPv address.
HTTP/HTTPS: Monitors the reachability of an HTTP/HTTPS endpoint.
VRRP Monitor: Monitors the VRRP router state (TRUE if Master; FALSE if Backup) for a VRRP instance(s) on an interface.

Based on the Monitor chosen, the Web UI displays the appropriate fields and options.

Actions
There are eight available Down Actions:

Down Action: Description
Remove Auto Subnet: Remove from the subnet table an auto subnet for a port (including all VLAN and subinterface subnets).
Increase VRRP Priority: Increase the configured VRRP router priority by a delta amount.
Decrease VRRP Priority: Decrease the configured VRRP router priority by a delta amount.
Enable Tunnel: Enable a passthrough (internet breakout) tunnel Up for IP Tracking (SLA) purposes.
Disable Tunnel: Disable a passthrough (internet breakout) tunnel Up for IP Tracking (SLA) purposes. The tunnel no longer can be used for load balancing purposes (when load balancing traffic between multiple passthrough tunnels), although it still can be used as a last resort for traffic forwarding.
Disable Subnet Sharing: Disable subnet sharing of subnets to other EdgeConnect peers on the appliance.
Modify Subnet Metric: Add a metric delta to the metric of all subnets shared with EdgeConnect peers.
Advertise Subnets: Advertise subnets to EdgeConnect peers.

There are two default Up Actions:

Up Action: Description
Default Subnet Action: This reverts whatever was the Down Action back to the normal state. Examples:
- If Down Action = Disable Subnet Sharing, the Up Action re-enables Subnet Sharing.
- If Down Action = Remove Auto Subnets, the Up Action re-adds the auto subnet.
- If Down Action = Modify Subnet Metric, the Up Action restores subnet metrics to their original values.
VRRP Default: Reverts the VRRP priority back to the configured value.

NOTE: If a default Up Action is used, it must match the Down Action.

Configuration > Templates
The options under Configuration > Templates focus on setting up a variety of templates that you can apply to various aspects of Orchestrator, and on applying template groups.

Templates Overview
Use templates to manage and assign common configuration parameters to appliances.
CAUTION: After saving, templates are applied automatically and replace all settings on an appliance with those configured in the template. Some templates support a MERGE option. Refer to the Help for more information.
· You can edit only a template that appears under Active Templates.
· Click Show All > to view available templates that are not part of the selected template group.
· To add a template to Active Templates, double-click it or drag it from Available Templates.
· Click a template under Active Templates to modify it.
· To save the current Active Templates as a new template group, click Save As.

Template Groups
A Template Group contains one or more templates you can assign to some or all of the appliances in your network.
· To create a template group, click +Add below the template group drop-down list.
· When you apply a template group to an appliance, Orchestrator automatically keeps the templates in the group in sync with the appliance.
· To apply template groups, click Apply Template Groups at the bottom of the page. This will bring you to the Apply Templates tab where you can permanently associate appliances with specific template groups.
· When returning to the Templates page, Orchestrator displays the last template group viewed.

System Template
Use this template to configure system-level features.

Optimization

Field: Description
IP ID auto optimization: Enables any IP flow to automatically identify the outbound tunnel and gain optimization benefits. Enabling this option reduces the number of required static routing rules (route map policies).
TCP auto optimization: Enables any TCP flow to automatically identify the outbound tunnel and gain optimization benefits. Enabling this option reduces the number of required static routing rules (route map policies).

Flows and tunnel failure: If there are parallel tunnels and one fails, Dynamic Path Control determines where to send the flows. There are three options:
- fail-stick: When the failed tunnel comes back up, the flows do not return to the original tunnel. They stay where they are.
- fail-back: When the failed tunnel comes back up, the flows return to the original tunnel.
- disable: When the original tunnel fails, the flows are not routed to another tunnel.

Network Memory

Field: Description
Encrypt data on disk: Enables encryption of all the cached data on the disks. Disabling this option is not recommended.

Excess Flow Handling

Field: Description
Excess flow policy: Specifies what happens to flows when the appliance reaches its maximum capacity for optimizing flows. The default is to bypass flows. Or, you can choose to drop the packets.

NextHop Health Check

Field: Description
Enable Health check: Activates pinging of the next hop router.
Retry count: Specifies the number of ICMP echoes to send without receiving a reply before declaring that the link to the WAN next hop router is down.
Interval: Specifies the number of seconds between each ICMP echo sent.
Hold down count: If the link has been declared down, this specifies how many successful ICMP echoes are required before declaring that the link to the next hop router is up.

Miscellaneous

Field: Description
SSL optimization for non-IPSec tunnels: Specifies whether the appliance should perform SSL optimization when the outbound tunnel for SSL packets is not encrypted (for example, a GRE or UDP tunnel). To enable Network Memory for encrypted SSL-based applications, you must provision server certificates by using the Orchestrator. This activity can apply to the entire distributed network of EdgeConnect appliances or just to a specified group of appliances.
Bridge Loop Test: Only valid for virtual appliances. When enabled, the appliance can detect bridge loops. If it detects a loop, the appliance stops forwarding traffic and raises an alarm. Appliance alarms include recommended actions.
Always send pass-through traffic to original sender: If the tunnel goes down when using WCCP and PBR, traffic that was intended for the tunnel is sent back the way it came.
Enable default DNS lookup: Enables the default DNS server to be included with other configured DNS servers for associating cloud portal domain names to network IP addresses.
Enable HTTP/HTTPS snooping: Enables a more granular application classification of HTTP/HTTPS traffic by inspection of the HTTP/HTTPS header, Host. This is enabled by default.
Quiescent tunnel keep alive time: Specifies the rate at which to send keep alive packets after a tunnel has become idle (quiescent mode). The default is seconds.
UDP flow timeout: Specifies how long to keep the UDP session open after traffic stops flowing. The default is seconds ( minutes).
Non-accelerated TCP Flow Timeout: Specifies how long to keep the TCP session open after traffic stops flowing. The default is seconds ( minutes).
Maximum TCP MSS: Maximum Segment Size. The default value is bytes. This ensures that packets are not dropped for being too large. You can adjust the value ( to ) to lower a packet's MSS.
NAT-T keep alive time: If a device is behind a NAT, this specifies the rate at which to send keep alive packets between hosts to keep the mappings in the NAT device intact.
Tunnel Alarm Aggregation Threshold: Specifies the number of alarms to allow before alerting the tunnel alarm.
Maintain end-to-end overlay mapping: Enforces the same overlay to be used end-to-end when traffic is forwarded on multiple nodes.
IP Directed Broadcast: Allows an entire network to receive data that only the target subnet initially receives.
Allow WAN to WAN routing: Redirects inbound LAN traffic back to the WAN.

Auth/Radius/TACACS+ Template

EdgeConnect appliances support user authentication and authorization as a condition of providing access rights.
· Authentication is the process of validating that the end user, or a device, is who they claim to be.
· Authorization is the action of determining what a user is allowed to do. Generally, authentication precedes authorization.
· Map order refers to the order in which the authorization servers are queried.
· The configuration specified for authentication and authorization applies globally to all users accessing that appliance.
· If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs them out and returns them to the login page. You can change that value, as well as the maximum number of sessions, in the Session Management template.

Authentication and Authorization

To provide authentication and authorization services, EdgeConnect appliances:

· Support a built-in, local database.
· Can be linked to a RADIUS (Remote Authentication Dial-In User Service) server.
· Can be linked to a TACACS+ (Terminal Access Controller Access Control System) server.

Both RADIUS and TACACS+ are client-server protocols.

Local User Database

· The local, built-in user database supports user names, groups, and passwords.
· The two user groups are admin and monitor. You must associate each user name with one or the other. Neither group can be modified or deleted.
· The monitor group supports reading and monitoring of all data, in addition to performing all actions. This is equivalent to the Command Line Interface's (CLI) enable mode privileges.
· The admin group supports full privileges, along with permission to add, modify, and delete. This is equivalent to the Command Line Interface's (CLI) configuration mode privileges.

RADIUS
· RADIUS uses UDP as its transport.
· With RADIUS, the authentication and authorization functions are coupled together.
· RADIUS authentication requests must be accompanied by a shared secret. The shared secret must be the same as defined in the RADIUS setup. Refer to your RADIUS documentation for details.
· IMPORTANT: Configure your RADIUS server's priv levels within the following ranges:
- admin =
- monitor = -

TACACS+
· TACACS+ uses TCP as its transport.
· TACACS+ provides separated authentication, authorization, and accounting services.
· Transactions between the TACACS+ client and TACACS+ servers are also authenticated through the use of a shared secret. Refer to your TACACS+ documentation for details.
· IMPORTANT: Configure your TACACS+ server's roles to be admin and monitor.

Recommendations
· Use either RADIUS or TACACS+, but not both.
· For Authentication Order, configure the following:
- First: Remote first.
- Second: Local. If not using either, then None.
- Third: None.
· When using RADIUS or TACACS+ to authenticate users, configure Authorization Information as follows:
- Map Order: Remote First
- Default Role: admin

Flow Export Template
You can configure your appliance to export statistical data to NetFlow and IPFIX collectors.
· The appliance exports flows against two virtual interfaces, sp_lan and sp_wan, that accumulate the total of LAN-side and WAN-side traffic, regardless of physical interface.
· These interfaces appear in SNMP and are, therefore, "discoverable" by NetFlow and IPFIX collectors.
· Enable Flow Exporting allows the appliance to export the data to collectors (and makes the configuration fields accessible).
· The Collector's IP Address is the IP address of the device to which you are exporting the NetFlow/IPFIX statistics. The default Collector Port is .
· In Traffic Type, you can select as many of the traffic types as you want. The default is WAN TX.

Logging Template
Use this template to configure local and remote logging parameters. Each requires that you specify the minimum severity level of event to log.

· Set up local logging in the Log Configuration section.
· Set up remote logging by using the Log Facilities Configuration and Remote Log Receivers sections.

Minimum Severity Levels

In decreasing order of severity, the levels are as follows.

Severity Level: Description
__EMER__GENCY: System is unusable.
ALERT: Includes all alarms the appliance generates: CRITICAL, MAJOR, MINOR, and WARNING.
__CRIT__ICAL: Critical event.
__ERR__OR: An error. This is a non-urgent failure.
WARNING: A warning condition. Indicates an error will occur if action is not taken.
NOTICE: A normal, but significant, condition. No immediate action required.
__INFO__RMATIONAL: Informational. Used by Silver Peak for debugging.
DEBUG: Used by Support for debugging.
NONE: If you select NONE, no events are logged.

· The bolded part of the name is what displays in the log files.
· If you select NOTICE (the default), the log records any event with a severity of NOTICE, WARNING, ERROR, CRITICAL, ALERT, and EMERGENCY.
· These are purely related to event logging levels, not alarm severities, even though some naming conventions overlap. Events and alarms have different sources. Alarms, after they clear, list as the ALERT level in the Event Log.

Configuring Remote Logging

· You can configure the appliance to forward all events, at and above a specified severity, to a remote syslog server.
· A syslog server is independently configured for the minimum severity level that it will accept. Without reconfiguring, it might not accept as low a severity level as you are forwarding to it.
· In the Log Facilities Configuration section, assign each message/event type (System / Audit / Flow) to a syslog facility level (local to local ).
· For each remote syslog server that you add to receive the events, specify the receiver's IP address, along with the messages' minimum severity level and facility level.
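The two-stage filtering described above (the appliance's own minimum severity, then each receiver's independently configured minimum) as an added Python model; this is not EdgeConnect or Orchestrator code. Facility and severity numbers follow standard syslog coding, while the receivers, the facility assignments and the event lines are constructed for the illustration.

```python
"""Added example, not EdgeConnect or Orchestrator code.

Models the two independent severity filters the Logging template describes:
the appliance's own minimum severity (Log Configuration) and each remote
syslog receiver's minimum severity, plus the facility assigned per message
type in Log Facilities Configuration. Facility and severity numbers follow
standard syslog coding (RFC 5424); receivers, facility assignments and
event lines are constructed for this illustration.
"""
from dataclasses import dataclass

# Levels in decreasing order of severity; list index == syslog severity code.
SEVERITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
              "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"]
# The bolded part of each name, which is what appears in the log files.
LOG_TAGS = {"EMERGENCY": "EMER", "ALERT": "ALERT", "CRITICAL": "CRIT",
            "ERROR": "ERR", "WARNING": "WARNING", "NOTICE": "NOTICE",
            "INFORMATIONAL": "INFO", "DEBUG": "DEBUG"}
# Standard syslog facility codes for local0 .. local7.
LOCAL_FACILITIES = {f"local{i}": 16 + i for i in range(8)}


def severity_code(name: str) -> int:
    """Numeric syslog severity; a lower number is more severe."""
    return SEVERITIES.index(name.upper())


def accepted(min_severity: str, event_severity: str) -> bool:
    """True if an event passes a filter whose minimum level is min_severity.
    NONE means nothing is logged at all."""
    if min_severity.upper() == "NONE":
        return False
    return severity_code(event_severity) <= severity_code(min_severity)


def syslog_pri(facility: str, severity: str) -> int:
    """PRI value in the syslog header: facility * 8 + severity."""
    return LOCAL_FACILITIES[facility] * 8 + severity_code(severity)


@dataclass(frozen=True)
class Event:
    msg_type: str    # System, Audit or Flow
    severity: str
    text: str


@dataclass(frozen=True)
class Receiver:
    host: str
    min_severity: str   # configured on the receiver itself, not on the appliance


def forward_events(events, appliance_min, facility_map, receivers):
    """Apply both filters.

    Returns ({host: [(pri, line), ...]}, [(host, event), ...]): what each
    receiver keeps, and the events the appliance forwarded but the receiver
    discarded because its own minimum severity is stricter."""
    kept = {r.host: [] for r in receivers}
    dropped_at_receiver = []
    for ev in events:
        if not accepted(appliance_min, ev.severity):
            continue                        # filtered before leaving the appliance
        pri = syslog_pri(facility_map[ev.msg_type], ev.severity)
        line = f"<{pri}>{LOG_TAGS[ev.severity.upper()]} {ev.msg_type}: {ev.text}"
        for r in receivers:
            if accepted(r.min_severity, ev.severity):
                kept[r.host].append((pri, line))
            else:
                dropped_at_receiver.append((r.host, ev))
    return kept, dropped_at_receiver


def demo():
    """Appliance at the NOTICE default; one receiver at NOTICE, one at WARNING."""
    facility_map = {"System": "local0", "Audit": "local1", "Flow": "local2"}
    receivers = [Receiver("siem-a", "NOTICE"), Receiver("siem-b", "WARNING")]
    events = [  # constructed sample events
        Event("System", "NOTICE", "tunnel to branch-1 came up"),
        Event("Audit", "WARNING", "login failure for user monitor"),
        Event("Flow", "INFORMATIONAL", "new flow 10.0.0.5 -> 10.0.1.7"),
        Event("System", "ALERT", "alarm cleared: tunnel down"),
    ]
    return forward_events(events, "NOTICE", facility_map, receivers)


if __name__ == "__main__":
    kept, dropped = demo()
    for host, lines in kept.items():
        print(host, [ln for _, ln in lines])
    print("forwarded but discarded by receiver:",
          [(h, e.severity) for h, e in dropped])
```

The NOTICE event reaches siem-b but is discarded there, which is exactly the mismatch the second bullet above warns about.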

Banner Messages Template
· The Login Message appears before the login prompt.
· The Message of the Day appears after a successful login.

HTTPS Certificate Template
The VXOA software includes a self-signed certificate that secures the communication between the user's browser and the appliance. You also have the option to install your own custom certificate, acquired from a certificate authority (CA).

To use a custom certificate with a specific appliance:
1. Consult with your IT security team to generate a certificate signing request (CSR), and submit it to your organization's chosen SSL Certificate Authority (CA). Examples of Certificate Authorities include GoDaddy, Verisign, Comodo, Symantec, Microsoft, Entrust, GeoTrust, and so forth.
· For a list of what is supported, refer to EdgeConnect and Orchestrator Security Algorithms.
· All certificate and key files must be in PEM format.
2. After the Certificate Authority provides a CA-verified certificate:
· If your IT security team advises the use of an Intermediate CA, use an Intermediate Certificate File. Otherwise, skip this file.
· Load the Certificate File from the CA.
· Upload the Private Key File that was generated as part of the CSR.
3. To associate the CA-verified certificate for use with Orchestrator, click Add.
User Management Template
Use this tab to manage the default users and, if desired, require a password with the highest user privilege level when using the Command Line Interface.

Default User Accounts

· Each appliance has two default user accounts, admin and monitor, that cannot be deleted.
· You can, however, assign a new password to either one and apply it to any appliances you want.

CLI Password

· The Command Line Interface (CLI) for physical EdgeConnect appliances has three command modes. In order of increasing permissions, they are User EXEC Mode, Privileged EXEC Mode, and Global Configuration Mode.
· When you first log in to an EdgeConnect appliance via a console port, you are in User EXEC Mode. This provides access to commands for many non-configuration tasks, such as checking the appliance status.
· To access the next level, Privileged EXEC Mode, you would enter the enable command. With this template, you can choose to associate and enforce a password with the enable command.

DNS Template
A Domain Name Server (DNS) stores the IP addresses with their associated domain names. It enables you to reference locations by domain name, such as mycompany.com, instead of using the routable IP address.

· You can configure up to three name servers.
· Under Domain Names, add the network domains to which your appliances belong.

Date/Time Setting
Configure an appliance's date and time manually, or complete the following steps to configure it to use an NTP (Network Time Protocol) server.
1. From the Time Zone list, select the appliance's geographical location.
2. If you select Manual, the appliance is matched to your web client system when the template is applied. This eliminates the delay between configuring time manually and applying the template.
3. To use an NTP server, select NTP Time Synchronization and complete the following steps.
   a. Click Add.
   b. Enter the IP address or host name of the server.
   c. Select the version of NTP protocol to use.
NOTE: The server is selected in the order listed when you list more than one NTP server.

Data Collection
· Orchestrator collects and puts all statistics in its own database in Coordinated Universal Time (UTC).
· When a user views statistics, the appliance (or Orchestrator server) returning the statistics always presents the information relative to the browser time zone.

SNMP Template
EdgeConnect appliances support Management Information Base (MIB-II) as described in RFC for cold start traps, warm start traps, and EdgeConnect private MIBs. Appliances issue an SNMP trap during reset when loading a new image, recovering from a crash, or rebooting. An appliance sends a trap every time an alarm is raised or cleared. Traps contain additional information about alarms, including severity, sequence number, a text-based description of the alarm, and the time the alarm was created. For more information, you can download a .zip archive containing supported MIBs here. Use this page to configure the appliance's SNMP agent and trap receivers.
1. Select the Enable SNMP check box to activate configuration options for SNMP v1/v2c, SNMP v3, and Trap Receivers details.
2. If you select the Enable SNMP Traps check box, the SNMP agent on the appliance sends traps to configured receivers.
3. Use the Default Trap Community field to specify the string the trap receiver uses to accept traps being sent to it. The default value is public. You can modify this value.

SNMP v1/v2c
Configure the following fields for SNMP v1 and v2c.

Field: Description
Enable SNMP: Allows the SNMP agent on the appliance to send traps to configured receivers.
Read-Only Community: The SNMP application needs to present this text string (secret) to poll the appliance's SNMP agent. The default value is public. You can modify this value.

SNMP v3
For additional security, configure SNMP v3 if you want to authenticate without using clear text. To add an SNMP v3 user, click Add above the SNMP v3 table and configure the following properties:

Field: Description
Enabled: Select this check box to enable the selected user. Clear this check box to disable the user and maintain the configuration.
Username: Enter the username to identify the SNMP v3 user.
Authentication Type: Select the authentication type to use for SNMP requests from the user. NOTE: Authentication type is required and SHA- is the only supported algorithm.
Authentication Password: Enter a password that the SNMP agent can use to authenticate requests sent by the user. NOTE: The password must be at least characters long.
Privacy Type: Select the encryption type to use for encrypting requests from the SNMP user. NOTE: Encryption is required, and AES- is the only supported algorithm.
Privacy Password: Enter a password (key) to use for encrypting requests sent by the user. NOTE: The password must be at least characters long.

NOTE: To delete an SNMP v3 user, click the X to the right of the entry in the table.

Trap Receivers
To configure a trap receiver, click Add above the Trap Receivers table and configure the following properties:
NOTE: You can configure up to three trap receivers per appliance.

Field: Description
Host: IP address of the host where traps should be sent.
Version: Select the SNMP version of the trap receiver.
Community/Username: For v1 and v2c, enter the community string the receiver should use to accept traps. If left blank, the default community string (public) is used. If a different community string is configured on the trap receiver, enter it here. For v3, specify the SNMP v3 user that is sending traps to the receiver.
Enabled: Select this check box to enable the receiver. Clear this check box to disable the receiver and maintain the configuration.

NOTE: To delete a receiver, click the X to the right of the entry in the table.

SSL Certificates Template
Use this page for SSL Certificates when the server is part of your enterprise network and has its own enterprise SSL certificates and key pairs.
NOTE: To decrypt SSL for SaaS (cloud-based) services, use the SSL for SaaS template.

EdgeConnect provides deduplication for Secure Socket Layer (SSL) encrypted WAN traffic by supporting the use of SSL certificates and other keys:
· EdgeConnect decrypts SSL data using the configured certificates and keys, optimizes the data, and transmits data over an IPSec tunnel. The peer EdgeConnect appliance uses configured SSL certificates to re-encrypt data before transmitting.
· Peers that exchange and optimize SSL traffic must use the same certificate and key.
· Use this template to provision a certificate and its associated key across multiple appliances.
- You can add either a PFX certificate (generally, for Microsoft servers) or a PEM certificate.
- The default is PEM when PFX Certificate File is deselected.
- If the key file has an encrypted key, enter the passphrase needed to decrypt it.
· Before installing the certificates, you must do the following:
- Configure the tunnels bilaterally for IPSec (or IPSec UDP) mode. To do so, access the Configuration > Networking > Tunnels > Tunnels page, select the tunnel, and for Mode, select IPSec.
- Verify that TCP acceleration and SSL acceleration are enabled. To do so, access the Configuration > Templates & Policies > Optimization Policies page, and then review the Set Actions.
· If you choose to be able to decrypt the flow, optimize it, and send it in the clear between appliances, access the System template and select SSL optimization for non-IPSec tunnels.
TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, click here.

SSL CA Certificates Template
If the enterprise certificate you used for signing substitute certificates is subordinate to higher-level Certificate Authorities (CA), you must add those CA certificates here. If the browser cannot validate up the chain to the root CA, it will warn you that it cannot trust the certificate.

TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, click here.

SSL for SaaS Template
To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it. To do so, the appliance generates a substitute certificate that then must be signed by a Certificate Authority (CA).

There are two possible signers:
· For a Built-In CA Certificate, the signing authority is Silver Peak.
- The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of Concept (POC) and when compliance is not a big concern.
- To avoid browser warnings, follow up by importing the certificate into the browser from the client-side appliance.
· For a Custom CA Certificate, the signing authority is the Enterprise CA.
- If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from here.
- If this substitute certificate is subordinate to a root CA certificate, also install the higher-level SSL CA certificates (into the SSL CA Certificates template) so that the browser can validate up the chain to the root CA.
- If you do not already have a subordinate CA certificate, you can access any appliance's Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization page and generate a Certificate Signing Request (CSR).

TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, click here.

Tunnels Template
NOTE: If you are deploying an SD-WAN network, the Business Intent Overlays (BIOs) govern tunnel properties. In this case, you do not need this template.
If you are not creating overlays, use this template to assign and manage tunnel properties.
· Tunnel templates can be applied to any appliances (with or without tunnels). However, only existing tunnels can accept the template settings. To enable an appliance to apply these same settings to future tunnels, select Make these the Defaults for New Tunnels.
· To view, edit, and delete tunnels, use the Tunnels tab. The Mode selected determines the tabs that display.

Tunnels Template Settings

Field: Description
Admin state: Indicates whether the tunnel has been set to admin Up or Down.
Auto discover MTU enabled: Allows an appliance to determine the best MTU to use.
Auto max BW enabled: When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth.
DSCP: Determines the DSCP marking that the keep-alive messages should use.
Fastfail Thresholds: When multiple tunnels are carrying data between two appliances, this feature determines how quickly to disqualify a tunnel from carrying data.
The Fastfail connectivity detection algorithm for the wait time from receipt of the last packet before declaring a brownout is:

Twait = Base + N * RTTavg

where Base is a value in milliseconds, and N is the multiplier of the average Round Trip Time over the past minute. For example, if Base = 200 ms, N = 2, and RTTavg = 50 ms, then the appliance declares a tunnel to be in brownout if it does not see a reply packet from the remote end within 300 ms of receiving the most recent packet.
In the Tunnel Advanced Options, Base is expressed as Fastfail wait-time base offset (ms), and N is expressed as Fastfail RTT multiplication factor.
Fastfail enabled: This option is triggered when a tunnel's keepalive signal does not receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keepalive reply, its recovery is instantaneous.
- If set to disable, keepalives are sent every second, and seconds elapse before failover. In that time, all transmitted data is lost.
- If set to enable, keepalives are sent every second, and a missed reply increases the rate at which keepalives are sent from one per second to ten per second. Failover occurs after one second.
- When set to continuous, keepalives are continuously sent at ten per second. Therefore, failover occurs after one tenth of a second.
Thresholds for Latency, Loss, or Jitter are checked once every second.
Receiving three successive measurements that exceed the threshold puts the tunnel into a brownout situation, and flows will attempt to fail over to another tunnel within the next ms.
Receiving three successive measurements that drop below the threshold takes the tunnel out of brownout.

FEC
    Forward Error Correction can be set to enable, disable, or auto.
FEC ratio
    An option when FEC is set to auto that specifies the maximum ratio. The options are : , : , : , or : .
IPSec anti-replay window
    Select a size from the drop-down list, or Disable to disable the IPSec anti-replay window. If a size is selected, each encrypted packet is assigned a unique sequence number, which protects against an attacker replaying (duplicating) encrypted packets.
IPSec pre-shared key
    A shared, secret string of Unicode characters used to authenticate an IPSec connection between two parties.
Mode
    Indicates whether the tunnel protocol is udp, gre, or ipsec.
MTU
    Maximum Transmission Unit (MTU) is the largest possible unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is bytes. MTUs up to bytes are supported. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting.
Reorder wait
    Maximum time (in ms) the appliance holds an out-of-order packet when attempting to reorder. The default value (in ms) should be adequate for most situations. FEC can introduce out-of-order packets if the reorder wait time is not set high enough.
Retry count
    Number of failed keep-alive messages that are allowed before the appliance brings the tunnel down.
UDP destination port
    Used in UDP mode. Accept the default value unless the port is blocked by a firewall.
UDP flows
    Used in UDP mode. Number of flows over which to distribute tunnel data. Accept the default.
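To show what the IPSec anti-replay window buys you, here is an added example (not Orchestrator or appliance code) of a sliding-window replay check in the style of RFC 4303: the window size stands for the field's configurable size, None models the Disable choice, and the packet sequence numbers fed in are constructed.

```python
class AntiReplayWindow:
    """Accept each ESP sequence number at most once, using a sliding window.

    window_size=None models the 'Disable' option: every packet is accepted,
    including exact duplicates. Otherwise a bitmap remembers which of the
    last window_size sequence numbers have already been seen.
    """

    def __init__(self, window_size):
        if window_size is not None and window_size < 1:
            raise ValueError("window size must be >= 1, or None to disable")
        self.window_size = window_size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => (highest - i) already seen

    def check_and_update(self, seq):
        """Return True if seq is fresh (and record it); False for a replayed
        or too-old sequence number."""
        if seq <= 0:
            return False      # ESP sequence numbers start at 1
        if self.window_size is None:
            return True       # anti-replay disabled: duplicates pass through
        if seq > self.highest:
            # New high-water mark: slide the window forward.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1                  # everything older drops out
            else:
                full = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & full
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            return False      # older than the window: cannot verify, reject
        mask = 1 << offset
        if self.bitmap & mask:
            return False      # already seen inside the window: replay
        self.bitmap |= mask   # late but legitimate out-of-order packet
        return True


def replay_demo(window_size, seqs):
    """Run a constructed list of sequence numbers through one window and
    return the accept/reject verdict for each."""
    win = AntiReplayWindow(window_size)
    return [win.check_and_update(s) for s in seqs]
```

With a 64-packet window the duplicate of 2 and the stale 5 and 6 (after the jump to 70) are rejected while the late 199 and 137 are still accepted; with the window disabled every packet, duplicates included, is accepted.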

VRRP Template
Use this template to distribute common parameters for appliances deployed with Virtual Router Redundancy Protocol (VRRP).

In an out-of-path deployment, one method for redirecting traffic to the EdgeConnect appliance is to configure VRRP on a common virtual interface. Possible scenarios are:
· When no spare router port is available, a single appliance uses VRRP to peer with a router (or Layer 3 switch). This is appropriate for an out-of-path deployment in which no redundancy is needed.
· A pair of active, redundant appliances use VRRP to share a common, virtual IP address at their site. This deployment assigns one appliance a higher priority than the other, thereby making it the Master appliance and the other the Backup.

Admin
    Options are up (enable) and down (disable).
Advertisement Timer
    Default is second.
Authentication String
    Clear text password for authenticating group members.

Preemption
    Leave this selected/enabled so that after a failure, the appliance with the highest priority comes back online and again assumes primary responsibility.
Priority
    The greater the number, the higher the priority. The appliance with the higher priority is the VRRP Master.

Peer Priority Template
When an appliance receives a Subnet with the same Metric from multiple remote/peer appliances, it uses the Peer Priority list as a tie-breaker.
· If a Peer Priority is not configured, the appliance randomly distributes flows among multiple peers.
· The lower the number, the higher the peer's priority.
NOTE: This feature requires appliance software . . . or higher for version releases, and requires . . . or higher for version releases.

Route Redistribution Maps Template
To use this template, you must have your route maps configured for SD-WAN, BGP, or OSPF. See the Routes tab for more details about configuring and defining rules for your route maps.
Merge and Replace
If you select Merge, new maps are added to the existing maps. If the map already exists, the new map will match appliance rules in the orchestrator range. If the configured rules do not match, the new map's rules are appended to the existing rules. Replace will take the new maps and replace all existing maps and not include the rules that match outside of the configured range.
To redistribute a route map:
1. Select the direction of traffic you want to redistribute your routes to: SD-WAN Fabric, BGP Inbound and Outbound, or OSPF.
2. When selected, click Add Map.
3. Enter a Map Name, and then click Add.
4. Select Add Rule. The Add Rule window opens.
In this window, you define the rules applied to your route map, which include the Match Criteria and the Set Actions. Each route map has a match command and a set command. The match command verifies the attributes of the original route that the protocol supports. The set command modifies information that is redistributed into the target protocol.
NOTE: You can apply rules per map.
5. Click Add.

Routes Template
Use the following settings to apply subnet sharing configuration to appliances associated with this template group. Subnet sharing is the protocol used to exchange routes between EdgeConnect appliances across the SD-WAN fabric.
· Automatically advertise to local LAN subnets: The appliance will advertise LAN and virtual interface subnets to SD-WAN fabric peers.
· Automatically advertised local WAN subnets: The appliance will advertise WAN interface subnets to SD-WAN fabric peers.
· Redistribute learned BGP routes to Silver Peak Peers: Advertise BGP routes that your appliance has learned to EdgeConnect peers.
Enter specific values for the following:

Metric for automatically added routes
    (default value).
Route Map name to Redistribute route to SD-WAN Fabric
    Name of the route map being redistributed to the SD-WAN.
Include BGP Local ASN to routes sent to SD-WAN Fabric
    Select Don't Apply, Yes, or No.

Filter Routes From SD-WAN Fabric with Matching Local ASN
    Select Don't Apply, Yes, or No.
Tag BGP communities to routes
    Send the specified communities with routes that are advertised to both SD-WAN fabric peers and BGP peers, if the routes are learned from any of the following source protocols:
    · Local/Static
    · SD-WAN (Local/Static)
    · SD-WAN (BGP)
    · SD-WAN (OSPF)
    Select Don't Apply, Yes, or No. If you select Yes, enter the BGP communities you want to be tagged in the field.
    NOTE: A community must be a combination of two numbers ( to ) separated by a colon. For multiple communities, use a comma to separate them.
    NOTE: If you select Don't apply, Orchestrator ignores this field when applying this template to appliances.

BGP Template
Use the BGP template to apply BGP configurations per segment to all appliances in the SD-WAN fabric.
1. Click the edit icon next to the segment for which you want to modify the configuration.
2. Configure the following elements as needed:

AS Path Propagate
    Select Yes to enable this appliance to send the full AS path associated with a prefix to other routers and appliances, avoiding routing loops. This will provide the learned path from an external prepend between a remote BGP site to local BGP peers.
Graceful Restart
    Select Yes to enable receiver-side graceful restart capability. EdgeConnect retains routes learned from the peer and continues to use them for forwarding (if possible) if/when a BGP peer goes down. Retained routes are considered stale routes. They will be deleted and replaced when new routes are received.

Max Restart Time
    If Graceful Restart is enabled, specifies the maximum time in seconds to wait for a capable peer to come back after a restart or peer session failure.
Stale Path Time
    If Graceful Restart is enabled, specifies the maximum time in seconds following a peer restart before removing stale routes associated with a peer.
Next-Hop-Self
    Advertised route connected to a CE router that an EdgeConnect appliance learns from a PE router.
Keep Alive Timer
    The interval, in seconds, between keep alive signals to a peer.
Hold Timer
    When availability to a peer is lost, this value specifies how long to wait before dropping the session.
Enable MD5 Password
    If applied, adds a password to authenticate TCP sessions with peers.
Password / Confirm Password
    If the MD5 password is enabled, use these fields to specify the password.

3. Click Update.

OSPF Template
Use the OSPF template to apply OSPF configurations per segment to all appliances in the SD-WAN fabric.
1. Click the edit icon next to the segment for which you want to modify the configuration.
2. Configure the following elements as needed:

Enable OSPF
    Indicates whether the segment can access the OSPF protocol. If you select Don't apply, Orchestrator ignores this field when applying this template to appliances.
Route Map name to Redistribute routes to OSPF
    Name of the route map being redistributed to the SD-WAN. The OSPF template is used in conjunction with the Route Redistribution Maps template: OSPF route maps are configured in the Route Redistribution Maps template and then applied in the OSPF template. The default OSPF route map name is "default_rtmap_to_ospf".
    NOTE: Leave this field blank to preserve the current setting on the appliance.

Admin Status
    Indicates whether the interface admin status is up or down. If you select Don't apply, Orchestrator ignores this field when applying this template to appliances.
Hello Interval
    Length of time (in seconds) that must transpire between hello packets that a router sends on an OSPF interface.
Dead Interval
    Length of time (in seconds) that must transpire before neighbors that have not detected a router's hello packets can declare the OSPF router down.
Transmit Delay
    Length of time (in seconds) that must transpire before transmitting a link state update packet. Specify a value from to .
Retransmit Interval
    Length of time (in seconds) that a router that has received no acknowledgment must wait before resending transmissions.
Authentication Type
    Type of authentication to use for requests. Select one of the following drop-down list options:
    · Don't apply: Orchestrator ignores this field when applying this template to appliances.
    · None: Authentication not performed.
    · Text: Simple password authentication, which allows a key (password) to be configured per area.
    · MD5: Message Digest cryptographic authentication. A key ID and key (password) are configured on each router. The router uses an algorithm based on the OSPF packet, the key ID, and the key to generate a message digest that is appended to the packet.
Authentication Key
    Key (password) to use for authentication of requests. This field is available only if Authentication Type is set to Text.
MD5 Key
    Key ID to use for MD5 authentication of requests. This field is available only if Authentication Type is set to MD5.
MD5 Password / MD5 Confirm Password
    Password for the MD5 key. These fields are available only if Authentication Type is set to MD5. Specify and confirm the password.

3. Click Update.

Admin Distance Template
This table shows values associated with various types of Admin Distance. Admin Distance (AD) is the route preference value assigned to dynamic routes, static routes, and directly connected routes. When the appliance's Routes table has multiple routes to the same destination, the appliance uses the route with the lowest administrative distance.

Local
    Manually configured route, or one learned from locally-connected subnets.
Subnet Shared - Static Routes
    Route learned from an EdgeConnect peer.
Subnet Shared - BGP Remote
    Route shared from an EdgeConnect peer in an external network.
Subnet Shared - OSPF Remote
    Route shared from an EdgeConnect peer within the same network.
BGP Branch (pre- . . . )
    Type of dynamic route learned from a local BGP branch peer before version . . . .
BGP Transit (pre- . . . )
    Type of dynamic route learned from a local BGP branch-transit peer before version . . . .
EBGP (post- . . . )
    External BGP: exchanging routing information with a router outside the company-wide network after version . . . .
BGP PE (pre- . . . )
    Type of dynamic route learned from a local BGP PE (Provider Edge) router before version . . . .
OSPF
    Route learned from an OSPF (Open Shortest Path First) neighbor.
IBGP (post- . . . )
    Internal BGP: exchanging routing information with a router inside the company-wide network after version . . . .

Access Lists Template
Use this page to create, modify, delete, and rename Access Control Lists (ACLs).

An ACL is a reusable MATCH criterion for filtering flows. It is associated with an action, permit or deny. You can use the same ACL as the MATCH condition in more than one policy: Route, QoS, Optimization, or NAT.
· An ACL consists of one or more ordered access control rules.
· An ACL only becomes active when it is used in a policy.
· Deny prevents further processing of the flow by that ACL specifically. The appliance continues to the next entry in the policy.
· Permit allows the matching traffic flow to proceed on to the policy entry's associated SET actions. The default is permit.
· When creating ACL rules, list deny statements first, and prioritize less restrictive rules ahead of more restrictive rules.

Priority

· With this template, you can create rules with a priority from - . When the template is applied to an appliance, Orchestrator will delete all rules having a priority in that range before applying its policies.

· If you access an appliance directly, you can create rules with higher priority than Orchestrator rules ( - ) and rules with lower priority ( - and - ).

NOTE: The priority range from to is reserved for Orchestrator.

· When adding a rule, the priority is incremented by ten from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.

Match Criteria
· To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

Source and Destination

· An IP address can specify a subnet; for example, . . . / .
· To allow any IP address, use 0.0.0.0/0.
· Ports are available only for the protocols tcp, udp, and tcp/udp.
· To allow any port, use .

Wildcard-based Prefix Matching

· When using a range or a wildcard, the IPv4 address must be specified in the four-octet format, separated by the dot notation. For example, A.B.C.D.
· Range is specified using a dash. For example, - .
· Wildcard is specified as an asterisk (*).
· Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules only apply to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.
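An added example (not Orchestrator or appliance code) that implements the address syntax and constraints listed above, the ordered permit/deny evaluation described for ACLs, and the increment-by-ten priority convention; the same prefix-matching rules recur under the Route, QoS and Optimization policy templates, so this one block serves all of them. The sample rules, the dotted-quad constants and the "port 0 means any port" convention are constructed for the example.

```python
import ipaddress
import re

_RANGE = re.compile(r"^(\d{1,3})-(\d{1,3})$")


def _octet_matcher(token):
    """Predicate for one dotted-quad position: 'N', 'N-M' (range) or '*'."""
    if token == "*":
        return lambda o: True              # a wildcard stands for the whole octet
    m = _RANGE.match(token)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {token!r}")
        return lambda o: lo <= o <= hi
    if "*" in token or "-" in token:
        # '1*' (partial wildcard) and '1-*' (range and wildcard in one octet)
        # are both forbidden by the rules above
        raise ValueError(f"octet {token!r}: a wildcard must be a whole octet "
                         "and cannot be mixed with a range")
    value = int(token)
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range: {token!r}")
    return lambda o: o == value


def compile_address(spec):
    """Turn an address spec into a predicate over ipaddress.IPv4Address."""
    if "/" in spec:
        if "*" in spec or "-" in spec:
            raise ValueError("CIDR and range/wildcard are mutually exclusive")
        net = ipaddress.ip_network(spec, strict=False)   # 0.0.0.0/0 = any host
        return lambda ip: ip in net
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError("range/wildcard addresses need all four octets (A.B.C.D)")
    matchers = [_octet_matcher(p) for p in parts]
    return lambda ip: all(m(o) for m, o in zip(matchers, ip.packed))


def address_matches(spec, ip_str):
    """Does the dotted-quad ip_str match the address spec?"""
    return compile_address(spec)(ipaddress.ip_address(ip_str))


def is_valid_spec(spec):
    """True if spec obeys the syntax rules, False if compile_address rejects it."""
    try:
        compile_address(spec)
        return True
    except ValueError:
        return False


class AclRule:
    """One access control rule. dst_port 0 means any port (constructed convention)."""

    def __init__(self, priority, action, src, dst, protocol="any", dst_port=0):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.priority, self.action = priority, action
        self.src, self.dst = compile_address(src), compile_address(dst)
        self.protocols = None if protocol == "any" else protocol.split("/")  # 'tcp/udp'
        self.dst_port = dst_port

    def matches(self, flow):
        if self.protocols and flow["protocol"] not in self.protocols:
            return False
        if self.dst_port and flow["dst_port"] != self.dst_port:
            return False
        return (self.src(ipaddress.ip_address(flow["src"]))
                and self.dst(ipaddress.ip_address(flow["dst"])))


class Acl:
    """Ordered rules tried lowest priority number first; each new rule gets the
    previous priority plus ten so later rules can be inserted in between."""

    STEP = 10

    def __init__(self, name):
        self.name, self.rules = name, []

    def add(self, action, src, dst, **kw):
        prio = self.rules[-1].priority + self.STEP if self.rules else self.STEP
        self.rules.append(AclRule(prio, action, src, dst, **kw))
        return prio

    def evaluate(self, flow):
        """'permit': the flow proceeds to the policy entry's SET actions.
        'deny': this ACL stops processing the flow and the policy moves on to
        its next entry. None: no rule in this ACL matched."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(flow):
                return rule.action
        return None


def build_sample_acl():
    """Constructed ACL: the deny statement first, then the permits."""
    acl = Acl("branch-lan-constructed")
    acl.add("deny", "10.1.5.0/24", "0.0.0.0/0", protocol="tcp", dst_port=23)
    acl.add("permit", "10.1.0.0/16", "192.168.0.0/16", protocol="tcp/udp")
    acl.add("permit", "10.1.*.1-100", "0.0.0.0/0")
    return acl
```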

Route Policies Template
NOTE: If you have deployed an SD-WAN network by using Business Intent Overlays (BIO), Orchestrator uses BIOs to automatically create the necessary Route Policies. If you are creating a conventional WAN optimization network, there might be occasions when you need to directly configure Route Policies. Then, the following applies.
Only use the Route Policy template to create (and apply) rules for flows that are to be:
· Sent pass-through (shaped or unshaped)
· Dropped
· Configured for a specific high-availability deployment
· Routed based on application, ports, VLAN, DSCP, or ACL (Access Control List)

You might also want to create a Route Policy entry when multiple tunnels exist to the remote peer, and you want the appliance to dynamically select the best path based on one of these criteria:
· Load balancing
· Lowest loss
· Lowest latency
· A preferred interface
· A specific tunnel

W?
Each appliance's default routing behavior is to auto-optimize all IP traffic, automatically directing flows to the appropriate tunnel. Auto-optimization strategies reduce the need to create explicit route map entries for optimization. The three strategies provided are TCP-based auto-opt, IP-based auto-opt, and subnet sharing. By default, all three are enabled on the System template.

Priority

· With this template, you can create rules with a priority from - . When the template is applied to an appliance, Orchestrator will delete all rules having a priority in that range before applying its policies.

· If you access an appliance directly, you can create rules with higher priority than Orchestrator rules ( - ) and rules with lower priority ( - and - ).

NOTE: The priority range from to is reserved for Orchestrator.

· When adding a rule, the priority is incremented by ten from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.

Match Criteria
· These are universal across all policy maps: Route, QoS, Optimization, NAT (Network Address Translation), and Security.

· If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.
· The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.
· To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

Source and Destination

· An IP address can specify a subnet; for example, . . . / (IPv4) or fe :: : :fed : ba / (IPv6).
· To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
· Ports are available only for the protocols tcp, udp, and tcp/udp.
· To allow any port, use .

Wildcard-based Prefix Matching

· When using a range or a wildcard, the IPv4 address must be specified in the four-octet format, separated by the dot notation. For example, A.B.C.D.
· Range is specified using a dash. For example, - .
· Wildcard is specified as an asterisk (*).
· Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules only apply to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.

SA

F

The Route Policy template's SET actions determine where to direct traffic and what the fallback is when a tunnel is down.

W

A

D

T

· In the Destination field, you specify how to characterize the flow. The options are a specific overlay, auto-optimized, pass-through [shaped], pass-through-unshaped, or dropped.
· When auto-optimized, a flow is directed to the appropriate tunnel. If you choose, you can specify that the appliance use metrics to dynamically select the best path based on one of these criteria:

    - Load balancing
    - Lowest loss

    - Lowest latency
· When configuring the Route Policy for an individual appliance when multiple tunnels exist to the remote peer, you can also select the path based on a preferred interface or a specific tunnel. For further information, see the Appliance Manager Operator's Guide.

HT

IM

IT

ID

· The Fallback can be pass-through [shaped], pass-through-unshaped, or dropped.
· When configuring the Route Policy for an individual appliance, the continue option is available if a specific tunnel is named in the Destination column. That option enables the appliance to read subsequent entries in the individual Route Policy in the event that the tunnel used in a previous entry goes down. For further information, see the Appliance Manager Operator's Guide.

QoS Policies Template
QoS Policy determines how flows are queued and marked. The QoS Policy's SET actions determine two things:
· What traffic class a shaped flow (whether optimized or pass-through) is assigned
· Whether to trust incoming DSCP markings for LAN QoS and WAN QoS, or to remark them as they leave for the WAN
Use the Shaper to define, prioritize, and name traffic classes. Think of it as: the Shaper defines and the QoS Policy assigns.

Priority

· With this template, you can create rules with a priority from - . When the template is applied to an appliance, Orchestrator will delete all rules having a priority in that range before applying its policies.

· If you access an appliance directly, you can create rules with higher priority than Orchestrator rules ( - ) and rules with lower priority ( - and - ).

NOTE: The priority range from to is reserved for Orchestrator.

· When adding a rule, the priority is incremented by ten from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.

Match Criteria
· These are universal across all policy maps: Route, QoS, Optimization, NAT (Network Address Translation), and Security.
· If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.
· The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.
· To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

Source and Destination

· An IP address can specify a subnet; for example, . . . / (IPv4) or fe :: : :fed : ba / (IPv6).
· To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
· Ports are available only for the protocols tcp, udp, and tcp/udp.
· To allow any port, use .

Wildcard-based Prefix Matching

· When using a range or a wildcard, the IPv4 address must be specified in the four-octet format, separated by the dot notation. For example, A.B.C.D.
· Range is specified using a dash. For example, - .
· Wildcard is specified as an asterisk (*).
· Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules only apply to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.

Handling and Marking DSCP Packets

· DSCP markings specify end-to-end QoS policies throughout a network.

· The default values for LAN QoS and WAN QoS are trust-lan.

Applying DSCP Markings to Optimized (Tunnelized) Traffic

· The appliance encapsulates optimized traffic. This adds an outer IP header to packets for travel across the WAN. This outer header contains the WAN QoS DSCP marking.
· LAN QoS: The DSCP marking applied to the IP header before encapsulation.
· WAN QoS: The DSCP marking in the encapsulating outer IP header. The remote appliance removes the outer IP header.

Applying DSCP Markings to Pass-through Traffic

· The appliance applies the QoS Policy's DSCP markings to all pass-through flows, shaped and unshaped.
· Pass-through traffic does not receive an additional header, so it is handled differently:

    - The Optimization Policy's LAN QoS Set Action is ignored.
    - The specified WAN QoS marking replaces the packet's existing LAN QoS DSCP marking.
    - When the packet reaches the remote appliance, it retains the modified QoS setting as it travels to its destination.

Optimization Policies Template
Optimization templates apply Optimization policies to appliances.


Priority

· With this template, you can create rules with a priority from - . When the template is applied to an appliance, Orchestrator will delete all rules having a priority in that range before applying its policies.

· If you access an appliance directly, you can create rules with higher priority than Orchestrator rules ( - ) and rules with lower priority ( - and - ).

NOTE: The priority range from to is reserved for Orchestrator.

· When adding a rule, the priority is incremented by ten from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.

Match Criteria
· These are universal across all policy maps: Route, QoS, Optimization, NAT (Network Address Translation), and Security.
· If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.
· The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.
· To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

Source and Destination

· An IP address can specify a subnet; for example, . . . / (IPv4) or fe :: : :fed : ba / (IPv6).
· To allow any IP address, use 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
· Ports are available only for the protocols tcp, udp, and tcp/udp.
· To allow any port, use .

Wildcard-based Prefix Matching

· When using a range or a wildcard, the IPv4 address must be specified in the four-octet format, separated by the dot notation. For example, A.B.C.D.
· Range is specified using a dash. For example, - .
· Wildcard is specified as an asterisk (*).
· Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules only apply to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.

SA

F

Network Memory
    Addresses limited bandwidth. This technology uses advanced fingerprinting algorithms to examine all incoming and outgoing WAN traffic. Network Memory localizes information and transmits only modifications between locations.
    · Maximize Reduction: Optimizes for maximum data reduction at the potential cost of slightly lower throughput and/or some increase in latency. It is appropriate for bulk data transfers such as file transfers and FTP, where bandwidth savings are the primary concern.
    · Minimize Latency: Ensures that Network Memory processing adds no latency. This might come at the cost of lower data reduction. It is appropriate for extremely latency-sensitive interactive or transactional traffic. It is also appropriate when the primary objective is to fully utilize the WAN pipe to increase the LAN-side throughput, as opposed to conserving WAN bandwidth.
    · Balanced: The default setting. It dynamically balances latency and data reduction objectives and is the best choice for most traffic types.
    · Disabled: Turns off Network Memory.
IP Header Compression
    Process of compressing excess protocol headers before transmitting them on a link and uncompressing them to their original state at the other end. It is possible to compress the protocol headers due to the redundancy in header fields of the same packet, as well as in consecutive packets of a packet stream.

Payload Compression
    Uses algorithms to identify relatively short byte sequences that are repeated frequently. These are then replaced with shorter segments of code to reduce the size of transmitted data. Simple algorithms can find repeated bytes within a single packet; more sophisticated algorithms can find duplication across packets and even across flows.
TCP Acceleration
    Uses techniques such as selective acknowledgments, window scaling, and maximum segment size adjustment to mitigate poor performance on high-latency links.
    NOTE: The Slow LAN alert goes off when the loss has fallen below % of the specified value configured in the TCP Accel Options window.
    For more information, see TCP Acceleration Options.
Protocol Acceleration
    Provides explicit configuration for optimizing CIFS, SSL, SRDF, Citrix, and iSCSI protocols. In a network environment, it is possible that not every appliance has the same optimization configurations enabled. Therefore, the site that initiates the flow (the client) determines the state of the protocol-specific optimization.

TCP Acceleration Options
TCP acceleration uses techniques such as selective acknowledgment, window scaling, and message segment size adjustment to compensate for poor performance on high latency links. This feature has a set of advanced options with default values.

CAUTION: Because changing these settings can affect service, it is recommended that you do not modify them without direction from Support.

Adjust MSS to Tunnel MTU
    Limits the TCP MSS (Maximum Segment Size) advertised by the end hosts in the SYN segment to a value derived from the Tunnel MTU (Maximum Transmission Unit): TCP MSS = Tunnel MTU - Tunnel Packet Overhead.
    This feature is enabled by default so that the maximum value of the end host MSS is always coupled to the Tunnel MSS. If the end host MSS is smaller than the tunnel MSS, the end host MSS is used instead.
    A use case for disabling this feature is when the end host uses Jumbo frames.
Auto Reset Flows
    NOTE: Whether this feature is enabled or not, the default behavior when a tunnel goes Down is to automatically reset the flows.
    If enabled, it resets all TCP flows that are not accelerated, but should be (based on policy and on internal criteria like a Tunnel Up event). The internal criteria can also include:
    · Resetting all TCP accelerated flows on a Tunnel Down event.
    · Resetting
    TCP acceleration is enabled.
    SYN packet was not seen (so this flow was either part of WCCP redirection or it already existed when the appliance was inserted in the data path).
Enable Silver Peak TCP SYN option exchange
    Controls whether or not Silver Peak forwards its proprietary TCP SYN option on the LAN side. Enabled by default, this feature detects if there are more than two EdgeConnect appliances in the flow's data path, and optimizes accordingly.
    Disable this feature if there is a LAN-side firewall or a third-party appliance that would drop a SYN packet when it encounters an unfamiliar TCP option.
End to End FIN Handling
    This feature helps to fine-tune TCP behavior during a connection's graceful shutdown. When this feature is ON (Default), TCP on the local appliance synchronizes the graceful shutdown of the local LAN side with the LAN side of the remote appliance. When this feature is OFF (Default TCP), no such synchronization happens and the two LAN segments at the ends gracefully shut down independently.
IP Block Listing
    If selected, and if the appliance does not receive a TCP SYN-ACK from the remote end within five seconds, the flow proceeds without acceleration and the destination IP address is blocked for one minute.

Aruba EdgeConnect SD-WAN Edge Platform

Using Aruba Orchestrator - . .

January ,

Option / Description

Keep Alive Timer
Allows changing the Keep Alive timer for TCP connections.
· Probe Interval - Time interval in seconds between two consecutive Keep Alive probes.
· Probe Count - Maximum number of Keep Alive probes to send.
· First Timeout (Idle) - Time interval until the first Keep Alive timeout.

LAN Side Window Scale Factor
Allows the appliance to present an artificially lowered Window Scale Factor (WSF) to the end host. This reduces the need for memory in scenarios in which many out-of-order packets are received from the LAN side; such packets cause heavy buffer utilization and maintenance.

Clamp Per-Flow Buffer (Max LAN to WAN Buffer and Max WAN to LAN Buffer)
Clamps the maximum buffer space that can be allocated to a flow, in each direction.

Persist Timer Timeout
Allows TCP to terminate connections that are in the Persist timeout stage after the configured number of seconds.

Preserve Packet Boundaries
Preserves packet boundaries end-to-end. If this feature is disabled, the appliances in the path can coalesce consecutive packets of a flow to use bandwidth more efficiently. It is enabled by default so that applications that require packet boundaries to match do not fail.

Route Policy Override
Tries to override asymmetric route policy settings. It emulates auto-opt behavior by using the same tunnel for the returning SYN+ACK as for the original SYN packet. Disable this feature if the asymmetric route policy setting is necessary to route packets correctly; in that case, you might need to configure flow redirection to ensure optimization of TCP flows.

Slow LAN Defense
Resets all flows that consume a disproportionate amount of buffer and have very slow throughput on the LAN side. Owing to a few slower end hosts or a lossy LAN, such flows affect the performance of all other flows so that no flow sees the customary throughput improvement gained through TCP acceleration. This feature is enabled by default. The number relates indirectly to the amount of time the system waits before resetting such slow flows.

Slow LAN Window Penalty
This setting (OFF by default) penalizes flows that are slow to send data on the LAN side by artificially reducing their TCP receive window. Less data is received, which helps reach a balance with the data sending rate on the LAN side.


WAN Congestion Control
Selects the internal congestion control parameter:
· Optimized - The default setting. This mode offers optimized performance in almost all scenarios.
· Standard - In some unique cases, it might be necessary to downgrade to Standard to better interoperate with other flows on the WAN link.
· Aggressive - Provides aggressive performance and should be used with caution. Recommended mostly for data replication scenarios.

WAN Window Scale
The WAN-side TCP window scale factor used internally for WAN-side traffic. It is independent of the window scale factor advertised by the end hosts.

SaaS NAT Policies Template
Use this template to add NAT map rules to all the appliances that support Network Address Translation.

Why NAT

Two use cases illustrate the need for NAT:

1. Inbound NAT. The appliance automatically creates a source NAT (Network Address Translation) map when retrieving subnet information from the Cloud Portal. This ensures that traffic destined to SaaS servers has a return path to the appliance from which that traffic originated.

2. Outbound NAT. The appliance and server are in the cloud, and the server accesses the internet. As in the example below, a Citrix thin client accesses its cloud-based server, and the server accesses the internet.

For deployments in the cloud, best practice is to NAT all traffic, either inbound (WAN-to-LAN) or outbound (LAN-to-WAN), depending on the direction of the initiating request. This avoids the black-holing that can result from cloud-specific IP addressing requirements.
· Enabling NAT all applies NAT policies to pass-through traffic as well as optimized traffic, ensuring that black-holing does not occur. NAT all on outbound applies only to pass-through traffic.
· If Fallback is enabled, the appliance moves to the next IP (if available) when ports are exhausted on the current NAT IP.
In general, when applying NAT policies, configure separate WAN and LAN interfaces to ensure that NAT works properly. You can do this by deploying the appliance in Router mode in-path with two (or four) interfaces.

The appliance can perform source network address translation (Source NAT or SNAT) on inbound or outbound traffic.
There are two types of NAT policies:

· Dynamic - Created automatically by the system for inbound NAT when the SaaS Optimization feature is enabled and SaaS service(s) are selected for optimization. The appliance polls the Cloud Intelligence Service for a directory of SaaS services, and NAT policies are created for each of the subnets associated with the selected SaaS service(s), ensuring that traffic destined for servers in use by those SaaS services has a return path to the appliance.

· Manual - Created by the administrator for specific IP addresses, ranges, or subnets. When assigning priority numbers to individual policies within a NAT map, first view the dynamic policies to ensure that the manual numbering scheme does not interfere with dynamic policy numbering (that is, manually assigned priority numbers cannot be in the range - reserved for dynamic policies). The default (no-NAT) policy is numbered .

The NAT policy map has the following match criteria and Set Actions:

Match Criteria
· These are universal across all policy maps: Route, QoS, Optimization, NAT (Network Address Translation), and Security.
· If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.
· The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.
· To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

Source or Destination
· An IP address can specify a subnet; for example, . . . / (IPv4) or fe :: : :fed : ba / (IPv6).
· To allow any IP address, use . . . / (IPv4) or ::/ (IPv6).
· Ports are available only for the protocols tcp, udp, and tcp/udp.
· To allow any port, use .

Wildcard-Based Prefix Matching
· When using a range or a wildcard, the IPv4 address must be specified in the four-octet format, separated by dot notation. For example, A.B.C.D.
· A range is specified using a dash. For example, - .
· A wildcard is specified as an asterisk (*).
· Range and wildcard can both be used in the same address, but an octet can contain only one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (range or wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .

· These prefix-matching rules apply only to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.
Set Actions

NAT Type
· no-nat - The default. No IP addresses are changed.
· source-nat - The source IP address of matching traffic is translated to the selected NAT IP.

NAT Direction
· inbound - NAT is on the LAN interface.
· outbound - NAT is on the WAN interface.
· none - The only option if the NAT type is no-nat.

NAT IP
· auto - Select this to NAT all traffic. The appliance then picks the first available NAT IP/port.
· tunnel - Select this to NAT tunnel traffic only. Applicable only for inbound NAT, because outbound NAT does not support NAT on tunnel traffic.
· [IP address] - Select this to make NAT use this IP address during address translation.

For Fallback, if the IP address is full (its ports are exhausted), the appliance uses the next available IP address. When you select a specific IP, ensure that routing is in place for the NAT-ted return traffic.

Merge/Replace
At the top of the page, choose Merge to use the values in the template but keep any values set on the appliance as is (producing a mix of template and appliance rules), or Replace (recommended) to replace all values with those in the template.
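To make the Set Actions concrete, here is an added example that is not code from this guide or from the appliance: a small NAT policy map walked in priority order, backed by a source-NAT pool that tracks ports per NAT IP and implements the Fallback behavior described above (move to the next IP only when the current one is full). The rule priorities, the reserved dynamic range used by the priority check, the pool addresses and the port range are all assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(order=True)
class NatRule:
    """One row of a NAT policy map; lower priority numbers are evaluated first."""
    priority: int
    dst: str                    # destination subnet the rule matches (CIDR)
    nat_type: str = "no-nat"    # "no-nat" or "source-nat"
    direction: str = "none"     # "inbound", "outbound" or "none"
    nat_ip: str = "auto"        # "auto" or a specific address from the pool

    def matches(self, dst_ip: str) -> bool:
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst, strict=False)


class SnatPool:
    """Source-NAT address pool with per-address port tracking and optional Fallback."""

    def __init__(self, ips, port_lo=1024, port_hi=65535, fallback=True):
        self.ips = list(ips)
        self.port_lo, self.port_hi = port_lo, port_hi   # assumed translation port range
        self.fallback = fallback
        self.used = {ip: set() for ip in self.ips}

    def _free_port(self, ip):
        for port in range(self.port_lo, self.port_hi + 1):
            if port not in self.used[ip]:
                return port
        return None                                     # this NAT IP is "full"

    def allocate(self, nat_ip="auto"):
        """Return (ip, port), or None when no NAT IP has a free port.

        "auto" starts at the first pool address; a specific address starts there.
        With Fallback on, a full address moves the search to the next one; with
        Fallback off, a full address means the allocation fails.
        """
        order = self.ips if nat_ip == "auto" else [nat_ip] + [ip for ip in self.ips if ip != nat_ip]
        if not self.fallback:
            order = order[:1]
        for ip in order:
            port = self._free_port(ip)
            if port is not None:
                self.used[ip].add(port)
                return ip, port
        return None

    def release(self, ip, port):
        self.used[ip].discard(port)


def check_manual_priority(priority: int, dynamic_lo: int, dynamic_hi: int) -> None:
    """Reject a manual priority that would collide with the dynamic (SaaS) policy range."""
    if dynamic_lo <= priority <= dynamic_hi:
        raise ValueError(f"priority {priority} collides with dynamic NAT policies {dynamic_lo}-{dynamic_hi}")


def apply_snat(rules, pool, src_ip, dst_ip):
    """Walk the map in priority order; translate the source on the first match.

    Returns (source after translation, translated port or None, matched priority).
    """
    for rule in sorted(rules):
        if not rule.matches(dst_ip):
            continue
        if rule.nat_type == "no-nat":
            return src_ip, None, rule.priority
        alloc = pool.allocate(rule.nat_ip)
        if alloc is None:
            raise RuntimeError("all NAT IPs exhausted; the flow cannot be translated")
        return alloc[0], alloc[1], rule.priority
    return src_ip, None, None


# Constructed map: one manual inbound source-NAT rule for a SaaS subnet and a
# catch-all no-NAT default. Priority numbers are assumptions.
SAMPLE_RULES = [
    NatRule(priority=100, dst="198.51.100.0/24", nat_type="source-nat", direction="inbound"),
    NatRule(priority=65535, dst="0.0.0.0/0"),
]


def demo():
    # Two NAT IPs with only two ports each, so Fallback is exercised on the third flow.
    pool = SnatPool(["203.0.113.10", "203.0.113.11"], port_lo=40000, port_hi=40001)
    results = [apply_snat(SAMPLE_RULES, pool, "10.0.0.5", "198.51.100.7") for _ in range(3)]
    results.append(apply_snat(SAMPLE_RULES, pool, "10.0.0.5", "192.0.2.1"))
    return results
```

The third SaaS-bound flow lands on the second NAT IP only because Fallback is on; with it off the same call fails, which on the appliance is the case where return traffic has no path. The priority check is what "first view dynamic policies" above protects against.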

Threshold Crossing Alerts Template
Threshold Crossing Alerts (TCAs) are preemptive, user-configurable alarms that are triggered when specific thresholds are crossed.

They alarm on both rising and falling threshold crossing events (that is, floor and ceiling levels). For both levels, one value raises the alarm while another value clears it.

ON by Default
· Appliance Capacity - Triggers when an appliance reaches % of its total flow capacity. It is not configurable and can be cleared only by an operator.
· File-system utilization - Percent of non-Network Memory disk space filled by the appliance. This TCA cannot be disabled.
· Tunnel latency - Measured in milliseconds, the maximum latency of a one-second sample within a -second span.

OFF by Default
· LAN-side receive throughput - Based on a one-minute average, the LAN-side receive TOTAL for all interfaces.
· WAN-side transmit throughput - Based on a one-minute average, the WAN-side transmit TOTAL for all interfaces.
· TCAs based on an end-of-minute count:
  - Total number of flows
  - Total number of optimized flows
· TCAs based on a one-minute average:
  - Tunnel loss pre-FEC
  - Tunnel loss post-FEC
  - Tunnel OOP pre-POC
  - Tunnel OOP post-POC
  - Tunnel reduction
  - Tunnel utilization (based on percent of configured maximum [system] bandwidth)

TCA Metrics
Times to Trigger - A value of 1 triggers an alarm on the first threshold crossing instance. The default sampling granularity (rate or interval) is one minute. The following table lists the metric behind each type of threshold crossing alert.

Metrics for Threshold Crossing Alerts (TCA Name - Unit - Metric)

Appliance level
· WAN-side transmit throughput - kbps - Minute average of the WAN-side transmit TOTAL for all interfaces
· LAN-side receive throughput - kbps - Minute average of the LAN-side receive TOTAL for all interfaces
· Total number of optimized flows - flows - End-of-minute count
· Total number of flows - flows - End-of-minute count
· File-system utilization - % (non-Network Memory) - End-of-minute count

Tunnel level
· Tunnel latency - msec - Second-sampled maximum latency during the minute
· Tunnel loss pre-FEC - / th % - Minute average
· Tunnel loss post-FEC - / th % - Minute average
· Tunnel OOP pre-POC - / th % - Minute average
· Tunnel OOP post-POC - / th % - Minute average
· Tunnel utilization - % of configured bandwidth - Minute average
· Tunnel reduction - % - Minute average
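The raise/clear pair, Times to Trigger, and the two reductions in the metrics table (minute average versus second-sampled maximum) combine into a small state machine. The following is an added example, not code from this guide or from the appliance, that implements that evaluator and runs it over constructed per-second samples for a ceiling TCA (tunnel latency), a throughput TCA, and a floor TCA (tunnel reduction). The threshold values and the sample series are assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class ThresholdCrossingAlert:
    """A TCA with separate raise and clear values (hysteresis) and Times to Trigger.

    rising=True models a ceiling: the alarm raises when the metric reaches
    raise_value from below and clears once it drops to clear_value.
    rising=False models a floor: the comparisons are mirrored.
    """
    name: str
    raise_value: float
    clear_value: float
    rising: bool = True
    times_to_trigger: int = 1
    alarm: bool = False
    _streak: int = field(default=0, repr=False)

    def evaluate(self, value: float) -> str:
        """Feed one per-interval metric value; returns OK, RAISED, ALARM or CLEARED."""
        crossed = value >= self.raise_value if self.rising else value <= self.raise_value
        cleared = value <= self.clear_value if self.rising else value >= self.clear_value
        if self.alarm:
            if cleared:
                self.alarm = False
                return "CLEARED"
            return "ALARM"                       # between clear and raise: stays up
        self._streak = self._streak + 1 if crossed else 0
        if self._streak >= self.times_to_trigger:
            self.alarm, self._streak = True, 0
            return "RAISED"
        return "OK"


# The two reductions the metrics table applies to a minute of raw samples.
def minute_average(samples):
    """Throughput, loss, OOP, reduction, utilization: average over the minute."""
    return mean(samples)


def second_sampled_max(samples):
    """Tunnel latency: the highest one-second sample seen during the minute."""
    return max(samples)


def run_tca(tca, minutes, reduce):
    """Reduce each minute's raw samples, then evaluate the TCA once per minute."""
    return [tca.evaluate(reduce(samples)) for samples in minutes]


# Constructed per-second samples (60 per minute) for consecutive minutes.
LATENCY_MINUTES = [
    [80] * 59 + [250],        # one spike: crossed once, not yet triggered (Times to Trigger = 2)
    [90] * 58 + [260, 90],    # second crossing: alarm raises
    [100] * 59 + [180],       # below raise but above clear: alarm stays up
    [70] * 60,                # below clear: alarm clears
]
THROUGHPUT_MINUTES = [[9000] * 60, [7000] * 60, [5000] * 60]
REDUCTION_MINUTES = [[15] * 60, [35] * 60]


def demo():
    latency = ThresholdCrossingAlert("Tunnel latency (msec)", raise_value=200, clear_value=150, times_to_trigger=2)
    wan_tx = ThresholdCrossingAlert("WAN-side transmit throughput (kbps)", raise_value=8000, clear_value=6000)
    reduction = ThresholdCrossingAlert("Tunnel reduction (%)", raise_value=20, clear_value=30, rising=False)
    return {
        "latency": run_tca(latency, LATENCY_MINUTES, second_sampled_max),
        "wan_tx": run_tca(wan_tx, THROUGHPUT_MINUTES, minute_average),
        "reduction": run_tca(reduction, REDUCTION_MINUTES, minute_average),
    }
```

Note the difference the reduction makes: a single 250 ms second inside an otherwise quiet minute counts as a crossing for tunnel latency, because that TCA uses the maximum, whereas the same spike would vanish in a minute average.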

SaaS Optimization Template
Use this template to select the SaaS applications/services you want to optimize. To use this template, your EdgeConnect appliance must be registered with an Account Name and Account Key for the SaaS optimization feature.

SaaS optimization requires three things to work in tandem: SSL (Secure Socket Layer), subnet sharing, and Source NAT (Network Address Translation). Enable SaaS optimization enables the appliance to contact the Cloud Intelligence Service and download information about SaaS services.
· If Advertise is selected for a service (for example, SFDC), the appliance will:
  - Ping active SaaS subnets to determine the RTT/metric
  - Add subnet sharing entries locally for subnets within the RTT threshold
  - Advertise subnets and their metric (within threshold) via subnet sharing to client-side appliances
  - Upon seeing an SFDC flow, generate a substitute certificate for an SFDC SSL domain (one substitute certificate per domain)
  - Auto-generate dynamic NAT rules for SFDC (but not for unchecked services)
· When Optimize is selected for a service (for example, SFDC), the appliance will:
  - Ping active SFDC subnets to determine the RTT (metric)
  - Not advertise the metric via subnet sharing (unless Advertise is also selected)
  - Receive the subnet sharing metric (RTT) from associated appliances
  - Compare its own RTT (local metric) with the advertised metric:
    * If its own RTT is lower, the packet is sent pass-through (direct to the SaaS server).
    * If an advertised RTT is lower, the packet is tunnelized.
  - Generate a substitute certificate for an SFDC SSL domain (one substitute certificate per domain)
  - Create no NAT rules
· When Optimize is not selected for a service (for example, SFDC), the appliance:
  - Receives subnet sharing advertisements for SFDC but does not use them
  - Does no RTT calculation pinging
  - Does not participate in SSL
  - Creates no NAT rules
  - Sends all SFDC traffic as pass-through
The RTT Calculation Interval specifies how frequently Orchestrator recalculates the Round Trip Time for the enabled cloud applications. The RTT Ping Interface specifies which interface to use to ping the enabled SaaS subnets for Round Trip Times. The default interface is wan .
TIPS
· Initially, you might want to set a higher RTT Threshold value so that you can see a broader scope of reachable data centers/servers for any given SaaS application/service.
· If the Monitoring page shows no results at ms, you might want to reposition your SaaS gateway (advertising appliance) closer to the service.

Security Policies Template
Use this page to set up security policies, also known as zone-based firewalls. CAUTION: If segmentation is enabled, do not use the Security Policies Template. Instead, configure Security Policies from the Routing Segmentation (VRF) tab.
· Zones are created on the Orchestrator and applied to an Interface.
· By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones.
· When you create an interface, it is assigned the Default zone.
· If you create a new zone and assign it to an interface, all traffic between that interface and the rest of the interfaces (which are still in the Default zone) is dropped. Zone creation and assignment to interfaces should therefore be performed during planned network maintenance.
· You can also assign a zone label to an Overlay. On a new system, all overlays are assigned the Default zone.
· Traffic between an Interface and an Overlay follows the same rules as traffic between two Interfaces or two Overlays: traffic is allowed between zones with the same label, and any traffic between different zones is dropped. Users can create Security Policies to allow traffic between different zones.

Implicit Drop Logging
Implicit Drop Logging lets you configure the logging level for implicit zone-based firewall drops. An implicit drop applies to inter-zone traffic by default: for example, if all zone_x to zone_y traffic is left at the default Deny All (the red cells in the matrix), that traffic is dropped by the zone-based firewall engine.
Select one of the following levels for Implicit Drop Logging from the list: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug.
NOTE: The default logging level is Alert.

Complete the following steps to create a Security Policies Template:
1. Create zone names in Configuration > Overlays & Security > Security > Firewall Zones.
2. Create security policies to define exceptions. To edit or add a rule, select the desired square in the matrix, and when the Edit Rules pop-up appears, make the desired changes.
3. Select the edit icon in the Match Criteria column; the Match Criteria pop-up appears. Make the desired changes.
4. Optionally select More Options to customize your rules. Select the check box next to the specific match criterion and select your desired changes from the list.
5. Click Save.
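The zone rules above (same zone allowed, different zones dropped unless an exception rule exists, overlays treated like interfaces, implicit drops logged at a chosen level) are small enough to model end to end. The following is an added example, not code from this guide or from the appliance: it walks through the maintenance-window scenario, assigning a new zone to a LAN interface and watching inter-zone traffic drop until an exception rule is added. Interface names, zone names, the flow tuples and the log line format are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

LOG_LEVELS = ["None", "Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]


@dataclass
class SecurityPolicy:
    """An exception rule for one directional cell of the zone matrix (from_zone -> to_zone)."""
    from_zone: str
    to_zone: str
    match: Optional[Callable[[dict], bool]] = None   # None = any flow

    def permits(self, src_zone, dst_zone, flow):
        if (self.from_zone, self.to_zone) != (src_zone, dst_zone):
            return False
        return self.match is None or self.match(flow)


class ZoneFirewall:
    def __init__(self, implicit_drop_logging="Alert"):
        if implicit_drop_logging not in LOG_LEVELS:
            raise ValueError(f"unknown log level {implicit_drop_logging!r}")
        self.implicit_drop_logging = implicit_drop_logging
        self.zone_of = {}          # interface or overlay name -> zone label
        self.policies = []
        self.log = []              # stands in for the appliance's syslog

    def add_interface(self, name):
        self.zone_of[name] = "Default"          # new interfaces land in Default

    def add_overlay(self, name):
        self.zone_of[name] = "Default"          # overlays start in Default too

    def assign_zone(self, name, zone):
        self.zone_of[name] = zone

    def add_policy(self, policy):
        self.policies.append(policy)

    def decide(self, ingress, egress, flow):
        """Same zone: allow. Different zones: allow only via a policy, else implicit drop."""
        src_zone, dst_zone = self.zone_of[ingress], self.zone_of[egress]
        if src_zone == dst_zone:
            return "allow"
        if any(p.permits(src_zone, dst_zone, flow) for p in self.policies):
            return "allow"
        if self.implicit_drop_logging != "None":
            self.log.append(f"<{self.implicit_drop_logging}> implicit drop "
                            f"{ingress}({src_zone}) -> {egress}({dst_zone}) {flow}")
        return "drop"

    def matrix(self):
        """The zone matrix: allow on the diagonal, deny elsewhere unless a policy exists for the cell."""
        zones = sorted(set(self.zone_of.values()))
        return {(a, b): "allow" if a == b or any((p.from_zone, p.to_zone) == (a, b) for p in self.policies)
                else "deny" for a in zones for b in zones}


def demo():
    fw = ZoneFirewall()
    fw.add_interface("lan0")
    fw.add_interface("wan0")
    fw.add_overlay("MPLS")
    https = {"proto": "tcp", "dport": 443}
    dns = {"proto": "udp", "dport": 53}
    before = fw.decide("lan0", "wan0", https)          # both Default: allowed
    fw.assign_zone("lan0", "Users")                    # the moment that needs a maintenance window
    after = fw.decide("lan0", "wan0", https)           # Users -> Default: implicit drop, logged
    fw.add_policy(SecurityPolicy("Users", "Default", match=lambda f: f["proto"] == "tcp" and f["dport"] == 443))
    allowed = fw.decide("lan0", "wan0", https)         # exception rule matches
    still_dropped = fw.decide("lan0", "MPLS", dns)     # interface -> overlay, no matching rule
    return before, after, allowed, still_dropped, fw.log, fw.matrix()
```

The matrix cell Users -> Default reads "allow" once the policy exists even though only HTTPS matches it; the per-flow decision is what the engine actually enforces, and the implicit-drop log is where every other inter-zone flow shows up.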

Wildcard-Based Prefix Matching
· When using a range or a wildcard, the IPv4 address must be specified in the four-octet format, separated by dot notation. For example, A.B.C.D.
· A range is specified using a dash. For example, - .
· A wildcard is specified as an asterisk (*).
· Range and wildcard can both be used in the same address, but an octet can contain only one or the other. For example, . - .*. - .
· A wildcard can only be used to define an entire octet. For example, . *.*. - is not supported. The correct way to specify this range is . - .*. - .
· The same rules apply to IPv6 addressing.
· CIDR notation and (range or wildcard) are mutually exclusive in the same address. For example, use either . . . / or . . . - .
· These prefix-matching rules apply only to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.
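The prefix-matching rules listed here, and identically in the NAT Policies match criteria section above, are precise enough to implement and test. The following is an added example, not code from this guide or from the appliance: a validator and matcher for one address field that accepts CIDR (IPv4 or IPv6) or the four-octet range/wildcard form, and rejects the combinations the rules forbid (a wildcard that does not cover a whole octet, range or wildcard mixed with CIDR, fewer than four octets). It serves both passages; the example addresses are constructed.

```python
import ipaddress
import re

# One dotted component: a number, a lo-hi range, or * for the whole octet.
_OCTET = re.compile(r"^(\*|\d{1,3}|\d{1,3}-\d{1,3})$")


def _octet_bounds(token: str):
    """Return (lo, hi) for one octet token, enforcing the per-octet rules."""
    if not _OCTET.match(token):
        raise ValueError(f"octet {token!r}: a wildcard must cover an entire octet and cannot mix with a range")
    if token == "*":
        return 0, 255
    lo, _, hi = token.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not (0 <= lo <= hi <= 255):
        raise ValueError(f"octet {token!r}: values must be 0-255 with low before high")
    return lo, hi


def compile_address_match(spec: str):
    """Return a predicate ip -> bool for one Match Criteria address field.

    Accepts CIDR (IPv4 or IPv6) or the A.B.C.D range/wildcard form; the two
    notations cannot be combined in one spec.
    """
    if "/" in spec:
        if "*" in spec or "-" in spec:
            raise ValueError("CIDR notation and range/wildcard are mutually exclusive")
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError("range/wildcard addresses must use the four-octet A.B.C.D form")
    bounds = [_octet_bounds(p) for p in parts]

    def match(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            return False                         # dotted range/wildcard form is IPv4 only
        return all(lo <= octet <= hi for octet, (lo, hi) in zip(addr.packed, bounds))

    return match


def validate_address_spec(spec: str):
    """(True, None) if the spec is well formed, else (False, reason) for the UI to show."""
    try:
        compile_address_match(spec)
        return True, None
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for candidate in ("10.1-5.*.100-200", "10.0.0.0/8", "10.1*.0.0", "10.0.0.0/8-9", "10.1.1"):
        print(candidate, "->", validate_address_spec(candidate))
```

Running the validator before a template is pushed catches the malformed forms at authoring time rather than as a silently non-matching rule on the appliance.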

DNS Proxy Policies
Configuration > Templates & Policies > Templates
If you select ON, complete the following steps to configure and define your DNS Proxy policies. NOTE: This feature is configurable only if you have loopback interfaces configured.
1. Choose whether you want the DNS Proxy enabled by selecting ON or OFF.
2. Select the name of the loopback interface or LAN-side label associated with your DNS proxy.
3. Enter the IP addresses for Server A in the Server A Addresses field.
4. Choose whether you want Caching to be ON or OFF. If selected, the domain-name-to-IP-address mapping is cached. By default, caching is ON.
5. Enter the domain names of Server A for the above IP addresses.
6. Enter the Server B IP addresses in the Server B Addresses field. Server B is used if there are no matches to the Server A domains.
NOTE: You can Clear DNS Cache. This erases the domain-name-to-IP-address mapping cached for both Server A and Server B.

Shaper Template
The Shaper template is a simplified way of globally configuring QoS (Quality of Service) on the appliances:
· The Shaper shapes traffic by allocating bandwidth as a percentage of the system bandwidth.
· The Shaper's parameters are organized into ten traffic classes. Four traffic classes are preconfigured and named real-time, interactive, default, and best effort.
· The system applies these QoS settings globally after compressing (deduplicating) all the outbound tunnelized and pass-through-shaped traffic, shaping it as it exits to the WAN.
· Applying the template to an appliance updates its system-level wan Shaper. If the appliance has any added, interface-specific Shapers, they are preserved.
· For minimum and maximum bandwidth, you can configure traffic class values both as a percentage of total available system bandwidth and as an absolute value. The appliance always provides the larger of the minimum values and limits bandwidth to the lower of the maximum values.
· You can rename or edit any traffic class.
· To view any applied configurations, access the Configuration > Templates & Policies > Shaping > Shaper page.

Dynamic Rate Control

Tunnel Max Bandwidth is the maximum rate at which an appliance can transmit.
Auto BW negotiates the link between a pair of appliances. In this example, the appliances negotiate each link down to the lower value, Mbps.

However, if A and B transmit at the same time, Hub could easily be overrun.
If Hub experiences congestion:
· Select Enable Dynamic Rate Control. This allows Hub to regulate the tunnel traffic by lowering each remote appliance's Tunnel Max Bandwidth. The smallest possible value is that appliance's Tunnel Min(imum) Bandwidth.
· Inbound BW Limit caps how much bandwidth the appliance can receive.

Field / Description

Add Interface Shaper
Adds an interface-specific shaper for outbound or inbound traffic.

Enable Interface Shaper
Enables a separate shaper for a specific WAN interface. For WAN optimization, the interface shaper can be used, but it is not recommended. For SD-WAN, it should never be used, because overlay traffic is not directed to an interface shaper; traffic is always shaped by the default WAN shaper.

Excess Weighting
If there is bandwidth left over after satisfying the minimum bandwidth percentages, the excess is distributed among the traffic classes in proportion to the weightings specified in the Excess Weighting column. Values range from to , .

Interface
Interface that is being shaped.

Max Bandwidth %
Limits the maximum bandwidth that a traffic class can use to a percentage of total available system bandwidth.

Max Bandwidth Absolute (kbps)
Limits the maximum bandwidth that a traffic class can use to an absolute value (kbps). You can specify a maximum absolute value to cap the bandwidth for downloads and streaming.

Max Wait Time
Any packets waiting longer than the specified Max Wait Time are dropped.

Min Bandwidth %
The percentage of bandwidth guaranteed to each traffic class, allocated by priority. If the sum of the percentages is greater than %, lower-priority traffic classes might not receive their guaranteed bandwidth if it is all consumed by higher-priority traffic. Max overrides Min if you set Min Bandwidth to a value greater than Max Bandwidth.

Min Bandwidth Absolute (kbps)
Guarantees a specific level of service when total system bandwidth declines. This is useful for maintaining the quality of VoIP, for example.

Priority
Determines the order in which to allocate each class's minimum bandwidth: is first, is last.

Rate Limit (kbps)
Sets the per-flow rate limit for a traffic class. For no limit, use 0 (zero).

Recalc on IF State Changes
When an interface state changes to UP or DOWN, selecting this recalculates the total bandwidth based on the configured bandwidth of all UP interfaces. For example, when wan goes down, its bandwidth is removed from the total bandwidth when recalculating.

Traffic Name
Name assigned to a traffic class, either prescriptively or by the user.
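The Shaper fields above describe one allocation algorithm: per class, the guaranteed minimum is the larger of the percentage and absolute values, the cap is the lower of the two maximums, minimums are honoured in priority order (so oversubscribed minimums starve low priorities), Max overrides Min, and leftover bandwidth is split by Excess Weighting without pushing any class past its cap. The following is an added example, not code from this guide or from the appliance, that implements that allocation under the worst-case assumption that every class has unlimited demand, plus the UP-interfaces-only total that Recalc on IF State Changes uses. Class parameters, weights and interface bandwidths are assumptions.

```python
from dataclasses import dataclass


@dataclass
class TrafficClass:
    name: str
    priority: int             # order in which minimums are honoured (lower number first)
    min_pct: float = 0.0      # Min Bandwidth %
    min_abs: float = 0.0      # Min Bandwidth Absolute (kbps)
    max_pct: float = 100.0    # Max Bandwidth %
    max_abs: float = 0.0      # Max Bandwidth Absolute (kbps); 0 = no absolute cap (assumed convention)
    excess_weight: float = 1.0

    def cap(self, total: float) -> float:
        """Lower of the percentage and absolute maximums."""
        pct_cap = total * self.max_pct / 100
        return min(pct_cap, self.max_abs) if self.max_abs > 0 else pct_cap

    def guarantee(self, total: float) -> float:
        """Larger of the percentage and absolute minimums, but Max overrides Min."""
        return min(max(total * self.min_pct / 100, self.min_abs), self.cap(total))


def total_system_bandwidth(interfaces):
    """Recalc on IF State Changes: sum configured bandwidth of UP interfaces only."""
    return sum(bw for _name, bw, up in interfaces if up)


def allocate(classes, total):
    """Return ({class name: kbps}, unallocated kbps) for a fully loaded system.

    Phase 1 hands out guaranteed minimums in priority order until the system
    bandwidth runs out. Phase 2 spreads the excess by Excess Weighting, water-
    filling so that a class that reaches its cap releases its share to the rest.
    """
    alloc, remaining = {}, float(total)
    for c in sorted(classes, key=lambda c: c.priority):
        give = min(c.guarantee(total), remaining)
        alloc[c.name] = give
        remaining -= give
    active = [c for c in classes if c.excess_weight > 0 and alloc[c.name] < c.cap(total)]
    while remaining > 1e-6 and active:
        weight_sum = sum(c.excess_weight for c in active)
        handed_out = 0.0
        for c in active:
            share = min(remaining * c.excess_weight / weight_sum, c.cap(total) - alloc[c.name])
            alloc[c.name] += share
            handed_out += share
        remaining -= handed_out
        active = [c for c in active if c.cap(total) - alloc[c.name] > 1e-6]
    return {k: round(v, 3) for k, v in alloc.items()}, round(remaining, 3)


# Constructed class set modelled on the four preconfigured classes.
SAMPLE_CLASSES = [
    TrafficClass("real-time", priority=1, min_pct=20, max_pct=30, excess_weight=0),
    TrafficClass("interactive", priority=2, min_pct=30, excess_weight=2),
    TrafficClass("default", priority=3, min_pct=10, excess_weight=1),
    TrafficClass("best-effort", priority=4, max_pct=50, max_abs=2000, excess_weight=1),
]
SAMPLE_INTERFACES = [("wan0", 10000, True), ("wan1", 5000, False)]   # (name, kbps, is UP)

if __name__ == "__main__":
    total = total_system_bandwidth(SAMPLE_INTERFACES)
    print(total, allocate(SAMPLE_CLASSES, total))
```

With wan1 down the system bandwidth is 10000 kbps; real-time keeps exactly its 20% because its excess weight is 0, best-effort is pinned at its 2000 kbps absolute cap even though 50% of the system would allow more, and the remaining excess goes to interactive and default at 2:1.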


Management Services Template
Use this template to globally apply the modifications made to your Management Services, whether segmentation is enabled or disabled. Any is used as the default Interface for the Source IP address; however, you can change the interface to any interface you have previously configured on the Management Services tab. To modify the interface, click Any in the table. For more information, refer to the Management Services tab.

CLI Template
Use this template to enter any sequence of Command Line Interface (CLI) commands. Enter each CLI command on a new line.

Session Management Template
Use this page to configure settings that control access to the appliance web UI.

Field / Description

Auto Logout
Specifies the amount of time in minutes after which an inactive session is automatically logged out. The valid range is - . Use to disable automatic logout.

Max Sessions
Maximum number of active sessions on the appliance. If the maximum number of sessions is reached, users who try to log in to the appliance web UI receive a message that the browser cannot access the appliance. On non-EdgeConnect appliance models, Orchestrator might not be able to access the appliance.

OpenSSL Cipher List
List of cipher suites to enable or disable on the appliance. For details about formatting this string, see this page. The string can contain only the following characters: a-z, A-Z, 0-9, and +-:.!_@
WARNING: Cipher format and availability are not validated. Ciphers should be thoroughly tested in a lab environment before being applied. When ciphers are applied from a template, an improperly formatted string or unavailable ciphers can cause an appliance crash.

Web Protocol
Select the web protocol to use for appliance UI sessions. HTTPS is recommended for maximum security.
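Because the template does not validate the cipher string, the check has to happen before it is pushed. The following is an added example, not code from this guide or from the appliance: it enforces the documented character set, then asks the local OpenSSL (through Python's ssl module) to expand the string, which catches syntax errors and strings that select no cipher at all, and finally flags suites a practitioner would not want enabled. The weak-suite markers are an assumed policy, not the product's. One caveat the code cannot remove: the appliance runs its own OpenSSL build, so a string that resolves on your workstation can still name a suite that is unavailable there, which is exactly why the warning above insists on a lab test.

```python
import re
import ssl

# Character set the Session Management template accepts for the cipher string.
ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9+\-:.!_@]+$")
# Suite-name fragments treated as weak in this example (assumed policy, not the product's).
WEAK_MARKERS = ("NULL", "RC4", "DES", "EXPORT", "MD5", "ADH", "AECDH")


def cipher_string_is_well_formed(cipher_string: str) -> bool:
    """Only the documented characters: no spaces, commas, quotes or line breaks."""
    return bool(ALLOWED_CHARS.match(cipher_string))


def resolve_with_local_openssl(cipher_string: str):
    """Expand the string with this host's OpenSSL; None if OpenSSL rejects it.

    set_ciphers() raises ssl.SSLError both for malformed strings and for strings
    that match no cipher, the two failure modes the appliance does not check.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Suite names from a resolved list that contain any weak marker."""
    return [n for n in names if any(marker in n.upper() for marker in WEAK_MARKERS)]


def vet_cipher_string(cipher_string: str):
    """Return (ok, reason, resolved suite names) for a candidate template value."""
    if not cipher_string_is_well_formed(cipher_string):
        return False, "contains characters outside a-z A-Z 0-9 +-:.!_@", []
    names = resolve_with_local_openssl(cipher_string)
    if names is None:
        return False, "OpenSSL rejected the string (syntax error or no cipher matched)", []
    weak = weak_suites(names)
    if weak:
        return False, "selects weak suites: " + ", ".join(weak), names
    return True, "ok", names


if __name__ == "__main__":
    for candidate in ("ECDHE+AESGCM:!aNULL:!MD5", "ECDHE+AESGCM, !aNULL", "NOSUCH-CIPHER"):
        ok, reason, names = vet_cipher_string(candidate)
        print(f"{candidate!r}: {ok} ({reason}); {len(names)} suites")
```

The second candidate fails on the comma and space alone, before OpenSSL is consulted; the third is well formed but resolves to nothing, the case most likely to take an appliance down when applied by template.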

Apply Template Groups
Configuration > Templates & Policies > Apply Template Groups
Use this tab to add or remove templates from appliances.

· If multiple template groups are applied to an appliance, the order in which they are applied determines which template is used. Templates applied later (lower on the apply order list) overwrite any conflicting templates applied earlier.
· Drag templates up or down to reorder the list.
· Orchestrator automatically applies any changed templates to the associated appliances.

Configuration > Cloud Services
The options under Configuration > Cloud Services focus on the various cloud services that are offered.

AWS Transit Gateway Network Manager

Configuration > Cloud Services > AWS Network Manager
Orchestrator supports association with Amazon Web Services and its Transit Gateway Network Manager. Orchestrator builds AWS Site-to-Site VPN tunnels, enabling you to securely connect your on-premises network to one or more Transit Gateways (TGWs).
Before you begin configuring AWS Transit Gateway Network Manager in Orchestrator, create an AWS account (and, within it, an IAM user) that authenticates and authorizes Orchestrator against your AWS account. Then complete the prerequisite tasks in the following section.

Prerequisites for AWS Transit Gateway Network Manager

Make sure you complete the following tasks in the AWS console before configuring Orchestrator:

· Navigate to Identity and Access Management (IAM) under Services to create a user profile with permissions for Orchestrator.
· Navigate to the Virtual Private Cloud (VPC) Dashboard and configure your Transit Gateways for the regions you want.
· Navigate to Network Manager from the VPC Dashboard under Transit Gateways to create a Global Network.
· Associate your Transit Gateways to the Global Network.

Create a User Profile in AWS
To create a user profile in AWS, complete the following steps:
1. Sign in to AWS and navigate to the Identity and Access Management (IAM) service from the main AWS Management Console (Services > Security, Identity, & Compliance > IAM).
2. Click Users in the left menu under Access Management.
3. Click Add User.
4. Enter a username in the User name field.
5. Choose the Access Type: Programmatic Access and AWS Management Console Access.
6. Click Next: Permissions.
7. Set the permissions for your user on this page. You can do this in one of three ways:
· Adding the user to a group - The user inherits the permissions assigned to the group.
· Copying permissions from an existing user - Copy the permissions of an existing AWS user and assign them to the new user.
· Attaching existing policies directly - Attach an existing IAM policy directly to the user.
8. Assign optional tags for your user. If you choose to add a tag, complete these steps:
  a. Enter a key - This represents the name of your tag.
  b. Enter a value - Enter the text that you want the key/tag to represent.
NOTE: Tags enable you to provide additional information about your user or group for tracking and organizational purposes. Up to tags are allowed.
9. Select Next: Review. This page displays a review of the profile you just created for your user: the User Details, the Permissions Summary, and additional information such as tags.
10. Select Create User. The page should now show a success message along with the Access Key ID and the Secret Access Key associated with your configured user. Copy the Access Key ID and the Secret Access Key to a secure place for later use; they are long-lived credentials, so keep them in a secrets store rather than a shared document and grant the user only the permissions Orchestrator needs. You will need these keys when adding the AWS account on Orchestrator.
Create Transit Gateways
Next, you must create Transit Gateways (or select existing Transit Gateways you have already created) to associate with your AWS Network Manager, which you create in the steps below. Transit Gateways terminate the Site-to-Site IPSec tunnels established from the EdgeConnect appliances in your network.
To create a new Transit Gateway, complete the following steps:
1. Navigate to the Virtual Private Cloud (VPC) Dashboard (Services > Networking & Content Delivery).
2. Click Transit Gateways, under Transit Gateways in the left menu.
3. Click Create Transit Gateway.
4. Complete the following fields to create the Transit Gateway.

Field / Description

Name Tag
Enter a name that represents your Transit Gateway.

Description
Enter a description to help identify your Transit Gateway. This is the description for the Name Tag.

Amazon side ASN
Autonomous System Number that represents your Transit Gateway in AWS. You can use an existing ASN assigned to your global network or a private ASN. See the range limitations in AWS.

DNS Support
Select this check box to enable Domain Name System support for the VPCs attached to your Transit Gateway.

VPN ECMP support
Select this check box to enable Equal Cost Multi-Path routing support in your Transit Gateway. This allows traffic with the same source and destination to be spread across multiple equal-cost VPN paths.

Default Route Table Association
Select this check box to automatically associate new attachments with this Transit Gateway's default route table.

Default Route Propagation
Select this check box to automatically propagate routes from new attachments into the default route table.

Auto-accept shared attachments
Select this check box if you want your Transit Gateway to automatically accept attachments from different accounts.

5. Click Create Transit Gateway. A success message should display along with your Transit Gateway ID.

Create a Network Manager
After you create your Transit Gateway, you must create a Global Network in AWS. A Global Network hosts your specified Transit Gateways. It is managed by the AWS Network Manager.
1. Navigate to the VPC Dashboard.
2. Click Network Manager under Transit Gateways.
3. Click Create Global Network.
4. Enter a Name and Description for your Global Network.
5. Click Create.

O

C

A er completing the AWS prerequisites, navigate to the AWS Network Manager tab in Orchestrator. There are six buttons above the table on this tab that you use to complete the AWS and Orchestrator integration: Subscription, Interface Labels, Network Manager Association, Tunnel Settings, VTI Subnet Pool, and Zone.

Subscription

. To begin, click the Subscription button.
. Enter the Access Key ID and the Secret Access Key that reflect your user account in AWS. This is the Access Key ID and the Secret Access Key you copied earlier in the Create a User Profile in AWS section.
. Click Save a er you finish entering the information in the table below. The AWS Reachability field should reflect Connected.

Field AWS Reachability
Access Key ID Secret Access Key Polling Interval

Description
Connection status of the AWS Network Manager to Orchestrator: Connected or Not Connected. Access Key given to you in AWS to log in to the AWS console. Secret Access Key given to you in AWS to log in to the AWS console. Indicates how o en Orchestrator should check for configuration changes in the AWS transit gateways or Network Manager. The default polling interval is ten minutes.


4. Click Save.

You should now have an established connection from Orchestrator to your AWS account.

Interface Labels

The Build Tunnels Using These Interfaces dialog box enables you to select the interfaces to build your tunnels to AWS.

1. Click the Interface Labels button. The Build Tunnels Using These Interfaces dialog box opens.
2. Drag the interface labels you want to apply from the column on the right into the Primary columns.
3. Click Save.

Network Manager Association

In this dialog box, you can choose which Transit Gateways you want to associate with your EdgeConnect appliances.
NOTE: You must first select the EdgeConnect appliances on the Orchestrator appliance tree, and then open the Network Manager Association tab to associate the appliances to your Transit Gateways.

1. Select or clear the check box next to the appliance you want to connect to or disconnect from the Network Manager.
2. See the following table for field descriptions.

Hostname: Host name of the appliance you want to connect to or disconnect from the Network Manager.
Transit Gateways Present: Lists the Transit Gateways that are already associated with the EdgeConnect appliances.
Transit Gateways Changes: Displays the EdgeConnect appliances that will be added to or removed from the Transit Gateways.

3. Click Save. Orchestrator starts to establish the Site-to-Site IPSec tunnels from the EdgeConnect appliances to the selected Transit Gateways.

Tunnel Settings

The Tunnel Settings dialog box shows the IKE and IPSec parameters used by Orchestrator when building Site-to-Site IPSec tunnels from the EdgeConnect appliances to the Transit Gateways. No changes are necessary for these parameters.

VTI Subnet Pool

In this dialog box, set the subnet IP address and the mask for the AWS subnet pool. Enter the subnet IP address and the mask ID in the designated fields.
· Any update to the subnet pool configuration results in service disruption.
· You can have duplicated ASNs if you have a site with the same name.
NOTE: This is an AWS-specific subnet pool. Therefore, every subnet IP address must start with . to be included in this pool.


Zone
You can apply configured segments to your VTI interfaces associated for AWS. Click the Zone icon and select the zone you want to apply from the drop-down list.
Verification
You can verify the stability and connectivity of your tunnels to the AWS Network Manager using the Connection Status column on the AWS Network Manager tab. This column shows the BGP Peer status. You can find additional details on the Tunnels, VTI, and BGP tabs.
Also, you can verify the AWS resources that Orchestrator created on the VPC Dashboard. To view the resources on the VPC dashboard, navigate back to the Virtual Private Network section in AWS and select Customer Gateways and Site-to-Site VPN Connections. On these tabs, you can confirm that the IPSec tunnels you created in Orchestrator are functioning correctly.
The tunnels should be in the "available" state.

The IPSec tunnel statuses should be "UP".
Route Tables and Static Routes

After the tunnels and the BGP sessions are established, the TGW route table shows the routes learned from the EdgeConnect devices. To create a route table for your transit gateways, navigate to the VPC Dashboard in AWS and click Transit Gateway Route Tables under Transit Gateways. To create a static route, select the transit gateway from the Route Table and navigate to the Routes tab.


Complete the following fields, and then click Create Static Route.

CIDR: Specified range of IPv addresses for your VPC.
Blackhole: Enable if you want your matched traffic to be dropped.
Choose attachment: Choose the attachment for your static route.

Peering

To begin sending traffic from the spoke VPCs where your AWS workloads are running, you must peer the VPCs with the Transit Gateways. To peer your configured Transit Gateways, navigate back to your VPC dashboard in AWS and click Transit Gateway Attachments under Transit Gateways. Complete the following steps.


1. Select the check box next to the available transit gateways you want to peer.
2. Click Create Transit Gateway Attachment.
3. Choose the Transit Gateway ID from the drop-down menu.
4. For Attachment Type, select Peering Connection.
5. For Attachment Name Tag, enter text for identification purposes.
6. For Account, select the check box for My Account.
7. For Region, choose the destination region you want the BGP peering to connect with.

Microsoft Azure Virtual WAN

Configuration > Cloud Services > Microsoft Azure Virtual WAN

Microsoft Azure optimizes routing, automates large-scale connectivity from various branches to Azure workloads, and provides unified network and policy management within Orchestrator. Use Azure to deploy to a single WAN circuit or for branch-to-branch connectivity by configuring virtual WANs to associated hubs.

Before you begin Microsoft Azure Virtual WAN configuration in Orchestrator, you need to use the Azure Virtual WAN portal to authenticate and authorize Orchestrator in Azure. You need to create the service principal, which is a single-tenant application that runs within only one organization. Click here to get started.

Microsoft Azure Prerequisites

1. Create an application in Azure and note the following Subscription details from the Azure Active Directory:

· Subscription ID
· Tenant (Directory) ID
· Application (Client) ID
· Client Secret Key

2. Create a storage account in Azure and get the following:

· Storage Account Name
· Storage Access Key

3. Create a resource group.
4. Create Azure Virtual WANs with hubs from your resource groups.

Orchestrator Prerequisites

Complete the following tasks in Orchestrator:

1. Configure a VTI IP Pool.

· Enter a valid IPv Subnet.

NOTE: This is a unique address across the network. VTI interfaces created for Azure integration will be selected from this pool.
INFO: The Azure VTI interface zone is set to the WAN interface zone. Any change in deployment for the WAN interface zone is applied to the Azure VTI as well.
WARNING: Any change to the VTI pool after it is configured is network affecting. This operation should be performed during a maintenance window because it can take several hours for some Cloud services to complete.

2. Configure the BGP ASN Global Pool.

· Enter the start and end ranges for ASNs.
· Add any reserved ASNs to exclude from being applied to appliances.

NOTE: If not previously enabled, Orchestrator enables BGP.

Orchestrator Configuration

When you are finished with the Azure and Orchestrator prerequisites, navigate to the Microsoft Azure Virtual WAN tab in Orchestrator. There are five buttons at the top of the table that are used to complete the Azure and Orchestrator integration: Subscription, Interface Labels, Virtual Wan Association, Tunnel Settings, and Zone.
To begin, click the Subscription icon.

Subscription


1. Enter the information in the Subscription fields that reflect your Azure portal account.
2. Click Save after you have finished entering the information in the table below. The Azure field should reflect Connected.

The following table represents the values in the Subscription window from the Azure portal.

Azure Reachability: Connection status of your account with Azure.
Subscription ID: ID of your subscription.
Tenant ID: Name of your Azure AD tenant.
Client ID: Client ID of your Azure portal.
Client Secret Key: Secret key of your Azure application.
Storage Account Name: Name of your storage account.
Storage Account Key: Storage account key.
Storage URL: Storage account URL.*
Configuration Polling Interval: Indicates how often Orchestrator should check for configuration changes in Azure. The default polling interval is ten minutes.

*Storage URL

The Storage URL is present on the Storage Accounts tab in your Azure portal. Complete the following steps to obtain your storage account URL.

1. After your storage account is created in Azure, create a blob container.
2. Get the blob container URL.
3. Suffix the URL with a slash and add a file name in the Storage URL field.

NOTE: Append a slash and then the file name to the URL. Do not end the URL with a slash.

Interface Labels

Select the order in which you want your interface labels to be used.

1. Click the Interface Labels button. The Build Tunnels Using These Interfaces dialog box displays.
2. Drag the interface labels you want to use into the Preferred Interface Label Order column.
3. Click Save.

Virtual WAN Association

Each appliance is associated with one virtual WAN. Use the Virtual Wan Association button to add or remove specific sites to your virtual WANs.

1. Click the Virtual Wan Association button.
2. Select an appliance from the tree in the left menu.
3. Select the check box to Add or Remove the appliance to your virtual WAN in Azure.

Tunnel Settings


The Tunnel Settings button opens the Tunnel Settings dialog box, which enables you to define the tunnels associated with Azure and Orchestrator. It is recommended that you use the default tunnel settings for General, IKE, and IPSec; however, you can modify any field. The tunnel settings are set using the default VPN configuration parameters received from virtual WAN APIs located in your Azure portal account.
In your Azure Portal Account, navigate to the Azure Configuration table. This table displays the VPN site created for Orchestrator appliances associated to Azure virtual WANs. Additionally, manually associate sites to your hubs in Azure.
1. Navigate to Azure Virtual WAN.
2. Select Azure VPN site.
3. Select New Hub Association.

Zone

You can apply configured segments to your VTI interfaces associated for Azure. Click the Zone button and select the zone you want to apply from the drop-down list.

Verification

The Tunnel page shows that Orchestrator has an established connection with Azure by displaying a tunnel status of up - active.
For more information about Azure configuration, visit the following link: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal.

Check Point CloudGuard Connect

Configuration > Cloud Services > Check Point CloudGuard Connect

Check Point CloudGuard Connect provides network and cloud security with policies defined within Orchestrator overlays. The Check Point CloudGuard Connect tab has the following fields.

Subscription: Name of the appliance you want to connect with Check Point.
Interface Labels: Name of the interfaces you want to connect with Check Point.
Tunnel Settings: Defines the tunnels associated with Orchestrator and Check Point.
LAN Subnets: Subnets configured on the LAN side associated with Check Point.

Before you begin to configure Check Point CloudGuard Connect, you need to create a Check Point account. Visit the following link to make an account: https://portal.checkpoint.com. After you create an account, you will need to create an API Key.

Subscription

1. After you complete the steps in the above URL to create your Check Point account, navigate to the Check Point CloudGuard Connect tab in Orchestrator.
2. Select the Subscription tab to get started with Check Point.


3. Enter your Client ID and the Secret Key you received when you created your Check Point account.
4. Select Save after you finish entering the information in the table below. The Connection Status should appear at the top of the Subscription window.

Interface Labels

1. Select the Interface Labels tab. The Build Tunnels Using These Interfaces dialog box opens.
2. Drag the interface labels you want to use into the Preferred Interface Label Order column.
3. Select Save.

Tunnel Settings

The Tunnel Settings tab helps you define the tunnels associated with Check Point and EdgeConnect. Use the Check Point default values for the General, IKE, and IPSec tunnel settings.
NOTE: You can also configure specific General, IKE, and IPSec tunnel settings. The settings are automatically generated; however, you can make modifications if you choose to do so. To go back to the default settings, select Use Default on any of the tunnel windows.

LAN Subnets
You can select the LAN subnets for a given appliance to associate with your Check Point integration. By default, LAN subnets are configured on the Deployment tab. You can also add, import a CSV file, or export a CSV file of the configured subnets.

Enable Check Point CloudGuard Connect

When you have completed configuration, you need to enable the Check Point service.

1. Navigate to the Business Intent Overlay tab in Orchestrator.
2. Go to Breakout Traffic to Internet & Cloud Services.
3. Select the overlay that breaks out traffic to Check Point.
4. Drag Check Point CloudGuard Connect from the Available Policies column to the Preferred Policy Order column.

Verification
Navigate to the Check Point CloudGuard Connect tab in Orchestrator to verify successful deployment under Site Status. You can also verify successful deployment on the Tunnels tab.

Import and Export Subnets

Import enables you to import a Comma Separated Values (CSV) file into a pair of appliances used in Orchestrator. Before you import, you must remove the header row and save the files on your computer. Complete the following steps to begin your import.

1. Select Choose File.
2. Locate the file you want to import on your desktop.
3. Select Open.


4. Select Import. Orchestrator generates the CSV file. The following table represents the fields in the exported CSV file.


Appliance: <Appliance Hostname>
Configured Subnets: <Configured subnets IP addresses>

NOTE: The titles and double quotes should be removed from your file before importing. CAUTION: This import overwrites previously configured imports.

Microsoft Office

Configuration > Cloud Services > Microsoft Office

Ensure that your overlays have the following options configured to preserve the Works with Office default applications. The table below indicates the default overlays, applications, and preferred policy order configured on the Business Intent Overlays tab within Orchestrator. The overlay name indicated in the table below is the default that ships with Orchestrator. This can be modified with user configuration.
NOTE: Skype for Business, SharePoint Online, and Office Exchange must break out locally.

Overlay: RealTime
Application: Skype for Business
What It Matches: Microsoft Office Optimize and Allow categories for the respective applications

Overlay: CriticalApps
Application: SharePoint Online, Office Exchange
What It Matches: Microsoft Office Optimize and Allow categories for the respective applications

Overlay: Default
Application: For everything
Preferred Policy Order (Breakout Traffic to Internet & Cloud Services): Any policy order except "Drop"
What It Matches: Matches Microsoft Office Default categories; Office Common applications
NOTE: Do not specify other individual Office applications in this group or overlay.

For more information about applications that work with Office, go to Microsoft Partners.

Zscaler Internet Access
Configuration > Cloud Services > Zscaler Internet Access


Zscaler Internet Access (ZIA) is a cloud security service. EdgeConnect traffic can be service chained to Zscaler for additional security inspection. Orchestrator supports IPSec and GRE tunnel modes for Zscaler.
NOTE: GRE tunnels are not formed across an EdgeHA link.
NOTE: Zscaler's term for ZEN is now Service Edge.
The following table describes the fields on the Zscaler Internet Access tab.

Appliance: Name of the appliance to connect to Zscaler.
Interface Label: Interface label for the interfaces you want to connect to Zscaler.
Mode: Tunnel mode (IPSec or GRE) for Zscaler. The default mode is IPSec.
Gateway Options: A feature that enables you to configure sub-locations and various rules for your sub-locations. Gateway Options is an optional add-on.
Bandwidth: Upload and download bandwidth speeds (in Mbps) to and from Zscaler.
Zscaler Deployment Status: Status of the Zscaler deployment (Creating, Pending, or Deployed). Deployed indicates successful deployment.
Zscaler Service Edges: The Zscaler endpoints to which the tunnels connect. This field is populated with discovered Public Service Edges based on the appliance's geographical location.
Connection Status: Status of the Zscaler connection based on tunnel and IP SLA statuses.

Configure Zscaler

Before you configure Zscaler, you must create a Zscaler account and ensure that you have an established connection with Zscaler.
NOTE: This section represents the automated configuration of IPSec, IKE, and GRE tunnels from EdgeConnect to the Zscaler cloud. To manually configure the tunnels with the Zscaler cloud, refer to the EdgeConnect and Zscaler IPSec Integration Guide and the EdgeConnect and Zscaler GRE Integration Guide.

Subscription

1. Go to https://help.zscaler.com/zia/sd-wan-api-integration and follow the steps to configure your Zscaler account.
2. After configuring your Zscaler account, navigate to the Zscaler Internet Access tab in Orchestrator (Configuration > Cloud Services > Zscaler Internet Access).
3. Click the Subscription button. The Subscription dialog box opens.
4. Enter the appropriate information to reflect your Zscaler account.


The following table describes the fields.

Zscaler: Indicates whether you are connected to your Zscaler account.
Zscaler Cloud: Zscaler cloud URL. For example, admin.zscalerthree.net.
Partner Username: Partner administrator username you created when configuring Zscaler.
Partner Password: Partner administrator password you created when configuring Zscaler.
Partner Key: Partner key you created when configuring your Zscaler account. Select Silver Peak from the list of partners.
Domain: Domain provisioned in Zscaler for your enterprise.
Subscription Cloud ID: (Optional) A subcloud can be a subset of ZIA Public Service Edges, a subset of Private Service Edges, a subset of PZENs, or a subset of both ZIA Public Service Edges and Private Service Edges or PZENs. If you subscribe to any of these services, you must specify in this field the name of your subcloud (for example, Americas) to obtain a full list of Service Edges for your organization.
WARNING: Because this is service affecting, configure this ID during a maintenance window only. This will cause previously built tunnels to be deleted and rebuilt.
Configuration Polling Interval: Indicates how often Orchestrator should check for configuration changes in Zscaler. The default polling interval is ten minutes.

5. Click Save. The Zscaler field should indicate Connected.

Interface Labels

Select the Primary labels you want your traffic to go to. Backup labels will be used as the second option if the primary is unreachable.

1. Click the Interface Labels button on the Zscaler Internet Access tab. The Build Tunnels Using These Interfaces dialog box opens.
2. Drag the interface labels you want to use into the Primary and Backup areas in the dialog box.
3. Click Save.

WARNING: This is service affecting. Any change to the interface selection can cause previously built tunnels to be deleted and rebuilt.

Tunnel Settings

The Tunnel Settings button opens the Zscaler Tunnel Setting dialog box, enabling you to define the tunnels associated with Zscaler and EdgeConnect. The Mode field on the General tab allows you to select IPSec or GRE as the tunnel protocol for the specified WAN interface label. Use Zscaler defaults for tunnel settings defined by the system.


NOTE: For IPSec mode, you can configure General, IKE, and IPSec tunnel settings. For GRE mode, you can configure General tunnel settings. Settings are automatically generated, but you can change them if you want to.

Service Edge Override

You can override the automatically selected Service Edge pair for specific sites. You have the option to add this exception to one or more sites within your network.
NOTE: Orchestrator does not support Service Edge Override for GRE tunnels.

1. Click the Service Edge Override button on the Zscaler Internet Access tab. The Service Edge Override dialog box opens.
2. Enter the appliance name, the interface label, and the primary and secondary IP addresses. Orchestrator will build tunnels to those Service Edges.

Appliance: Appliance for which to override Zscaler Service Edges.
Interface Label: Interface label from which tunnels are built.
Primary IP: IP address of the primary Zscaler Service Edge.
Secondary IP: IP address of the secondary Zscaler Service Edge.

IP SLA

Configure IP SLA for Zscaler tunnels. This configuration ensures tunnel connectivity and internet availability between Zscaler and Orchestrator. If the tunnel cannot reach Zscaler, the tunnel is considered DOWN.

1. Click the IP SLA button on the Zscaler Internet Access tab. The Zscaler IP SLA Configuration dialog box opens.
2. If all fields are dimmed, click Enable IP SLA rule orchestration.
3. Complete the following fields.

Monitor: Ping or HTTP/HTTPS.
Address: URL of the Zscaler endpoint that the IP SLA subsystem will ping. You can configure up to three addresses.
Source Interface: Select an orchestrated loopback label.

4. Accept the default values for the remaining fields and click Save. Orchestrator builds the tunnels.


Country / Timezone

You can use the Zscaler Country / Timezone dialog box to configure standard ISO Country Codes to Zscaler Country Enums and standard Time Zones to Zscaler Time Zone Enums. Click the Country / Timezone button on the Zscaler Internet Access tab to open the dialog box. Make changes, and then click Save.

Gateway Options

You can configure gateway options and rules for Zscaler sub-locations. Orchestrator uses location and sub-locations to better define a branch site in the Zscaler cloud. Sub-locations are LAN-side segments within each branch. They can be identified by LAN interfaces, zones, or a collection of LAN subnets.

Enable Gateway Options

To enable gateway options:

1. Click the Gateway Options button on the Zscaler Internet Access tab. The Zscaler Gateway Options dialog box opens.
2. Click Add. The Location / Sub-Location Match Criteria dialog box opens.
3. Enter a name for the new rule in the Rule Name field.
WARNING: If two rules have the same sub-location name or IP address, Orchestrator picks the first match and considers the order of the rules.
4. Specify a location by entering an appliance name, region, or group in the Appliances field.
5. Enter the WAN label in the Location Label field.
6. If you select the Sub-Location check box:
   a. Enter the sub-location name in the Name field.
   b. Enter the subnet address (LAN label, Firewall Zone, or subnet) in the Internal IPs field.
7. Click Save.

NOTE: Sub-locations can be applied to all WAN links selected in the Build Tunnels Using These Interfaces dialog box (accessed by clicking the Interface Label button on the Zscaler Internet Access tab).

If you select the Show sub-locations check box on the Zscaler Internet Access tab, the sub-locations configured in Gateway Options appear in the Zscaler table.
Configure Bandwidth Control

You can set up bandwidth controls for your Zscaler sub-locations configured in Gateway Options. Select from bandwidth control options that use fixed amounts of bandwidth, inherit bandwidth values from parent locations, or use percentages of deployment bandwidth.

1. Click the Gateway Options button on the Zscaler Internet Access tab. The Zscaler Gateway Options dialog box opens.
2. In the table, locate the rule name row for which you want to configure bandwidth control, and then click the linked text in the Gateway Options column. The Zscaler Gateway Options & Bandwidth Control dialog box opens.
3. Select one of the following options from the Bandwidth Control drop-down list:


OFF: Do not use bandwidth control. This is the default setting.
Fixed bandwidth: Use fixed amounts of bandwidth for the sub-location. Specify amounts for download and upload in Mbps.
Inherit (parent) location bandwidth: Inherit the parent location's bandwidth values.
Use deployment WAN label bandwidth: Use percentages of the deployment WAN label's bandwidth. Specify amounts for download and upload as percentages. Each specified percentage cannot exceed %. Orchestrator will automatically translate percentages into Mbps and send them to Zscaler. Sub-locations will use these values as percentages of deployment bandwidth.

4. Click Save. The Change Gateway Options dialog box opens.
WARNING: Changing Gateway Options is service affecting. Make changes during a maintenance window.
5. Click Change Gateway Options. Your changes are applied to Orchestrator and Zscaler. This process takes time to complete.

Zscaler Association

The final step to configure the integration in Orchestrator is to associate EdgeConnect appliances to Zscaler.

1. In the Orchestrator appliance tree, select one or more appliances to associate with Zscaler.
2. Click the Zscaler Association button on the Zscaler Internet Access tab. The Zscaler Appliance Association dialog box opens.
3. In the table, select one or more appliances you want to associate with Zscaler, and then select the Add check box. Select the Remove check box to remove the Zscaler association from selected appliances in the table.
4. Verify the changes, and then click Save.

Pause Orchestration
When troubleshooting, you can click Pause Orchestration and save to pause orchestration. To restart, click Resume Orchestration.

Use Zscaler for Breakout Traffic

Finally, you need to select the Zscaler service in at least one Business Intent Overlay Breakout Traffic Policy to steer traffic to it.

1. Navigate to the Business Intent Overlays tab in Orchestrator (Configuration > Overlays & Security > Business Intent Overlays).


2. Click the overlay that breaks out traffic to Zscaler. The Overlay Configuration dialog box opens.
3. Click the Breakout Traffic to Internet & Cloud Services tab.
4. Drag Zscaler Cloud from the Available Policies column to the Preferred Policy Order column.

Verify Zscaler Deployment

After Zscaler Internet Access is configured, deployment will begin automatically. Navigate to the Zscaler Internet Access tab to verify successful deployment. The Zscaler Deployment Status column should have a green status of Deployed, and the Connection Status column should have a green status of Up. The Connection Status column indicates the status of the Zscaler connection based on tunnel and IP SLA statuses.
NOTE: Zscaler is deployed and orchestrated for an appliance based on the Zscaler Appliance Association dialog box. Business Intent Overlays (BIOs) are used to configure breakout internet policies to Zscaler. This is used for automatic load distribution and failover.
You can also verify that your Zscaler tunnels have been successfully deployed on the Tunnels tab. The Passthrough Tunnel column should list your Zscaler tunnels, and the Status column should have a green status of up - active.

Service Orchestration

Configuration > Cloud Services > Service Orchestration

To watch a video of this feature, see How to Integrate with Third-Party Service Providers.

Use the Service Orchestration tab to automate the integration of third-party services without an API. Service Orchestration automates the creation and deployment of IPSec tunnels and IP SLA probes and manages the lifecycle of the tunnels and probes. Service Orchestration creates a local tunnel identifier (IKE ID) for each tunnel to the third-party service. After the tunnels are created, complete the integration on the third-party service's site by replacing the source identity values with the local tunnel identifiers (IKE IDs) that Orchestrator created for each endpoint.
NOTE: By default, Service Orchestration provides the framework for Netskope integration. The instructions on this page are specific to Netskope, but you can apply the same general procedure to other third-party services.

Prerequisites

· You must have loopback interfaces configured to use the Service Orchestration feature.
· Service Orchestration supports third-party services that use IPSec IKEv endpoints.
· You will need the following information from the third-party service for each endpoint you want to add:
  - Endpoint name
  - IP address
  - Probe address


Remote Endpoint Configuration

Add the remote endpoints for Netskope. You can add one endpoint at a time or add endpoints in bulk by importing the information from a CSV file.

Add Endpoints One at a Time

1. Click Remote Endpoint Configuration. The Add Remote Endpoints for Netskope dialog box opens.
2. Click +Remote Endpoint.
3. Complete the following fields. Press the Tab key to navigate to the next field.

Name: Name of the Netskope endpoint.
IMPORTANT: If an endpoint name is decommissioned or modified, you must update the value in this table.
IP Address: IP address of the Netskope endpoint.
IMPORTANT: If an IP address is decommissioned or modified, you must update the value in this table.
Interface Label: The interface labels that can be provisioned for this endpoint. Only labels in this list will be provisioned.
HINT: Click Interface Label Default to reset the Interface Label for every endpoint in the table to the default value of Any.
Pre-shared Key: The pre-shared key for the endpoint. To display the pre-shared key, click anywhere in the field. Do one of the following:
· Edit this field for each endpoint. This value can be an ASCII string, a hex-encoded string (if it has a x prefix), or a base -encoded string (if it has a s prefix).
· Click PSK Default to create and save a pre-shared key. Every endpoint will use the pre-shared key you create. Because traffic going to these endpoints is encrypted, it will not compromise security to use the same pre-shared key for each endpoint.
Probe Address: The Netskope endpoint that the IP SLA subsystem will ping. You can obtain the probe address from the third-party security provider.
IMPORTANT: Orchestrator will prefill the Address field in the IP SLA Settings dialog box with this value. If you delete the value in the Probe Address field in this table, Service Orchestration will ping the value specified in the Address field in the IP SLA Settings for Netskope dialog box.


Backup Remote Endpoint: Enter the Netskope endpoint that you want to use as a backup tunnel. For example, ATL -Atlanta could use DFW -Dallas as a backup remote endpoint. If you leave this field empty, the endpoint will not have a backup tunnel. The BIO determines how traffic will be handled if a single tunnel, or both the single and backup tunnels, go down.

4. Repeat these steps for each endpoint.
TIP: To delete an endpoint, click the X in the last column in the table.
5. Click Save. Updates are orchestrated immediately.

Add Endpoints in Bulk

1. Click Remote Endpoint Configuration. The Add Remote Endpoints for Netskope dialog box opens.
2. Click Import to import a list of remote endpoints from a CSV file. The CSV file must contain columns for name, IP address, interface label, pre-shared key, probe address, and backup remote endpoint, in that order.
NOTE: Remove any header rows before you import the file.
3. Click Choose File.
4. Navigate to the file, select the file, and then click Open.
5. Click Save. Updates are orchestrated immediately.

Bulk Edit
To make bulk edits to the table:
1. Click Export.
2. Open the CSV file and delete the three header rows.
3. Modify, save, and close the file.
4. Click Import, and then click Choose File.
5. Locate and select the file, and then click Open. Orchestrator updates the table.
6. Click Save.
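A pre-import check for the endpoint CSV described above, as an added example (this is not Orchestrator code): it verifies the six-column order, flags header rows that were left in the file, validates each pre-shared key as plain ASCII, hex or base64 (the 0x and 0s prefixes are assumed here), and confirms that every backup remote endpoint names another endpoint in the same file. The sample rows are constructed.

```python
"""Validate a remote-endpoint CSV before importing it into Orchestrator.

Added example; this is not Orchestrator code. It checks the column order the
page specifies (name, IP address, interface label, pre-shared key, probe
address, backup remote endpoint), the three pre-shared-key encodings
(plain ASCII, hex with a 0x prefix, base64 with a 0s prefix; the two prefixes
are assumed here), that no header rows were left in the file, and that every
backup endpoint refers to another endpoint in the same file.
"""
import base64
import binascii
import csv
import io
import ipaddress

COLUMNS = ("name", "ip_address", "interface_label", "pre_shared_key",
           "probe_address", "backup_remote_endpoint")


def psk_error(psk):
    """Return None when the pre-shared key is well formed, else a message."""
    if not psk:
        return "pre-shared key is empty"
    if psk.startswith(("0x", "0s")):
        payload = psk[2:]
        if not payload:
            return f"no data after the {psk[:2]} prefix"
        try:
            if psk.startswith("0x"):
                binascii.unhexlify(payload)      # needs an even number of hex digits
            else:
                base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            kind = "hex" if psk.startswith("0x") else "base64"
            return f"invalid {kind} after the {psk[:2]} prefix"
        return None
    if not (psk.isascii() and psk.isprintable()):
        return "plain pre-shared key must be printable ASCII"
    return None


def validate_import_csv(text):
    """Parse the CSV text and return (rows, errors).

    rows holds a dict keyed by COLUMNS for every line that parsed; errors is a
    list of human-readable problems. Header rows must already be removed, so a
    line whose second column is not an IP address is reported as a leftover.
    """
    rows, errors = [], []
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields or all(not f.strip() for f in fields):
            continue                                   # skip blank lines
        if len(fields) != len(COLUMNS):
            errors.append(f"line {lineno}: expected {len(COLUMNS)} columns, got {len(fields)}")
            continue
        row = dict(zip(COLUMNS, (f.strip() for f in fields)))
        try:
            ipaddress.ip_address(row["ip_address"])
        except ValueError:
            errors.append(f"line {lineno}: {row['ip_address']!r} is not an IP address "
                          "(leftover header row?)")
            continue
        if not row["name"]:
            errors.append(f"line {lineno}: endpoint name is empty")
        err = psk_error(row["pre_shared_key"])
        if err:
            errors.append(f"line {lineno}: {err}")
        rows.append(row)

    # Cross-row checks: unique names and resolvable backup endpoints.
    names = [r["name"] for r in rows]
    for name in sorted({n for n in names if names.count(n) > 1}):
        errors.append(f"endpoint name {name!r} appears more than once")
    for r in rows:
        backup = r["backup_remote_endpoint"]
        if backup == r["name"]:
            errors.append(f"{r['name']}: backup remote endpoint is the endpoint itself")
        elif backup and backup not in names:
            errors.append(f"{r['name']}: backup {backup!r} is not an endpoint in this file")
    return rows, errors


# Constructed sample file (no header rows), with one hex and one base64 key.
SAMPLE_CSV = """\
SJC-SanJose,203.0.113.10,Any,0x0a1b2c3d4e5f,203.0.113.11,PHX-Phoenix
PHX-Phoenix,203.0.113.20,Any,0sU2VjcmV0S2V5,203.0.113.21,SJC-SanJose
SEA-Seattle,203.0.113.30,Any,plainAsciiKey,,
"""

if __name__ == "__main__":
    rows, errors = validate_import_csv(SAMPLE_CSV)
    print(f"{len(rows)} endpoints parsed, {len(errors)} errors")
    for e in errors:
        print(" -", e)
```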

Interface Labels

Select the Primary and Backup interface labels for your traffic. Backup interface labels will be used if the primary interface labels are unreachable.
NOTE: Netskope does not support Active-Active backup.


1. Click Interface Labels. The Build Tunnels using these Interfaces for Netskope dialog box opens.
2. Drag the interface labels you want to use into the Primary area. (The Peer/Service names in the Tunnels table will be NSK_Primary_ and NSK_Primary_ .)
3. Drag the interface labels you want to use into the Backup area. (The Peer/Service names in the Tunnels table will be NSK_Backup_ and NSK_Backup_ .)
4. Drag the interface labels up or down to reorder the list as necessary.
5. Click Save.

Tunnel Settings

Click Tunnel Settings to configure the Netskope tunnel settings.

IP SLA Settings
1. Click IP SLA Settings. The IP SLA Settings for Netskope dialog box opens.
2. If all fields are dimmed, click Enable IP SLA rule orchestration.
3. Complete the following fields.

Monitor: Ping or HTTP/HTTPS.
Address: Netskope endpoint that the IP SLA subsystem will ping. Orchestrator prefills the Address field with the value from the Remote Endpoint Configuration table. You can configure up to three addresses.
Source interface: Select an orchestrated loopback label.

4. Accept the default values for the remaining fields, and then click Save. Orchestrator builds the tunnels.

Pause Orchestration (Optional)

When troubleshooting, you can click Pause Orchestration and then click Save to pause the service orchestration. To restart the service orchestration, click Resume Orchestration.

+BIO Breakout
By default, the tunnels associated with a third-party service will be available for BIOs. You can upload an icon to display on the Business Intent Overlays tab.
NOTE: Supported file types include PNG, JPEG, SVG, and WEBP. The recommended dimensions are x pixels.
1. Click +BIO Breakout. The Configure BIO Breakout for Netskope dialog box opens.
2. Click Upload Service Icon.
3. Locate and select the file, then click Open.
4. Click Save.
This icon will display next to the service name on the Business Intent Overlays tab. If you do not want this third-party provider to be available for BIOs, do the following:
1. Click +BIO Breakout. The Configure BIO Breakout for Netskope dialog box opens.
2. Clear the BIO Breakout check box.
3. Click Save.

Remote Endpoint Association

The final step to configure the integration in Orchestrator is to associate EdgeConnect appliances with remote endpoints. Use this page to add or remove endpoints from an appliance. It is recommended that you associate one remote endpoint per EdgeConnect appliance.

1. In the Orchestrator appliance tree, select one or more appliances to associate with Netskope remote endpoints.
2. Click Remote Endpoint Association. The Associate an Appliance to Netskope Remote Endpoints dialog box opens.
3. Select the Add or Remove check box next to the endpoints you want to associate with the selected appliances. Be sure to add the endpoints that are geographically closest to the appliances.
4. Verify the proposed changes to remote endpoints in the table to the right, and then click Save.

Add Tunnel Local Identifiers to Netskope

After the Service Orchestration integration is complete in Orchestrator, you must add the local tunnel identifiers (IKE IDs) to Netskope. You can simplify this process by exporting the Netskope configuration to a CSV file. The exported file contains all of the configuration details in the table on the Netskope page for all selected appliances, including IKE IDs.
NOTE: The tunnel local identifier value is a fixed format: hostname_labelname@IPaddress. For example, EAST -AWS_INETA@ .x.x.xxx.

1. In the Orchestrator appliance tree, select all appliances associated with Netskope remote endpoints.
2. On the Netskope page on the Service Orchestration tab, click Export to save the contents of the table to a CSV file.
3. Log in to Netskope.
4. In the IPSec configuration panel, replace the Source Identity values with the corresponding Tunnel Local Identifiers (IKE IDs) created by Orchestrator.

Verification
After Netskope is configured and the Netskope policy is applied successfully in the BIO, deployment will begin automatically. Go to the Netskope tab and view the Connection Status column to verify that the deployment was successful.


Set Up a New Service
To set up a new third-party service:
1. Click +Add Service and complete the following fields.

Name: Name of the new service.
Prefix: A prefix to assign to all tunnels for this service. Orchestrator will use this prefix to filter tunnels and IP SLAs.

2. Click Save. A new tab is created on the Service Orchestration page.
TIP: To edit or delete a service, click the edit icon next to the service name.
3. Select the tab for the new service and follow the steps explained in Set Up Netskope Integration to integrate this new service.

Deploy Cloud Hubs
You can deploy one or more EdgeConnect Virtual (EC-V) appliances in supported platforms. At this time, AWS and Azure are supported.
Before you begin, complete the following tasks:
1. On the AWS dashboard or the Azure portal, create an Identity and Access Management (IAM) user account with the permissions Orchestrator requires to create resources. A dedicated IAM user account for Orchestrator is recommended.
2. Create a policy that contains all permissions Orchestrator requires to create an EC-V.
3. Attach the policy to the Orchestrator's IAM user account.
4. Download the Security credentials of the Orchestrator's IAM user account.
5. If you are deploying EC-Vs in AWS, on the EC2 dashboard, create a key pair to assign to the EC-V. You will need this key pair if you want to SSH into the EC-V after the deployment.
After creating the IAM account, click New Deployment on the Cloud Hubs in AWS or Cloud Hubs in Azure tab to configure and deploy one or more EC-V cloud instances.
After deploying an EC-V in the cloud, navigate to the Discovered Appliances page in Orchestrator to view the deployment status. If the EC-V is still being deployed, the status in the Approve column will indicate Configuring. It takes approximately ten minutes to deploy and configure a cloud EC-V. Click Refresh Discovery Information to determine whether the appliance is ready to be approved into the SD-WAN fabric.
When configuration is complete and the green Approve button appears, the EC-V is fully configured in Inline Router mode with mgmt0, wan0, and lan0 MAC addresses assigned. While adding the EC-V, the Deployment Profile page will show the LAN IP address, WAN IP address, WAN interface firewall mode, and WAN bandwidth value assigned by Orchestrator.
You can upgrade the appliance software version on a cloud EC-V after approving and adding it to the SD-WAN fabric.


A er a cloud EC-V has been deployed, you can add another EC-V into the same deployment. The new EC-V will use the same settings from the existing deployment configuration such as account, region, VPC, key pair, and instance type. You can deploy the new instance into an Availability Zone that is already used by an existing appliance or a new Availability Zone.

Cloud Hubs in AWS
Configuration > Cloud Services > IaaS > Deploy Cloud Hubs in AWS
The Cloud Hubs in AWS tab provides the AWS account details and EC-V deployment configuration details for all cloud EC-Vs that have been deployed. Use this tab to:
· Create and modify AWS accounts
· Deploy EC-Vs in the AWS cloud
· Remove an AWS cloud deployment
NOTE: Before you can deploy EC-Vs to the AWS cloud, you must perform several tasks in AWS. For more information, see AWS Account Configuration.
The following table describes each field on this tab.

Name: Name given on the deployment configuration page.
VPC: CIDR block used for deployment.
Account: Name of the AWS account that was used to deploy the EC-Vs.
Instances: Number of EC-V instances in the deployment. To add one or more EC-Vs to the deployment, click +Add. In the New Instance on AWS dialog box, select the availability zone to use and any optional tags to apply to the new instance. Max indicates that the maximum number of instances have been created for the VPC CIDR block.
Status: Status of the deployment. If more information is available, an info icon is displayed.
NOTE: If the deployment was incomplete, the info dialog contains a link to download the log file and steps to resolve the issue.
Terminate: To permanently delete a deployment, click Terminate. This action deletes all resources associated with the EC-Vs, including all EC2 resources.
Deployment Info: Click the info icon in this column to view deployment and instance details, including the IP addresses associated with the mgmt0, wan0, and lan0 interfaces.
Resources: Click the info icon in this column to view details about each AWS resource that Orchestrator created during the deployment. This information is helpful when, for example, you need to identify the IP address of a security group to add a user to.


Comment: Comments that were added to the deployment when the EC-V was created. To edit the comment, click the edit icon.

Create or Modify an AWS Account

To create or modify an AWS account in Orchestrator:

1. Click AWS Accounts. The AWS Accounts dialog box opens.
2. Click New AWS Account or click the edit icon next to the account you want to edit. The AWS Account Configuration dialog box opens.
3. Complete or modify the elements as necessary.

Deploy a New EC-V

Click New Deployment to deploy one or more EC-V instances in AWS.

Remove an EC-V

If a deployment does not complete or you no longer want the EC-V in the AWS cloud, you can remove the deployment and all associated artifacts.
To remove a deployment, locate the deployment you want to remove, and then click Terminate in the desired row.

AWS Accounts
The AWS Accounts dialog box lists all of the AWS accounts that have been added.

· Click Add AWS Account to create a new account for EC-V deployments.
· Click the edit icon next to an existing account to modify that account's details.
NOTE: You cannot modify accounts that have active deployments.

AWS Account Configuration
Complete the following steps to create an AWS IAM user account with the required permissions for creating EC-V instances in AWS.

Create a Policy with the Required Permissions

1. Log in to the AWS Dashboard.
2. On the Find Services search menu, enter IAM to open the Identity and Access Management (IAM) page.
3. Under Access Management, click Policies. The Policies page opens.
4. Click Create policy and click the JSON tab.
5. Delete the existing text.
6. Go to this web page, click the link for your version of Orchestrator, and then copy and paste the JSON policy text into the editor.
7. Click Next: Tags.
8. (Optional) Add metadata to the policy by attaching tags as key-value pairs.
9. On the Review policy page, enter a name and optional description for the new policy.
10. Review the policy summary to see the permissions granted by your policy, and then click Create policy to save your work.

Attach the Policy to the Orchestrator IAM User Account

1. Click Users > Add user. The Add user page opens.
2. Enter a user name in the User name field (for example, ArubaOrchestrator).
3. Under Access type, select Programmatic access, and clear the AWS Management Console access check box.
4. Click Next: Permissions.
5. Under Set Permissions, click Attach existing policies.
6. Select the Policy document you created from the list, and then click Next: Review.
7. Under Permissions summary, click Add permissions.

Download the Orchestrator IAM User Account Credentials

1. On the Users page, click the Security credentials tab.
2. Download or copy and paste the Access key ID and Secret key ID to a secure place for later use.

Create a Key Pair to Assign to the EC-V

Review the instructions on this page to create a key pair in the AWS region where you plan to deploy the EC-V.


Add an AWS Account to Orchestrator

Complete the following fields for Orchestrator, and then click Save when finished.

Name: Enter a unique name. If you have multiple AWS accounts, you must enter a unique name for each account.
Access Key: Enter the Orchestrator IAM user's Access Key ID that you saved earlier.
Secret Key: Enter the Orchestrator IAM user's Secret Key ID that you saved earlier.
Comment: Enter a comment that provides any additional information about the AWS account.

Orchestrator validates the account information. This takes approximately seconds.

AWS Deployment Configuration
Use the AWS Deployment Configuration page to create one or more EC-V instances in an AWS region.
NOTE: If you do not have an AWS account configured in Orchestrator, the AWS Deployment Configuration dialog box is blank. Click the Accounts link to create an AWS account.


Name: Enter a name for the deployment. This name is used only for identifying the deployment. A deployment consists of one or more EC-Vs that Orchestrator creates in an AWS Virtual Private Cloud (VPC). Only alphanumeric characters and hyphens are allowed in the deployment name. The maximum allowed length is characters.
AWS Account: Select an AWS account to use for deploying the EC-V.
Region: Select an AWS region where you want to deploy the EC-V.
VPC CIDR: Enter a VPC Classless Inter-Domain Routing (CIDR) block. The smallest supported CIDR block is / and the largest supported CIDR block is / . Orchestrator creates all AWS resources required for the EC-V deployment within this VPC. For each EC-V you deploy, Orchestrator creates three subnets that are / in size. In other words, if you deploy two EC-Vs, Orchestrator creates six subnets in total. This is true even if both EC-Vs are created in a single Availability Zone.
SSH Key: Select an existing AWS key pair to assign to the EC-V. A key pair must be created prior to the deployment.
Boost (Optional): Boost requires additional resources on an AWS EC2 instance. After Boost and an appropriate WAN Bandwidth value are selected, Orchestrator displays the appropriate AWS instance types for the deployment on the Instance Type drop-down menu.
NOTE: Selecting the Boost check box does not enable Boost on the EC-V. It only allows Orchestrator to display appropriate AWS instance types that can support Boost for the selected WAN bandwidth. To enable Boost on the EC-V, go to the Deployment page and the Business Intent Overlay (BIO) page after the deployment is complete.
WAN Bandwidth: The Bandwidth drop-down list displays the current EdgeConnect license tiers. After you select a WAN Bandwidth value, Orchestrator displays the appropriate AWS instance types for the deployment on the Instance Type drop-down menu.
Instance Type: Based on your selection of Boost and WAN Bandwidth values, Orchestrator displays the appropriate AWS instance types on this drop-down menu.
AWS Tags (Optional): Any comma-separated tags entered here are applied to all AWS resources that Orchestrator creates while deploying the EC-V. If you do not enter any tags, Orchestrator automatically creates a unique tag for each AWS resource that it creates while deploying the EC-V. This AWS tag is created to identify each resource created by Orchestrator. The tag is formatted as follows: sp-automated-deployment name-instance-index-resource name.
Comment (Optional): Enter an optional comment if you want to attach any additional details for the deployment.


Advanced Settings: Custom AMI ID: If you want to deploy the EC-V with a specific public or private image, provide the AMI ID. You can obtain the AMI ID from the AWS console. Leave this field blank to allow Orchestrator to deploy the EC-V with the base AMI obtained from the AWS Marketplace.
Horizontally Scale: You can deploy multiple EC-Vs by clicking + and selecting the Availability Zone for each EC-V. If the selected region supports multiple Availability Zones, each Availability Zone is shown on the drop-down menu. When deploying multiple EC-Vs, it is best practice to deploy each EC-V in a unique Availability Zone.
Appliance Tag (Optional): Enter an Appliance Tag in this field if you want to assign a pre-configuration file to the deployment. If this field is left blank, Orchestrator will automatically assign an Appliance Tag for its own configuration purposes.

When you have completed all of the required fields, click Review and Deploy. Review the configuration summary, and click Deploy to create the EC-V instances.

Cloud Hubs in Azure
Configuration > Cloud Services > IaaS > Cloud Hubs in Azure
The Cloud Hubs in Azure tab provides the Azure account details and EC-V deployment configuration details for all Azure cloud EC-Vs that have been deployed.
NOTE: Before you can deploy EC-Vs to the Azure cloud, you must perform several tasks on the Azure portal. For more information, see Azure Subscription Configuration.
NOTE: EC-Vs that are deployed manually in Azure will not be displayed in Orchestrator.
Use this tab to:
· Create and modify Azure subscriptions
· Deploy EC-Vs in the Azure cloud
· Remove an Azure cloud deployment
NOTE: When you remove a deployment, all EC-Vs in the deployment will be deleted.
The following table describes each field on this tab.

Name: Name given on the deployment configuration page.
Virtual Network: CIDR block used for deployment.
Account: Name of the Azure account that was used to deploy the EC-Vs.


Instances: Number of EC-V instances in the deployment. To add one or more EC-Vs to the deployment, click +Add. In the New Instance on Azure dialog box, select the Availability Zone to use and any optional tags to apply to the new instance. Max indicates that the maximum number of instances have been created for this deployment. If the region you selected does not support Availability Zones, the New Instance in Azure dialog box will not display an Availability Zone menu.
Region: Region of the EC-V deployment.
Resource Group: Name of the Azure Resource Group that was used for the EC-V deployment.
Status: Status of the deployment. If more information is available, an information icon is displayed.
NOTE: If the deployment was incomplete, the info dialog contains a link to download the log file and steps to resolve the issue.
Terminate: To permanently delete a deployment, click Terminate. This action deletes all resources associated with the EC-Vs, including all Azure resources. If you created more than one EC-V in the deployment, all EC-Vs will be deleted when you click Terminate. The Resource Group that was used for the deployment will not be deleted.
Deployment Info: Click the info icon in this column to view deployment and virtual machine details.
Resources: Click the info icon in this column to view details about each Azure resource that Orchestrator created during the deployment.
Comment: Comments that were added to the deployment when the EC-V was created. To edit the comment, click the edit icon.

Create or Modify Azure Subscriptions

Click Azure Subscriptions to create or modify an Azure subscription in Orchestrator.

Deploy a New EC-V

Click New Deployment to deploy one or more EC-V instances in Azure.

Remove an EC-V

If a deployment does not complete or you no longer want the EC-V in the Azure cloud, you can remove the deployment and all associated artifacts.

To remove a deployment, locate the deployment you want to remove, and then click Terminate in the desired row.


Azure Subscriptions
The Azure Subscriptions dialog box lists all the Azure subscriptions that have been added to Orchestrator.

· Click New Azure Subscription to add a new Azure subscription.
· Click the edit icon next to an existing subscription to modify its details.
NOTE: You cannot modify subscriptions that have active deployments.

Add a New Azure Subscription
To add a new Azure subscription, click New Azure Subscription.

Edit an Existing Azure Subscription

To edit an existing Azure subscription:

1. Click the edit icon next to an existing subscription to modify that subscription's details. The Azure Subscription Configuration dialog box displays.
NOTE: You cannot modify subscriptions that have active deployments.
2. Modify the elements as necessary.
3. Click Save. Orchestrator validates the subscription information.
4. Click Close.

Azure Subscription Configuration
Before you begin an EC-V deployment from Orchestrator, you must perform the following tasks on the Azure portal.

1. Accept Azure Marketplace image terms for EdgeConnect to enable programmatic deployment
2. Create a New App Registration (also known as a Service Principal)
3. Create a New Resource Group
4. Create a Custom Role
5. Assign the Custom Role to the Resource Group
You will need the following information, as noted in the steps below, to add the Azure subscription to Orchestrator:
· Subscription ID
· Tenant ID
· Client ID
· Client Secret

Accept Azure Marketplace Image Terms

Accepting Azure Marketplace image terms for EdgeConnect is required for Orchestrator to automatically deploy an EdgeConnect image from the Azure Marketplace. You only need to do this once per Azure subscription.

1. Log in to the Azure Portal.
2. Under Azure services, click + Create a resource.
3. On the Create a resource page, enter edgeconnect and select the Silver Peak Unity EdgeConnect option.
4. On the Plan drop-down menu, select Silver Peak Unity EdgeConnect . . . , and then click Get started.
5. On the Configure Programmatic Deployment page, select Enable next to the subscription ID that you want to use to deploy the EdgeConnect VMs.
6. Click Save. A message at the top of the screen notifies you when configuration updates are complete.

Create a New App Registration

To create a new App registration:

1. Log in to the Azure Portal.
2. Click the + New registration button.
3. In the main search menu, enter app registrations and click App registrations.
4. On the Register an application page, in the Name field, enter a user-facing display name for the application.
5. Under Supported account types, select Accounts in this organizational directory only (Default Directory only - single tenant).
6. Optional: Enter a redirect URI.
7. Click Register.
NOTE: Note the Application (client) ID and Directory (tenant) ID. You will need these IDs when you add the subscription details in Orchestrator.
8. Under Manage, click Certificates & secrets.
9. Click New client secret.
10. Enter a Description and Expiration Date.
11. Click Add. A new client secret is created.
12. Copy the text in the Value column.
NOTE: This text can only be viewed immediately after creation. Be sure to save the secret before leaving the page.
13. On the main search menu bar, enter subscription and press Enter.
14. Copy the subscription ID.
You have successfully registered your application and gathered the details that are required for adding the Azure subscription details in Orchestrator. Continue to Create a New Resource Group.

Create a New Resource Group

Creating a new Resource Group on the Azure portal is a best practice. This ensures that Aruba Orchestrator only has access to that Resource Group to deploy EC-Vs. However, it is possible to deploy one or more EC-Vs into an existing Resource Group that contains other Azure resources.
To create a new resource group:

1. On the main search menu, enter resource group, and then select the Resource groups menu.
2. Click + Create.
3. On the Create a resource group page, select the subscription that you want to use to create the resource group.
4. Enter a name for the resource group, and then select a region.
5. Click Review + create.
6. Click Create.
Continue to Create a Custom Role.

Create a Custom Role

You must have Owner or User Access Administrator permissions to create custom roles. There are multiple ways to create a custom role. The following steps create a custom role from within the Resource Group that you created.

1. Select the resource group you created in Create a New Resource Group, and then click Access control (IAM).
2. Click Add, and then click Add custom role. The Custom Roles editor opens (the Basic tab is displayed).
3. In the Custom role name field, enter a name for the custom role. The name must be unique for the Azure AD directory. The name can include letters, numbers, spaces, and special characters.
4. In the Description field, enter an optional description for the custom role. The description will display in the tool tip for the custom role.
5. Accept the default value for the Baseline permissions, and then click the JSON tab.
6. Click Edit.
7. Go to this web page, and then click the link for your version of Orchestrator.
8. Copy the list of Azure permissions, and then paste the list within the square brackets under Actions (line ), as shown in the following figures.
9. Click Save.
10. Click the Assignable scopes tab. Verify that the resource group you created is added as an assignable scope and Type is set to the resource group.
11. Click the Permissions tab. Verify that the permissions, descriptions, and permission types you added are listed.
12. Click Review + create.
13. Click Create. A message displays to confirm that you have successfully created your custom role. Continue to Assign the Custom Role to the Resource Group.

Assign the Custom Role to the Resource Group

1. Navigate to the Resource Group you created, and then click Access control (IAM).
TIP: If you just completed the previous task of creating a custom role, the Access control (IAM) page is already open.
2. Click Add, and then click Add role assignment. The Role assignment page opens.
3. On the Role tab, enter the name of your custom role.
TIP: If the role you created is not displayed, refresh the page.
4. Select the custom role, and then click Next. The Members tab opens.
5. Ensure that User, group, or service principal is selected, and then click + Select members. The Select members page opens.
6. Enter the name of your App registration (Service Principal), and then select your app and click Select. Your app is added under Members.
7. Click Review + assign.
8. Click Review + assign again.
You have successfully assigned your custom role to the resource group. Continue to Add the Azure Subscription to Orchestrator.

Add the Azure Subscription to Orchestrator

To add the Azure subscription to Orchestrator:

1. Log in to Orchestrator.
2. Click Configuration > IaaS > Cloud Hubs in Azure.
3. Click Azure Subscriptions.
4. Click Add Azure Subscriptions.
5. Enter the Subscription ID, Tenant ID, Client ID, and Client Secret for the Azure subscription.
NOTE: If you copy and paste the subscription ID, Azure might add a blank space to the beginning of the subscription ID. Be sure to remove all spaces from your subscription ID.
6. Click Save. Orchestrator validates the subscription information.
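The custom-role JSON step (pasting the permission list under Actions and confirming the assignable scope is the resource group) and the subscription-entry step above (stripping the blank space Azure may prepend to a copied subscription ID), as one added example in Python; it is not Orchestrator's or Azure's code. It assumes the JSON tab's document shape (a properties object holding assignableScopes and a permissions array); the subscription ID, resource group name and permission names are constructed placeholders, and the real permission list comes from the web page for your Orchestrator version.

```python
"""Check the custom role and subscription details before adding Azure to Orchestrator.

Added example; it is not Orchestrator or Azure code. fill_custom_role pastes a
permission list into the actions array of the JSON shown on the Custom Roles
editor's JSON tab, check_role_scope verifies what the page asks you to confirm
(a single assignable scope of type resource group, permissions listed), and
normalize_subscription_details strips the stray space Azure may prepend to a
copied subscription ID. The JSON skeleton, IDs and permission names below are
constructed placeholders; use the permission list published for your
Orchestrator version.
"""
import json
import re
import uuid

# /subscriptions/<guid>/resourceGroups/<name> is the scope shape of a resource group.
RG_SCOPE = re.compile(r"^/subscriptions/([0-9a-fA-F-]{36})/resourceGroups/([^/]+)$")


def fill_custom_role(role_json, permissions):
    """Return the role document (as a dict) with `permissions` placed in actions."""
    role = json.loads(role_json)
    blocks = role["properties"]["permissions"]
    if len(blocks) != 1:
        raise ValueError("expected exactly one permissions block")
    if not permissions:
        raise ValueError("permission list is empty")
    blocks[0]["actions"] = list(permissions)
    return role


def check_role_scope(role, subscription_id, resource_group):
    """Return a list of problems; empty when the role is scoped to the given resource group."""
    problems = []
    props = role["properties"]
    scopes = props.get("assignableScopes", [])
    if len(scopes) != 1:
        problems.append(f"expected one assignable scope, found {len(scopes)}")
    for scope in scopes:
        match = RG_SCOPE.match(scope)
        if not match:
            problems.append(f"scope is not a resource group: {scope}")
        elif (match.group(1).lower() != subscription_id.lower()
              or match.group(2).lower() != resource_group.lower()):
            problems.append(f"scope is a different subscription or resource group: {scope}")
    actions = props["permissions"][0].get("actions", [])
    if not actions:
        problems.append("actions list is empty")
    if "*" in actions:
        problems.append("wildcard '*' grants more than the published permission list")
    return problems


def normalize_subscription_details(subscription_id, tenant_id, client_id, client_secret):
    """Remove whitespace from the three IDs, confirm they are GUIDs, and trim the secret."""
    cleaned = {}
    for key, value in (("subscription_id", subscription_id),
                       ("tenant_id", tenant_id), ("client_id", client_id)):
        value = "".join(value.split())          # drops leading, trailing and embedded spaces
        try:
            uuid.UUID(value)
        except ValueError:
            raise ValueError(f"{key} is not a GUID: {value!r}") from None
        cleaned[key] = value
    secret = client_secret.strip()
    if not secret:
        raise ValueError("client secret is empty; its Value is only shown right after creation")
    cleaned["client_secret"] = secret
    return cleaned


# Constructed placeholders (not real subscription, group or permission data).
SAMPLE_SUB = "11111111-2222-3333-4444-555555555555"
SAMPLE_RG = "orchestrator-ecv-rg"
SAMPLE_ROLE_JSON = json.dumps({
    "properties": {
        "roleName": "Orchestrator EC-V Deployer",
        "description": "",
        "assignableScopes": [f"/subscriptions/{SAMPLE_SUB}/resourceGroups/{SAMPLE_RG}"],
        "permissions": [{"actions": [], "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    }
})
SAMPLE_PERMISSIONS = [            # stand-ins for the published list
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Compute/virtualMachines/write",
]

if __name__ == "__main__":
    role = fill_custom_role(SAMPLE_ROLE_JSON, SAMPLE_PERMISSIONS)
    print("role problems:", check_role_scope(role, SAMPLE_SUB, SAMPLE_RG))
    print(normalize_subscription_details(" " + SAMPLE_SUB, SAMPLE_SUB, SAMPLE_SUB, "secret "))
```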


Deployment Configuration Azure
Use the Deployment Configuration Azure dialog box to create one or more EC-V instances in Azure.
NOTE: If you do not have an Azure subscription configured in Orchestrator, the Azure Deployment Configuration dialog box is blank. Click the Subscriptions link to create an Azure subscription.

Name: Enter a name for the deployment. This name is used only for identifying the deployment. A deployment consists of one or more EC-Vs that Orchestrator creates in an Azure Virtual Network. Only alphabetical letters and hyphens are allowed in the deployment name. The maximum allowed length is characters.
Azure Account: Select an Azure account to use for deploying the EC-V.
Region: Select an Azure region where you want to deploy the EC-V.
Virtual Network CIDR: Enter a Virtual Network Classless Inter-Domain Routing (CIDR) block. The smallest supported CIDR block is / and the largest supported CIDR block is / . Orchestrator creates all Azure resources required for the EC-V deployment within this virtual network. For each EC-V you deploy, Orchestrator creates three subnets that are / in size. In other words, if you deploy two EC-Vs, Orchestrator creates six subnets in total. This is true even if both EC-Vs are created in a single Availability Set or Availability Zone.


Boost: After Boost and an appropriate WAN Bandwidth value are selected, Orchestrator displays the appropriate Azure instance types for the deployment on the Instance Type menu.
NOTE: Selecting Boost does not enable Boost on the EC-V. It only allows Orchestrator to display appropriate Azure instance types that can support Boost for the selected WAN bandwidth. To enable Boost on the EC-V, go to the Deployment page and the Business Intent Overlay (BIO) page after the deployment is complete.
WAN Bandwidth: The WAN bandwidth list displays the current EdgeConnect license tiers. After you select a WAN Bandwidth value, Orchestrator displays the appropriate Azure instance types for the deployment in the Instance Type list.
Instance Type: Based on your selected Boost and WAN Bandwidth values, Orchestrator displays the appropriate instance types.
Availability Option: Select Availability Set or Availability Zone. Some regions only support Availability Set. Aruba recommends selecting Availability Zone, if it is available.
SSH Public Key: Generate a public key with an application, such as PuTTYgen, and then input the value here.
IMPORTANT: EdgeConnect only supports single-line SSH public keys. Do not use multi-line SSH public keys.
NOTE: Save the private key file. If you need to log in via SSH to the appliance after it is deployed, you will need this key.
Azure Tags (Optional): Any comma-separated tags entered here are applied to all Azure resources that Orchestrator creates while deploying the EC-V. If you do not enter any tags, Orchestrator automatically creates a unique tag for each Azure resource that it creates while deploying the EC-V. This Azure tag is created to identify each resource created by Orchestrator. The tag is formatted as follows: sp-automateddeployment name-instance-index-resource name.
Comment (Optional): Enter an optional comment if you want to attach any additional details for the deployment.
Advanced Settings: Custom VHD: Leave this field blank unless you have an EdgeConnect VHD that you want to use for the deployment. When this field is blank, the Azure Marketplace image is deployed.


Horizontal Scale: You can deploy multiple EC-Vs by clicking + and selecting the Availability Set or Availability Zone for each EC-V. If the selected region supports multiple Availability Zones, each Availability Zone displays on the menu. You can deploy up to EC-Vs with a CIDR block of / . If you need to deploy more than five EC-Vs within a single virtual network, select a virtual network CIDR block that is bigger than / , such as / or / . The maximum number of EC-Vs you can deploy within a single network is .
Appliance Tag (Optional): Enter an Appliance Tag. If this field is left blank, Orchestrator automatically assigns an Appliance Tag for its own configuration purposes.
Availability Zone: Enter the Azure Availability Zone for the EC-V.
NOTE: This field only displays if the region supports Availability Zones.

When you have completed all the required fields, click Review and Deploy. Review the configuration summary, and then click Deploy to create the EC-V instances.

Administration
The menus under Administration are related to appliance administration. They include general settings, software management, and tools for troubleshooting and maintenance, and are organized as follows:
· General Settings
· Software
· Tools
Administration > General Settings
The options under Administration > General Settings focus on how to apply and manage the core settings for Orchestrator appliances, including user accounts, date/time, flows, certificates, SNMP, and more.
Appliance User Accounts Tab
Administration > General Settings > Users & Authentication > Users
This tab provides data about the user accounts on each appliance.


The EdgeConnect appliance's built-in user database supports user names, groups, and passwords.
· Each appliance has two default user accounts, admin and monitor, that cannot be deleted.
· Each User Name belongs to one of two user groups: admin or monitor.
  - The monitor group supports reading and monitoring of all data, in addition to performing all actions. This is equivalent to the Command Line Interface's (CLI) enable mode privileges.
  - The admin group supports full privileges, along with permission to add, modify, and delete. This is equivalent to the CLI's configuration mode privileges.
· Named user accounts can be added by using the Appliance Manager or the Command Line Interface (CLI).
· User Names are case-sensitive.
· The table lists all users known to the appliances, whether or not their accounts are enabled.
Appliance User Accounts Edit Row
This dialog box provides data about the user accounts on an appliance. The EdgeConnect appliance's built-in user database supports user names, groups, and passwords.
· Each appliance has two default user accounts, admin and monitor, that cannot be deleted.
· Each User Name belongs to one of two user groups: admin or monitor.
  - The monitor group supports reading and monitoring of all data, in addition to performing all actions. This is equivalent to the Command Line Interface's (CLI) enable mode privileges.
  - The admin group supports full privileges, along with permission to add, modify, and delete. This is equivalent to the CLI's configuration mode privileges.

· Named user accounts can be added by using the Appliance Manager or the Command Line Interface (CLI).
· User Names are case-sensitive.
· The table lists all users known to the appliances, whether or not their accounts are enabled.

Auth/RADIUS/TACACS+ Tab
Administration > General Settings > Users & Authentication > Auth/RADIUS/TACACS+
This tab displays the configured settings for authentication and authorization. If the appliance relies on either a RADIUS or TACACS+ server for those services, those settings are also reported. All settings are initially applied via the Auth/RADIUS/TACACS+ configuration template.

Authentication and Authorization

Authentication and Authorization Fields

Field: Description

Appliance Name: Name of the appliance selected.
Authentication Order: When it is possible to validate against more than one database (local, RADIUS server, TACACS+ server), Authentication Order specifies which method to try in what sequence: Authentication Order First, Order Second, and Order Third.
Authorization Map Order: Map ordering determines which server is used first. Select the map ordering from the drop-down list: Local-Only, Remote-First, and Remote-Only. The default (and recommended) value is Remote-First.
Authorization Default Role: Default role assigned for authorization. The default (and recommended) value is admin.
Authentication: Process of validating that the end user, or a device, is who they claim to be.
Authorization: Action of determining what a user is allowed to do. Generally, authentication precedes authorization.
Map Order: Default (and recommended) value is Remote First.

RADIUS and TACACS+ Server Fields

Field: Description

Auth Port: For RADIUS, the default value is . For TACACS+, the default value is .
Auth Type: (TACACS+) The options are pap or ascii.
Enabled: Whether or not the server is enabled.
Retries: Number of attempts allowed before lockout.
Server Type: RADIUS or TACACS+.
Timeout: If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs them out and returns them to the login page. You can change that value, as well as the maximum number of sessions, in the Session Management template.

Auth/RADIUS/TACACS+ Edit Row
Select the Authentication Order and Authorization information in this dialog box. You can also add a RADIUS and TACACS+ Server by clicking Add under each section.

Authentication Order

Choose which authentication database you want to be First, Second, and Third from the designated drop-down lists.

Authorization Information

Select the Map Order and the Default Role from the designated drop-down lists.
This tab displays the configured settings for authentication and authorization. If the appliance relies on either a RADIUS or TACACS+ server for those services, those settings are also reported. All settings are initially applied via the Auth/RADIUS/TACACS+ configuration template.

Authentication and Authorization

Authentication and Authorization Fields

Field: Description

Authentication: Process of validating that the end user, or a device, is who they claim to be.
Authorization: Action of determining what a user is allowed to do. Generally, authentication precedes authorization.
Authentication Order: When it is possible to validate against more than one database (local, RADIUS server, TACACS+ server), Authentication Order specifies which method to try in what sequence. Default is Local-first.
Map Order: Default (and recommended) value is Remote First.
Default Role: Default (and recommended) value is admin.

RADIUS and TACACS+ Server Fields

Field: Description

Order: Method RADIUS and TACACS+ specifies first: local first.
Auth Port: For RADIUS, the default value is . For TACACS+, the default value is .
Auth Type: (TACACS+) The options are pap or ascii.
Enabled: Whether or not the server is enabled.
Retries: Number of attempts allowed before lockout.
Server Type: RADIUS or TACACS+.
Timeout: If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs them out and returns them to the login page. You can change that value, as well as the maximum number of sessions, in the Session Management template.

Date/Time Tab
Administration > General Settings > Setup > Date/Time
This tab highlights significant time discrepancies among the devices recording statistics.

If the date and time of an appliance, the Orchestrator server, and your browser are not all synchronized, charts (and statistics) inevitably have different timestamps for the same data, depending on which device you use to view the reports.
TIP: For consistent results, configure the appliance, the Orchestrator server, and your PC to use an NTP (Network Time Protocol) server.
To specify date and time settings for your appliances, click the Edit icon.

Date/Time Dialog Box
Use this dialog box to configure a synchronized date and time across your Orchestrator server, appliances, and NTP server. Complete the following steps to begin.
1. From the Time Zone drop-down list, select the current time zone that is applicable to your network.
2. Select either Manual or NTP Time Synchronization.
   · Manual: Select either Manual or NTP Time Synchronization.
   · NTP: Click Add, and then enter the IP address of the NTP Server along with the version.
3. Click Apply.

DNS (Domain Name Servers) Tab
Administration > General Settings > Setup > DNS
This tab lists the Domain Name Servers that the appliances reference.

A Domain Name Server (DNS) uses a table to map domain names to IP addresses so you can reference locations by a domain name, such as mycompany.com, instead of using the IP address.
Each appliance can support up to three name servers.

Field: Description

Appliance Name: Name of the appliance.
Primary DNS IP addr: IP address of the DNS the system uses first.
Secondary DNS IP addr: IP address of the DNS the system uses second.
Tertiary DNS IP addr: IP address of the DNS the system uses last.

To add the three domain name servers, click the Edit icon.

DNS (Domain Name Servers) Edit Row
On this dialog box, you can configure up to three name servers. Enter the three server DNS IP addresses, and then click Add to apply the name to the domain.

SNMP Tab
Administration > General Settings > Setup > SNMP
This tab summarizes the SNMP configuration for each of the selected appliances.

SNMP Overview
EdgeConnect appliances support Management Information Base (MIB-II) as described in RFC for cold start traps, warm start traps, and EdgeConnect private MIBs. Appliances issue an SNMP trap during reset when loading a new image, recovering from a crash, or rebooting. An appliance sends a trap every time an alarm is raised or cleared. Traps contain additional information about alarms, including severity, sequence number, a text-based description of the alarm, and the time the alarm was created. For more information, you can download a .zip archive containing supported MIBs here.
Modify SNMP Configuration
To modify the SNMP configuration, click the Edit icon to the left of an appliance row. Use this page to configure the appliance's SNMP agent and trap receivers.
1. To activate configuration options for SNMP v /v , SNMP v , and Trap Receivers details, select the Enable SNMP check box.
2. If you select the Enable SNMP Traps check box, the SNMP agent on the appliance sends traps to configured receivers.
3. Use the Default Trap Community field to specify the string the trap receiver uses to accept traps being sent to it. The default value is public. You can modify this value.

SNMP v /v
Configure the following fields for SNMP v and v c.

Field: Description

Enable SNMP: Allows the SNMP agent on the appliance to send traps to configured receivers.
Read-Only Community: The SNMP application needs to present this text string (secret) to poll the appliance's SNMP agent. The default value is public. You can modify this value.

SNMP
For additional security, configure SNMP v if you want to authenticate without using clear text. To add an SNMP v user, click Add above the SNMP v table and configure the following properties:

Field: Description

Enabled: Select this check box to enable the selected user. Clear this check box to disable the user and maintain the configuration.
Username: Enter the username to identify the SNMP v user.
Authentication Type: Select the authentication type to use for SNMP requests from the user.
NOTE: Authentication type is required and SHA- is the only supported algorithm.
Authentication Password: Enter a password that the SNMP agent can use to authenticate requests sent by the user.
NOTE: The password must be at least characters long.
Privacy Type: Select the encryption type to use for encrypting requests from the SNMP user.
NOTE: Encryption is required, and AES- is the only supported algorithm.
Privacy Password: Enter a password (key) to use for encrypting requests sent by the user.
NOTE: The password must be at least characters long.

To delete an SNMP v user, click the X to the right of the entry in the table.
Trap Receivers
To configure a trap receiver, click Add above the Trap Receivers table and configure the following properties:
NOTE: You can configure up to three trap receivers per appliance.

Field: Description

Host: IP address of the host where traps should be sent.
Version: Select the SNMP version of the trap receiver.
Community/Username: For v and v c, enter the community string the receiver should use to accept traps. If left blank, the default community string (public) is used. If a different community string is configured on the trap receiver, enter it here. For v , specify the SNMP v user that is sending traps to the receiver.
Enabled: Select this check box to enable the receiver. Clear this check box to disable the receiver and maintain the configuration.

To delete a receiver, click the X to the right of the entry in the table.

Modify SNMP Configuration
Use this dialog box to configure the appliance's SNMP agent and trap receivers.
1. Select the Enable SNMP check box to activate configuration options for SNMP v /v , SNMP v , and Trap Receivers details.
2. If you select the Enable SNMP Traps check box, the SNMP agent on the appliance sends traps to configured receivers.
3. Use the Default Trap Community field to specify the string the trap receiver uses to accept traps being sent to it. The default value is public. You can modify this value.

SNMP v /v
Configure the following fields for SNMP v and v c.

Field: Description

Enable SNMP: Allows the SNMP agent on the appliance to send traps to configured receivers.
Read-Only Community: The SNMP application needs to present this text string (secret) to poll the appliance's SNMP agent. The default value is public. You can modify this value.

SNMP
For additional security, configure SNMP v if you want to authenticate without using clear text. To add an SNMP v user, click Add above the SNMP v table and configure the following properties:


Field: Description

Enabled: Select this check box to enable the selected user. Clear this check box to disable the user and maintain the configuration.
Username: Enter the username to identify the SNMP v user.
Authentication Type: Select the authentication type to use for SNMP requests from the user.
NOTE: Authentication type is required and SHA- is the only supported algorithm.
Authentication Password: Enter a password that the SNMP agent can use to authenticate requests sent by the user.
NOTE: The password must be at least characters long.
Privacy Type: Select the encryption type to use for encrypting requests from the SNMP user.
NOTE: Encryption is required, and AES- is the only supported algorithm.
Privacy Password: Enter a password (key) to use for encrypting requests sent by the user.
NOTE: The password must be at least characters long.

To delete an SNMP v user, click the X to the right of the entry in the table.
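The SNMP v user passwords configured above (in both the SNMP tab and the Modify SNMP Configuration dialog) are never used on the wire directly: the agent converts each one into a key bound to its own engine ID. This added illustration, not code from the Aruba guide, implements that RFC 3414 password-to-key and key-localization procedure; the hash name (sha256 by default, sha1 for the RFC test vector) and the engine IDs are assumptions.

```python
import hashlib
from typing import Sequence

# RFC 3414 feeds exactly 1,048,576 bytes of the repeated password into the hash.
_PASSWORD_STREAM_LEN = 1_048_576


def password_to_key(password: str, hash_name: str = "sha256") -> bytes:
    """Password-to-key (Ku): hash a 1 MiB stream built by repeating the password.

    The hash corresponds to the user's Authentication Type; which SHA variant an
    appliance uses is not modelled here, so hash_name is an assumption.
    """
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("SNMPv3 password must not be empty")
    stream = (pw * (_PASSWORD_STREAM_LEN // len(pw) + 1))[:_PASSWORD_STREAM_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha256") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to a single agent.

    Because the engine ID is mixed in, a password reused on several appliances
    still yields a different on-the-wire key for each one.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, hash_name: str = "sha256") -> bytes:
    """Full derivation as an agent performs it for the Authentication Password
    (and, with the Privacy Password, for the encryption key)."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def keys_differ_per_engine(password: str, engine_ids: Sequence[bytes]) -> bool:
    """True when every engine ID produces a distinct localized key."""
    keys = {localized_key(password, eid) for eid in engine_ids}
    return len(keys) == len(engine_ids)


if __name__ == "__main__":
    # Two constructed engine IDs standing in for two appliances.
    engines = [bytes.fromhex("8000000001020304"), bytes.fromhex("8000000001020305")]
    for eid in engines:
        print(eid.hex(), localized_key("correct horse battery staple", eid).hex())
    print("distinct per appliance:",
          keys_differ_per_engine("correct horse battery staple", engines))
```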
Trap Receivers
To configure a trap receiver, click Add above the Trap Receivers table and configure the following properties:
NOTE: You can configure up to three trap receivers per appliance.

Field: Description

Host: IP address of the host where traps should be sent.
Version: Select the SNMP version of the trap receiver.
Community/Username: For v and v c, enter the community string the receiver should use to accept traps. If left blank, the default community string (public) is used. If a different community string is configured on the trap receiver, enter it here. For v , specify the SNMP v user that is sending traps to the receiver.
Enabled: Select this check box to enable the receiver. Clear this check box to disable the receiver and maintain the configuration.

To delete a receiver, click the X to the right of the entry in the table.


Flow Export Tab

Administration > General Settings > Setup > Flow Export
This tab summarizes how the appliances are configured to export statistical data to NetFlow and IPFIX collectors. The Flow Exporting Enabled setting allows the appliance to export the data to collectors. The appliance exports flows against two virtual interfaces, sp_lan and sp_wan, that accumulate the total of LAN-side and WAN-side traffic, regardless of physical interface.
To open the Flow Export Configuration dialog box, click the Edit icon.

Custom Information Elements

The following tables describe the Custom Information Elements.

Data Type: ipv Address

clientIPv Address (Semantics: default)
  TCP: source ipv address of SYN initiator is the client.
  UDP: source ipv address of the first packet is the client.
serverIPv Address (Semantics: default)
  TCP: destination ipv address of SYN initiator is the client.
  UDP: destination ipv address of the first packet is the client.
connectionInitiator (Semantics: default)
  TCP: source ipv address of SYN initiator is the connection initiator.
  UDP: source ipv address of the first packet is the connection initiator.

Data Type: unsigned

connectionNumberOfConnections (Semantics: totalCounter)
  Number of TCP connections ( -way handshake) or UDP sessions established.
connectionServerResponsesCount (Semantics: totalCounter)
  Currently .
connectionTransactionCompleteCount (Semantics: totalCounter)
  Currently .

Data Type: unsigned

connectionServerResponseDelay (Units: MS)
  TCP: Round-trip time between SYN and SYN-ACK.
  UDP: Round-trip time between first onward and return packet.
connectionNetworkToServerDelay (Units: MS)
  TCP: Round-trip time between SYN and SYN-ACK.
  UDP: Round-trip time between first onward and return packet. It is also called Server Network Delay (SND).
connectionNetworkToClientDelay (Units: MS)
  TCP: Round trip between SYN-ACK and ACK.
  UDP: Round-trip time between first response and second request packet. It is also called Client Network Delay (CND).
connectionClientPacketRetransmissionCount (Semantics: totalCounter)
  Currently .
connectionClientToServerNetworkDelay (Units: MS)
  Network Time/Network Delay is known as the round-trip time that is the summation of CND and SND. It is also called Network Delay (ND).
connectionApplicationDelay (Units: MS)
  TCP: Round-trip time between SYN and SYN-ACK.
  UDP: Round-trip time between first onward and return packet.
connectionClientToServerResponseDelay (Units: MS)
  The round-trip time that is the summation of CND and SND.
connectionTransactionDuration (Units: MS)
  The flow displays the time difference between the first and last packet.
connectionTransactionDurationMin (Units: MS)
  The flow displays the time difference between the first and last packet.
connectionTransactionDurationMax (Units: MS)
  The flow displays the time difference between the first and last packet.

Data Type: unsigned

connectionServerOctetDeltaCount (Semantics: deltaCounter; Units: octets)
  Server initiated byte count. If flow is lan to wan, Lan-Tx byte counter. If flow is wan to lan, Lan-Rx byte counter.
connectionServerPacketDeltaCount (Semantics: deltaCounter; Units: packets)
  Server initiated byte count. If flow is lan to wan, Lan-Tx byte counter. If flow is wan to lan, Lan-Rx byte counter.
connectionClientOctetDeltaCount (Semantics: deltaCounter; Units: octets)
  Server initiated byte count. If flow is lan to wan, Lan-Tx byte counter. If flow is wan to lan, Lan-Rx byte counter.
connectionClientPacketDeltaCount (Semantics: deltaCounter; Units: packets)
  Server initiated byte count. If flow is lan to wan, Lan-Tx byte counter. If flow is wan to lan, Lan-Rx byte counter.

Data Type: String

applicationHttpHost (Semantics: default; Field Length: variable length)
  HTTP destination domain name.
applicationCategory (Semantics: default; Field Length: variable length)
  Application group.
from-zone (Semantics: default; Field Length: variable length)
  (Source Zone) name for the flow when ZBF is configured.
to-zone (Field Length: variable length)
  (Destination zone) name for the flow when ZBF is configured.
tag (Semantics: default; Field Length: variable length)
  User-specified readable string/tag that can be specified when the ZBF rule is configured. If "tag" is not specified, an automatic tag will be created and exported. The automatic/default tag is constructed by concatenating <from-zone>_<to-zone>_<rule priority>. For example, "lan-zone_corp-zone_ ".
overlay (Semantics: default; Field Length: variable length)
  Overlay name the zone belongs to.
direction (Semantics: default; Field Length: variable length)
  Direction of the flow: outbound or inbound.

Flow Export Edit Row
The following table describes the Flow Export configuration options.

Field: Description

Enable Flow Exporting: Move the toggle to enable or disable flow exporting.
Active Flow Timeout: Amount of time an active flow has been timed out (in minutes).
IPFIX Template Timeout: Resending of templates based on a timeout.
Traffic Type: Check as many of the traffic types as you want. The default is WAN TX.
Information Elements: Check Firewall Zones, Application Performance, or both.
· If you check Firewall Zones:
  - Orchestrator generates data based specifically on the zone-based firewalls associated with the specified flow.
  - For example: Host Name, From Zone, To Zone, Tag, Action, Direction, and so forth.
· If you check Application Performance:
  - Orchestrator generates data based specifically on the application performance associated with each flow.
  - For example: clientIPv Address, serverIPv Address, connectionInitiator, applicationHttpHost, and so forth.
  - These interfaces appear in SNMP and are, therefore, "discoverable" by NetFlow and IPFIX collectors.
  - The Collector's IP Address is the IP address of the device to which you are exporting the NetFlow/IPFIX statistics. The default Collector Port is .
· For more information about IPFIX and the associated Custom Information Elements (IEs), see Cloud Information Elements.

Logging Tab

Administration > General Settings > Setup > Logging
This tab summarizes the following configured logging parameters:
· Log Configuration refers to local logging.
· Log Facilities Configuration refers to remote logging.
The logs keep track of alarms, events, and any other issues involving your appliances.

Severity Levels

In order of decreasing severity, the levels are as follows:

Severity Level: Description

__EMER__GENCY: System is unusable.
ALERT: Includes all alarms the appliance generates: CRITICAL, MAJOR, MINOR, and WARNING.
__CRIT__ICAL: Critical event.
__ERR__OR: An error. This is a non-urgent failure.
WARNING: A warning condition. Indicates an error will occur if action is not taken.
NOTICE: A normal, but significant, condition. No immediate action required.
__INFO__RMATIONAL: Informational. Used by Support for debugging.
DEBUG: Used by Support for debugging.
NONE: If you select NONE, no events are logged.

· The bolded part of the name is what displays in the log files.
· These are related to event logging levels, not alarm severities, even though some naming conventions overlap. Events and alarms have different sources. Alarms, when they clear, list as the ALERT level in the Event Log.

Remote Logging

· You can configure the appliance to forward all events, at and above a specified severity, to a remote syslog server.

· A syslog server is independently configured for the minimum severity level that it will accept. Without reconfiguring, it might not accept as low a severity level as you are forwarding to it.

· Each message/event type (System / Audit / Flow / Ids) is assigned to a syslog facility level (local to local ).
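The three points above interact: the appliance forwards everything at or above its own minimum severity, stamps each message with the facility assigned to its log type, and the syslog server then applies its own, independently configured minimum. This added example, not code from the Aruba guide, models that pipeline with standard syslog numbering and shows which constructed events are sent but discarded at the receiver; the facility assignments and sample events are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Numeric syslog severities (RFC 5424, Table 2). The guide's NONE level has no
# wire value: it means nothing is forwarded at all.
SEVERITY: Dict[str, int] = {
    "EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
    "WARNING": 4, "NOTICE": 5, "INFORMATIONAL": 6, "DEBUG": 7,
}
# The local0..local7 facilities are numbered 16..23 in syslog.
LOCAL_FACILITY: Dict[str, int] = {f"local{i}": 16 + i for i in range(8)}


@dataclass(frozen=True)
class Event:
    log_type: str   # System, Audit, Flow or Ids: each maps to one facility
    level: str      # one of the SEVERITY names
    message: str


# Constructed assignment of each appliance log type to a syslog facility.
FACILITIES: Dict[str, str] = {
    "System": "local0", "Audit": "local1", "Flow": "local2", "Ids": "local3",
}

# Constructed sample events, as an appliance might raise them.
SAMPLE_EVENTS: List[Event] = [
    Event("System", "CRITICAL", "Tunnel to hub-1 down"),
    Event("Audit", "WARNING", "Failed login for user jdoe"),
    Event("Flow", "NOTICE", "Flow export to collector resumed"),
    Event("Ids", "ALERT", "IDS signature match on flow 42"),
    Event("System", "DEBUG", "Health check probe sent"),
]


def syslog_pri(facility: str, level: str) -> int:
    """PRI value that leads a syslog message: facility * 8 + severity."""
    return LOCAL_FACILITY[facility] * 8 + SEVERITY[level]


def forwarded_events(events: Sequence[Event], forward_min: str,
                     facilities: Dict[str, str]) -> List[Tuple[int, Event]]:
    """Events the appliance forwards: at or above forward_min.

    Lower numbers are more severe, so "at or above" means numerically <=.
    """
    if forward_min == "NONE":
        return []
    threshold = SEVERITY[forward_min]
    return [(syslog_pri(facilities[e.log_type], e.level), e)
            for e in events if SEVERITY[e.level] <= threshold]


def accepted_by_receiver(tagged: Sequence[Tuple[int, Event]],
                         receiver_min: str) -> List[Tuple[int, Event]]:
    """Of the forwarded messages, those the syslog server's own minimum admits.

    The severity is recovered from the PRI (PRI mod 8), as a receiver would.
    """
    threshold = SEVERITY[receiver_min]
    return [(pri, e) for pri, e in tagged if pri % 8 <= threshold]


def silently_dropped(events: Sequence[Event], forward_min: str, receiver_min: str,
                     facilities: Dict[str, str]) -> List[Event]:
    """Events the appliance sends but the receiver discards: the gap the guide warns about."""
    sent = forwarded_events(events, forward_min, facilities)
    kept = {e for _, e in accepted_by_receiver(sent, receiver_min)}
    return [e for _, e in sent if e not in kept]


if __name__ == "__main__":
    # Appliance forwards NOTICE and above; receiver only accepts WARNING and above.
    for e in silently_dropped(SAMPLE_EVENTS, "NOTICE", "WARNING", FACILITIES):
        print(f"dropped at receiver: [{e.log_type}/{e.level}] {e.message}")
```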

Logging Edit Row
Use this dialog box to set the Log Settings, specify the Log Facilities, and add Remote Log Receivers.
Log Settings

Setting: Description

Minimum severity level: Minimum severity level that the system will log.
Start new file when log reaches: Enter the maximum amount you want Orchestrator to generate a new file at. The limit is MB.
Keep at most log files: Amount of log files you want stored. is the maximum amount.

Log Facilities Configuration

Select the log facilities you want the System, Audit, Flow, and Ids logs to use. You can choose between Local and Local for each.

Remote Log Receivers

Click Add and enter the IP address of the remote log receiver you want to add.

Banners Tab
Administration > General Settings > Setup > Banners
This tab lists the banner messages on each appliance.

Each appliance can have two banner messages:
· The Login Message appears before the login prompt.
· The Message of the Day appears after a successful login.
To enter your banner message, click the Edit icon.
Banners Edit Row
Enter your message in the boxes, and then click Apply.
HTTPS Certificate Tab
Administration > General Settings > Setup > HTTPS Certificate
The VXOA software includes a self-signed certificate that secures the communication between the user's browser and the appliance. You also have the option to install your own custom certificate, acquired from a CA certificate authority.

To use a custom certificate with a specific appliance:
1. Consult with your IT security team to generate a certificate signing request (CSR), and then submit it to your organization's chosen SSL Certificate Authority (CA). Examples of Certificate Authorities include GoDaddy, Verisign, Comodo, Symantec, Microsoft Entrust, GeoTrust, and so forth.
   · For a list of what is supported, refer to EdgeConnect and Orchestrator Security Algorithms.
   · All certificate and key files must be in PEM format.
2. After the Certificate Authority provides a CA-verified certificate:
   · If your IT security team advises the use of an Intermediate CA, use an Intermediate Certificate File. Otherwise, skip this file.
   · Click the Edit icon next to the target appliance, and upload the certificate file from the CA.
   · Upload the Private Key File that was generated as part of the CSR.
3. To associate the CA-verified certificate for use with Orchestrator, click Add.

HTTPS Certificate Edit Row
Select one of the following two options:
· Self Signed Certificate: The VXOA software includes a self-signed certificate that secures the communication between the user's browser and the appliance.
· Custom Certificate: You also have the option to install your own custom certificate, acquired from a CA certificate authority.
To use a custom certificate with a specific appliance:
1. Consult with your IT security team to generate a certificate signing request (CSR), and then submit it to your organization's chosen SSL Certificate Authority (CA). Examples of Certificate Authorities include GoDaddy, Verisign, Comodo, Symantec, Microsoft Entrust, GeoTrust, and so forth.
   · For a list of what is supported, refer to EdgeConnect and Orchestrator Security Algorithms.
   · All certificate and key files must be in PEM format.
2. After the Certificate Authority provides a CA-verified certificate:
   · If your IT security team advises the use of an Intermediate CA, use an Intermediate Certificate File. Otherwise, skip this file.
   · Click the Edit icon next to the target appliance, and Upload the Certificate File from the CA.
   · Upload the Private Key File that was generated as part of the CSR.
3. To associate the CA verified certificate for use with Orchestrator, click Add.


Orchestrator Reachability Tab
Administration > General Settings > Setup > Orchestrator Reachability
You can specify how each appliance connects to Orchestrator by designating one of its interface Labels.

Custom Appliance Tags
Administration > General Settings > Setup > Custom Appliance Tags
Use this tab to create and assign tags to an appliance or a group of appliances. A tag acts as a filter or identity when searching for appliances. Complete the following steps to create a custom tag.
1. Click the Edit icon.
2. Click the selected row in Key, and then enter the name of the tag you want to use.
3. Click the selected row in Value, and then enter a brief description of what the tag represents.
4. Click Apply.
NOTE: You can create up to eight tags.

Administration > Software
The options under Administration > Software focus on software-related tasks such as managing system information with templates, upgrading appliance software, configuring and restoring backups, and removing appliances from Orchestrator.

System Information
Administration > Software > Upgrade > System Information
You can manage system information with templates (except for Deployment Mode, which is an appliance-specific configuration). To change a Deployment Mode, navigate to Configuration > Networking > Deployment. When you click the Edit icon next to a specific appliance, the following two screens are available:
· System Summary

· System Settings

The following table describes the properties and configuration options available in these templates.

Property Key: Description

Active Release: Specifies the software release the appliance is running.
Allow WAN to WAN routing: Redirects inbound LAN traffic back to the WAN.
Always send pass-through traffic to original sender: If the tunnel goes down when using WCCP and PBR, traffic that was intended for the tunnel is sent back the way it came.
Appliance ID: Unique identifier for the appliance.
Appliance Key: Orchestrator assigns and uses this key to identify the appliance.
Appliance Model: Specific EC, EC-V, NX, VX, or VRX model.
Auto Flow Re-Classify: Specifies how often to do a policy lookup.
BIOS Version: Version of BIOS firmware that the appliance is using.

Property Key: Description

Bridge Loop Test: Only valid for virtual appliances. When enabled, the appliance can detect bridge loops. If it detects a loop, the appliance stops forwarding traffic and raises an alarm. Appliance alarms include recommended actions.
Configured Media Type: Is either ram and disk (VX) or ram only (VRX). Can be changed for special circumstances if recommended by Support.
Connection Type: Method that Orchestrator uses to communicate with the appliance. Options are WEBSOCKET, PORTAL, and HTTP.
Contact Email: Email address of the person to contact within your organization (optional).
Contact Name: Name of the person to contact within your organization (optional).
Discovery Method: Specifies how Orchestrator discovered the appliance:
  PORTAL: Orchestrator discovered the appliance through the portal account.
  MANUAL: The appliance was added manually.
  APPLIANCE: The Orchestrator IP address was added to the appliance. Portal was not involved.
Enable default DNS lookup: Allows the appliance to snoop the DNS requests to map domains to IP addresses. This mapping then can be used in ACLs for traffic matching.
Enable Health check: Activates pinging of the next hop router.
Enable HTTP/HTTPS snooping: Enables a more granular application classification of HTTP/HTTPS traffic by inspection of the HTTP/HTTPS header, Host. This is enabled by default.
Enable IGMP snooping: IGMP snooping is a common Layer LAN optimization that filters the transmit of multicast frames only to ports where multicast streams have been detected. Disabling this feature floods multicast packets to all ports. IGMP snooping is recommended and enabled by default.
Encrypt data on disk: Enables encryption of all the cached data on the disks. Disabling this option is not recommended.
Excess flow policy: Specifies what happens to flows when the appliance reaches its maximum capacity for optimizing flows. The default is to bypass flows. Or, you can choose to drop the packets.

Aruba EdgeConnect SD-WAN Edge Platform

Using Aruba Orchestrator - . . Property Key Flows and tunnel failure
Hold down count
Hub Site? Interval IP Directed Broadcast IP Id auto optimization
IPSec UDP Port Location Maintain end-to-end overlay mapping Maximum TCP MSS
Media Type Mode Model NAT-T keep alive time

January ,
Description
If there are parallel tunnels and one fails, Dynamic Path Control determines where to send the flows. There are three options:
fail-stick: When the failed tunnel comes back up, the flows do not return to the original tunnel. They stay where they are.
fail-back: When the failed tunnel comes back up, the flows return to the original tunnel.
disable: When the original tunnel fails, the flows are not routed to another tunnel. If the link has been declared down, this specifies how many successful ICMP echoes are required before declaring that the link to the next hop router is up. Specifies whether the appliance has been assigned the role, Hub, in Orchestrator. Specifies the number of seconds between each ICMP echo sent. Allows an entire network to receive data that only the target subnet initially receives. Enables any IP flow to automatically identify the outbound tunnel and gain optimization benefits. Enabling this option reduces the number of required static routing rules (route map policies). Specifies the port that Orchestrator uses to build IPSec UDP tunnels. If the field is blank, Orchestrator uses the default. Appliance location, optionally specified during appliance setup. Enforces the same overlay to be used end-to-end when tra ic is forwarded on multiple nodes. Maximum Segment Size. The default value is bytes. This ensures that packets are not dropped for being too large. You can adjust the value ( to
) to lower a packet's MSS. Displays the actual media being used. Specifies the appliance's deployment mode: Server, Router, or Bridge. Specific EC, EC-V, NX, VX, or VRX model. If a device is behind a NAT, this specifies the rate at which to send keep alive packets between hosts to keep the mappings in the NAT device intact.

Aruba EdgeConnect SD-WAN Edge Platform

Using Aruba Orchestrator - . . Property Key Non-accelerated TCP Flow Timeout Platform Quiescent tunnel keep alive time Region Retry count Serial / Serial Number Shell Access Status
Site Name SSL optimization for non-IPSec tunnels

January ,
Description
Specifies how long to keep the TCP session open a er tra ic stops flowing. The default is seconds ( minutes). Underlying cloud platform on which the EdgeConnect appliance runs, such as Amazon EC , Azure, Google Cloud, or VMware. Specifies the rate at which to send keep alive packets a er a tunnel has become idle (quiescent mode). The default is seconds. User-assigned name created for segmenting topologies and streamlining the number of tunnels created. When regions contain at least one hub, you can choose to connect regions through hubs only. Specifies the number of ICMP echoes to send without receiving a reply before declaring that the link to the WAN next hop router is down. Serial number of the appliance.
Specifies the current shell access policy for EdgeConnect appliances.
Open Shell Access: Full access granted to the underlying Linux operating system shell.
Secure Shell Access: Access denied to the shell, but Support can grant access. Contact Support for assistance. You cannot change this setting to Open Shell Access.
Disabled Shell Access: Access permanently denied to the shell. You cannot change this setting to Open Shell Access or Secure Shell Access.
This setting is managed on the Advanced Security Settings page (Configuration > Overlays & Security > Security > Advanced Security Settings). Changes to this setting a ect all appliances in your network. Orchestrator will not build tunnels between appliances with the same user-assigned site name. Specifies whether the appliance should perform SSL optimization when the outbound tunnel for SSL packets is not encrypted (for example, a GRE or UDP tunnel). To enable Network Memory for encrypted SSL-based applications, you must provision server certificates in Orchestrator. This activity can apply to the entire distributed network of EdgeConnect appliances or just to a specified group of appliances.

Aruba EdgeConnect SD-WAN Edge Platform

Using Aruba Orchestrator - . . Property Key System Bandwidth TCP auto optimization
Tunnel Alarm Aggregation Threshold UDP flow timeout Uptime

January ,
Description
Appliance's total outbound bandwidth, determined by appliance model or license. Enables any TCP flow to automatically identify the outbound tunnel and gain optimization benefits. Enabling this option reduces the number of required static routing rules (route map policies). Specifies the number of alarms to allow before alerting the tunnel alarm. Specifies how long to keep the UDP session open a er tra ic stops flowing. The default is seconds ( minutes). Time elapsed since the appliance became operational and available.
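The Enable Health check, Interval, Retry count, and Hold down count keys above together define a simple hysteresis on the next-hop ICMP probe: a run of unanswered echoes marks the link down, and a separate run of answered echoes is needed before it is marked up again. The following Python model is an added illustration of that interaction and is not code from Aruba or from Orchestrator; the threshold values it uses (3, 3, and 1 second) are constructed placeholders, because the page does not state the appliance defaults.

```python
"""Next-hop health check state machine (added example, not Aruba code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class NextHopMonitor:
    """Up/down state of the link to the WAN next-hop router.

    retry_count:     consecutive unanswered echoes before the link is declared down
    hold_down_count: consecutive answered echoes (while down) before it is declared up
    interval_s:      seconds between echoes
    All defaults below are constructed placeholders, not the appliance defaults.
    """
    retry_count: int = 3
    hold_down_count: int = 3
    interval_s: int = 1
    link_up: bool = True
    misses: int = 0
    successes: int = 0
    transitions: List[Tuple[str, int]] = field(default_factory=list)

    def observe(self, probe_index: int, replied: bool) -> Optional[str]:
        """Feed one echo result; return "down"/"up" on a state change, else None."""
        if self.link_up:
            if replied:
                self.misses = 0            # any reply resets the miss streak
                return None
            self.misses += 1
            if self.misses >= self.retry_count:
                self.link_up = False
                self.misses = self.successes = 0
                self.transitions.append(("down", probe_index))
                return "down"
            return None
        # Link currently declared down: count consecutive successes (hold down).
        if not replied:
            self.successes = 0             # a miss restarts the hold-down streak
            return None
        self.successes += 1
        if self.successes >= self.hold_down_count:
            self.link_up = True
            self.successes = 0
            self.transitions.append(("up", probe_index))
            return "up"
        return None

    def detection_time_s(self) -> int:
        """Worst-case seconds from the first lost echo to the down declaration."""
        return self.retry_count * self.interval_s

    def recovery_time_s(self) -> int:
        """Minimum seconds of clean replies before the link is declared up again."""
        return self.hold_down_count * self.interval_s


def replay(results: List[bool], retry_count: int = 3, hold_down_count: int = 3,
           interval_s: int = 1) -> List[Tuple[str, int]]:
    """Run a sequence of echo results through the monitor and return its transitions."""
    mon = NextHopMonitor(retry_count, hold_down_count, interval_s)
    for i, replied in enumerate(results):
        mon.observe(i, replied)
    return mon.transitions


if __name__ == "__main__":
    # Constructed probe log: True = echo reply received, False = timed out.
    PROBES = [True, True, False, False, False, True, False, True, True, True]
    print(replay(PROBES))                      # [('down', 4), ('up', 9)]
    # A hold down count of 1 lets the single reply at index 5 flap the link back up.
    print(replay(PROBES, hold_down_count=1))   # [('down', 4), ('up', 5)]
```

The second run shows why the hold down count exists: with a low value, one stray reply during an outage flips the link state and the flows behind it, so the retry and hold down values should be chosen together against the loss pattern of the underlying circuit.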

Software Versions
Administration > Software > Upgrade > Software Versions
This report lists the software versions on each appliance.

Upgrade Appliance Software
Administration > Software > Upgrade > Upgrade Appliances
You can download and store new appliance software from your network or computer to the Orchestrator server, staging it for installation to the appliance(s). Use the Upgrade Appliances dialog box to upload appliance software to Orchestrator and to install appliance software from the Orchestrator server into the appliance's inactive partition.
· Install and reboot installs the image into the appliance's inactive partition and then reboots the appliance to begin using the new software.
· Install and set next boot partition installs the image into the appliance's inactive partition and then points to that partition for the next reboot.
· Install only downloads the image into the inactive partition.
Appliance Configuration Backup
Administration > Software > Backup & Restore > Backup Now
Orchestrator automatically creates a weekly backup of each appliance's configuration to the Orchestrator server. Additionally, you can create an immediate backup on demand. After selecting the appliance(s) in the appliance tree, navigate to Administration > Software > Backup & Restore > Backup Now, and then click Backup.
NOTE: You cannot delete an appliance backup from Orchestrator.

View Configuration History
Administration > Software > Backup & Restore > Configuration History
From the Configuration History tab, you can view an appliance's current or previous configuration, as well as compare any two appliance configuration files.

Restore a Backup to an Appliance
Administration > Software > Backup & Restore > Restore
You can restore an appliance configuration backup from Orchestrator to any other EdgeConnect appliances in your network.
CAUTION: Be careful to consider any potential conflicts when the backup specifies a static mgmt IP address, as opposed to specifying DHCP.

Remove Appliance from Orchestrator
Administration > Software > Remove Appliances > Remove from Orchestrator
Removing an appliance with this action returns the appliance to the Discovered Appliances list.
This action deletes the appliance from the navigation tree. In addition, Orchestrator will break all tunnels, overlays, and so forth to this device.

Remove Appliance from Orchestrator and Account
Administration > Software > Remove Appliances > Remove from Orchestrator and Account
Removing an appliance with this action places the appliance on the Denied Devices list, which is located as a link on the Discovered Devices tab.

This action deletes the appliance from the navigation tree. In addition, Orchestrator breaks all tunnels, overlays, and so forth to this device and tells the Portal to "unlicense" the appliance.
Administration > Tools
The options under Administration > Tools focus on tools that can help optimize your Orchestrator deployment, including how to synchronize appliances or put them in standby mode, perform a link integrity test, broadcast CLI commands, reboot appliances, and more.
Synchronize Appliance Configuration
Administration > Tools > Synchronize Orchestrator keeps its database synchronized with the running configurations for the appliances.
· When you use Orchestrator to make a configuration change to an appliance's running configuration, the appliance responds by sending an event back to the Orchestrator server to log. This keeps Orchestrator and the appliance in sync.
· Whenever an appliance starts or reboots, Orchestrator automatically inventories the appliances to resync.
· Whenever Orchestrator restarts, it automatically resyncs with the appliances.
· When an appliance is in an OutOfSync management state, the Orchestrator server resyncs with it as it comes back online.
If your overall network experiences problems, you can use this dialog box to manually resync and ensure that Orchestrator has an appliance's current running configuration.

Put the Appliance in System Bypass Mode
Administration > Tools > Bypass
System Bypass mode is only available for certain models of EdgeConnect physical appliances. Virtual appliances do not support bypass mode. In System Bypass mode, the fail-to-wire (or fail-to-glass) card DOES NOT receive or process packets. Fail-to-wire network interfaces mechanically isolate the appliances from the network in the event of a hardware, software, or power failure. This ensures that all traffic bypasses the failed appliance and maximizes uptime.
· In an in-line deployment (Bridge mode), the LAN interface is physically connected to the WAN interface.
· In Server mode and any Router mode, the appliance is in an open-port state.
When the appliance is in Bypass mode, a message displays in red text in the upper-right corner of the user interface.
Broadcast CLI Commands
Administration > Tools > Broadcast CLI You can simultaneously apply Command Line Interface (CLI) commands to multiple selected appliances. The dialog box automatically provides you with the highest user privilege level.
For more information, see the EdgeConnect Command Line Interface (CLI) Reference.
Link Integrity Test
Administration > Tools > Link Integrity Test Used for debugging, the link integrity test enables you to measure the throughput and integrity (amount of loss) of your WAN link. You can run either iperf or tcpperf (Version . . ).
· These tests run on the two selected appliances using user-specified parameters for bandwidth, duration, DSCP marking, and type of traffic (tunnelized / pass-through-shaped / pass-through-unshaped).
· Orchestrator runs the selected test twice: once passing traffic from Appliance A to Appliance B, and a second run passing traffic from Appliance B to Appliance A.
· Custom Parameters are available for tcpperf and should be used cautiously by advanced users.

TCPPERF V . .

Basic Mode

-h: help
-s: server: Run tcpperf in server mode (not applicable for file generation). Listens on TCP port by default. [server_port [server_port [server_port]..]]
-sr: server range: <server_port_start:server_port_end>
-c: client server_IP: TCPperf Server's IP address (not applicable for file generation). [server_port [server_port [server_port]..]] <server_port_start:server_port_end>
-cr: <server_port_start:server_port_end>
-g: generate basefilename: Dump generated data to a file.
-sw: sgwrite con ilename

NOTES:
· The default server ports are and . You can specify multiple odd-numbered server ports.
· The next even-numbered server ports will also be assigned automatically. These even numbers are reserved for double connection testing (see -I, interface IP).
· Generate mode generates a local file per flow with the same content that the client would have generated with the specified parameters.
· SG write mode is like generate mode, except that it writes to an SG device.

General Parameters

ip : Forces tcpperf to use IPv addresses only. Default is IPv addresses.
-I: interface IP: Specify source interface IP address. Default is any.
-o: outname: Output filename. Default is stdout.
-u: update <secs>: Frequency of printed updates in seconds. Default is .
-d: duration <secs>: Set maximum test duration in seconds. Default is infinite.
-w: wait <secs>: Wait until <secs> since before transmitting data.
-z: realtime: Elevate to realtime priority. Requires root privilege.
-cm: cpu mask: Specify CPU affinity. Requires root privilege.
-q: quiet <level>: Suppresses detail based on level:
· : None. Print results when test is complete.
· : Default. Periodic packet/byte statistics.
· : Verbose. Adds connection state changes.
· : Debug. Prints everything.

TCP Parameters

-tw: tcpwindow: TCP window_size. Default is OS default.
-tm: tcpmss: TCP mss. Default is OS default.
-tn: tcpnodelay: TCP nodelay option. Default is nagle enabled.
-tq: tcpquickack: TCP quick ack option. Default is delayed acks.
-td: tcpdscp <cp>: Sets IP DSCP to <cp> (decimal). Default is .
-tr: tcpretries <n>: Sets number of times to retry TCP connections.
-tp: tcppace <n> <mode>: Pace TCP connection setup rate. Limits number of half-open connections to <n>. Valid <mode> types are:
· preestablish: All connections are established before data transmission. Default.
· simultaneous: Begin data transmission as soon as connection made.
-ta: tcpabort: Sends RSTs instead of FINs on close.
-tf: tcpfindelay <secs>: Time to wait after all data is sent before sending FIN/RST.

Traffic Generation Parameters

-f: file: Source filename to load. Default is MB of random data.
-i: test id <i>: Set test ID. The same test ID produces the same data set. Use different test IDs to generate unique data for each test run. Default is zero.
-n: number <n>: Generate <n> flows. Default is one.
-b: begin <byte>: First byte in transmission. Default is zero.
-e: end <byte>: End byte in transmission (number of bytes to transmit). Default is file size. Begin and end bytes can be greater than file size. The content is repeated to create extra bytes.
-a: antipat <mode>: Antipattern mode: default is mutate.
· none: Repeats same content verbatim on all flows. Repeats content if end byte exceeds content size.
· mutate: Ensures all flows and data repeats are unique. Preserves short range patterns within flow. Destroys cross flow similarity. Destroys original byte code distribution.
· shuffle: Ensures all flows and data repeats are unique. Preserves short range patterns within flow. Preserves cross flow similarity. Preserves original byte code distribution.
· fast: Ensures all flows and data repeats are unique. Does not preserve short range patterns. Destroys cross flow similarity. Destroys original byte code distribution. Uses less CPU than mutate or shuffle.

-l: loopback [mode]: Loopback. Default is unidirectional.
· uni: Unidirectional client to server.
· rev: Unidirectional server to client.
· bidir: Bidirectional, client and server independently send data on the same TCP connection.
· bidir : Bidirectional, client and server independently send data on secondary TCP connections.
· loop: Bidirectional, server loops data back to client on the same TCP connection.
· loop : Bidirectional, server loops data back to client on a secondary TCP connection.
· bidir : Bidirectional, transmits one transaction at a time. Client waits for previous transaction to be echoed. Emulates transactional data.
NOTES: Content source for traffic originating at the server is determined by the server (not client) command line. loop and bidir modes x <n> TCP connections and require that the server has even-numbered ports available.
-r: rate <bps>: Limits aggregate transmission rate to . Default is no rate limit.
-t: trans <min> [max]: Sets size of each socket transaction. Default is . If <min> and <max> are specified, the client generates transactions with random sizes between <min> and <max>. This feature is often used with -l and -r. Set the minimum transaction size to to improve single-flow performance.
-v: verify <mode>: Verify integrity of received data. Default is global.
· none: No verification. Fastest/least CPU load.
· global: Single global hash per flow. Fast, but cannot isolate an errored block.
· literal: Literal comparison of data upon reception. Fast, can isolate errors to the byte level. Requires that server has same content as client. Use random data gen or same -f file at server.
· embedded: Embedded hashes every bytes. Slower, can isolate errors to byte block.


-p: repeat <n>: Repeat each content byte n times. Default is (no repeats). Works for both random data and file content.
-k: corrupt <n> <m> <s> [<%change>[<%insert>[<%delete>]]]: Corrupt to n bytes of data every m bytes using seed s. Delta bytes will require . *n/m percent overhead. Each corrupt can be a change, insert or delete with the probability of each being specifiable. The default is . % changes, . % inserts, and / % deletes.
-x: excerpts <b> <e> <l> [s]: Send random excerpts of average <l> length bytes from content between <b>egin and <e>nd bytes. The -b and -e options still specify total bytes to send. Uses random seed s.
-y: defred <s%> <m%> <l%> <sb> <smin> <smax> <mb> <mmin> <mmax> <lb> <lmin lmax>: Generate content based on defined reduction model. Content is drawn from three data sets: s, m, and l:
· s%: Specifies fraction [ %] of s-type content (short term reducible).
· m%: Specifies fraction [ %] of m-type content (medium term reducible).
· l%: Specifies fraction [ %] of l-type content (long term reducible).
Short-term content comes from data set of sb Mbytes [ MB] with excerpts uniformly distributed between smin and smax bytes [ K- M].
Medium-term content comes from data set of mb Mbytes [ GB] with excerpts uniformly distributed between lmin and lmax bytes [ K- M].
Long-term content comes from data set of lb Mbytes [ TB] with excerpts uniformly distributed between smin and smax bytes [ K- M].
The -b and -e options still specify total bytes to send. Performance is best if -b is .
Uses random seed s.

-ssl [param=value ...]: Enable SSL on connection with optional parameters.
· version= | |t |t |t : Set the protocol version.
· cipher=OPENSSL-CIPHER-DESC: Set the choice of ciphers.
· ticket=yes|no: Enable/disable session ticket extension.
· cert=FILENAME: Use this certificate file.
· key=FILENAME: Use this private key file.
· compression=none|any|deflate|zlib|rle: Set the compression method.
· sslcert: Print the SSL certificate in PEM format.
· sslkey: Print the SSL key in PEM format.

Disk Management
Administration > Tools > Disk Management
The Disk Management tab lists information about physical and virtual appliance disks.
· The progress bar shows what percentage of the polling is complete.
· Physical appliances use RAID (Redundant Array of Independent Disks) arrays with encrypted disks.
· Disk failure results in a critical alarm.
· If a row indicates that a disk has failed, click the Edit icon to access the appliance, and then follow the directions in the local help to replace the failed disk.
· You can view the SMART (Self-Monitoring Analysis and Reporting Technology) data from physical appliance disks only.

To replace a failed disk:
1. Log in to your Support portal account, and then click Open a Self Service RMA for disk replacement.
2. Complete the wizard. Use the serial number of the appliance (not the disk).
3. After you receive the new disk, access Appliance Manager by clicking any edit icon that belongs to the appliance in question.
4. Follow the instructions on that page's online help.
Erase Network Memory
Administration > Tools > Erase Network Memory Erasing network memory removes all stored local instances of data. No reboot is required to complete this task.
Reboot or Shut Down an Appliance
Administration > Tools > Reboot > Appliance Reboot / Shutdown The appliance supports three types of reboot:
· Reboot: Reboots the appliance gracefully. This is your typical "vanilla" restart. Use case: You are changing the deployment mode or other configuration parameters that require a reboot.
· Erase Network Memory and Reboot: Erases the Network Memory cache and reboots the appliance.
Use case: You need to restart the appliance with an empty Network Memory cache.
· Shutdown: Shuts down the appliance and turns the power off. To restart, go to the appliance and physically turn the power on with the Power switch. Use cases:
  - You are decommissioning the appliance.
  - You need to physically move the appliance to another location.
  - You need to re-cable the appliance for another type of deployment.

Behavior During Reboot

A physical appliance enters into one of the following states:

· hardware bypass, if deployed in-line (Bridge mode)
· open-port state, if deployed out-of-path (Router mode or Server mode)

Unless a virtual appliance is configured for a high availability deployment, all flows are discontinued during reboot.

Schedule an Appliance Reboot
Administration > Tools > Reboot > Schedule Appliance Reboot You can schedule an appliance for any of three types of reboot:

· Reboot: Reboots the appliance gracefully. This is your typical "vanilla" restart. Use case: You are changing the deployment mode or other configuration parameters that require a reboot.

· Erase Network Memory and Reboot: Erases the Network Memory cache and reboots the appliance. Use case: You need to restart the appliance with an empty Network Memory cache.
· Shutdown: Shuts down the appliance and turns the power off. To restart, go to the appliance and physically turn the power on with the Power switch. Use cases:
  - You are decommissioning the appliance.
  - You need to physically move the appliance to another location.
  - You need to re-cable the appliance for another type of deployment.

Behavior During Reboot

A physical appliance enters into one of the following states:

· hardware bypass, if deployed in-line (Bridge mode)
· open-port state, if deployed out-of-path (Router/Server mode)

Unless a virtual appliance is configured for a high availability deployment, all flows are discontinued during reboot.
TIP: To specify the time zone for scheduled jobs and reports, navigate to Orchestrator > Software & Setup > Setup > Timezone for Scheduled Jobs.

Reachability Status Tab
Administration > Tools > Monitoring > Reachability Status This tab summarizes the status of communications in two directions: Orchestrator to Appliances and Appliances to Orchestrator.

· Admin Username is the username that an Orchestrator server uses to log in to an appliance.
· An Orchestrator can use the web protocols, HTTP, HTTPS, or Both to communicate with an appliance. Although Both exists for legacy reasons, using HTTPS is recommended for maximum security.
· An appliance's state can be one of the following:
  - Normal indicates that all is well.
  - Unknown is a transitional state that appears when first adding an appliance to the network.
  - Unsupported indicates an unsupported version of appliance software.
  - Unreachable indicates a problem in your network. Check your ports, firewalls, and deployment configuration.
Active Sessions Tab
Administration > Tools > Monitoring > Active Sessions This tab lists users who are logged in to Orchestrator and the appliances that Orchestrator is currently managing. To list active user sessions, click Orchestrator.
To list active appliance sessions, click Appliance.

Orchestrator
The menus under Orchestrator are used to manage Orchestrator itself, and are not related to managing appliances. The menus under this section are organized as follows:
· Orchestrator Server
· Software & Setup
· Aruba Central
Orchestrator > Orchestrator Server
The options under Orchestrator > Orchestrator Server focus on settings and configuration changes you can make to Orchestrator server deployments, including managing users, RBAC options, audit logging, tunnel settings, and more.
Role Based Access Control
Orchestrator > Orchestrator Server > Users & Authentication > Role Based Access Control Role Based Access Control (RBAC) provides a more customized Orchestrator experience. On a per-user basis, you can assign roles that specify access levels for a user, control the menu options available in the Orchestrator UI, and grant or deny access to appliance groups.
Roles
Orchestrator provides a set of default roles. You can create new roles or modify an existing role.

Role: Name of the role.
Permission: Overall access level assigned to the selected role (Read-Only or Read & Write).
Features: Orchestrator features available to the selected role.

To add a role:
1. Click Create Roles. The Roles dialog box opens.
2. Click Add to create a new role, or click the Edit icon to the left of any existing role.
3. Enter or modify the role name.
4. Select a category you want to assign to your user from the following tabs: Monitoring, Configuration, Administration, Orchestrator, Support, or Miscellaneous.
5. To assign the overall access level for the role, select Read Only or Read & Write.
6. Select the check box corresponding to the Orchestrator menu options you want to make available to the role. NOTE: You can Select All or Unselect All.
7. Click Save.

Appliance Access

With appliance access groups, you can restrict appliance access to one or more groups or regions. Complete the following steps to customize appliance access.

1. On the Role Based Access Control tab, click Create Appliance Access Groups. The Appliance Access Group dialog box opens.
2. Click Add to create a new group, or click the Edit icon to the left of any existing group.
3. Add or modify the name of the appliance access group.
4. Choose how you want to add appliances: Select By Groups or Select By Region. You can manually select groups or regions to include, or use the buttons to select or clear all options.
5. Click Save.
WARNING: A non-RBAC user or an RBAC user with appliance access and no assigned role has access to the Appliance Manager, CLI Session, and Broadcast CLI. An RBAC user with any role assigned is denied access to the Appliance Manager, CLI Session, and Broadcast CLI.
Menu options by user type (User / Appliance Access / Roles? / Menu Options):
· Non-RBAC User / N/A / N/A: Appliance Manager, CLI Session, Broadcast CLI
· RBAC User / Yes / None assigned: Appliance Manager, CLI Session, Broadcast CLI
· RBAC User / No / Any: Appliance Manager, CLI Session, and Broadcast CLI are denied

Assign Roles & Appliance Access

Complete the following steps to assign roles and appliance access.

1. On the Role Based Access Control tab, click Assign Roles & Appliance Access Groups.
2. In the User field, enter the name of an existing Orchestrator user.
3. In the Appliance field, select the name of an existing Appliance Access Group.
4. Select the check boxes for one or more roles you want to assign to the user.
5. Click Save.

The following table defines the roles provided by default in Orchestrator (roles are listed alphabetically).

ConfigAdmin: Backs up and restores appliance configuration and views the configuration history.
Monitor: Provides read-only access to all menu items.
OrchestratorAdmin: Enables user to perform Orchestrator operations only, such as settings, tools, user management, and Orchestrator upgrades. Appliance operations are not allowed.
SiteAdmin: Enables appliance or site-specific operations, such as configuring appliance-specific policies, ACLs, TCAs, SSL certificates, and upgrades. An appliance cannot be removed from the network or perform global SD-WAN functions such as overlay management or Zscaler orchestration.
SiteMonitor: Grants read-only permissions equivalent to SiteAdmin.
SiteOperator: Enables appliance or site-specific operations such as configuring appliance-specific policies, ACLs, TCAs, and SSL certificates. An appliance cannot be upgraded or removed from the network, or perform global SD-WAN functions such as overlay management or Zscaler orchestration.
SiteUpgradeAdmin: Upgrades appliances and removes them from the network.
SuperAdmin: Enables full read-write access to all menu items.
Support: Enables access to all support operations.

View Orchestrator Server Information
Orchestrator > Orchestrator Server > Server Management > Server Information
This dialog box provides data specific to this Orchestrator server.

Restart, Reboot, or Shutdown
Orchestrator > Orchestrator Server > Server Management > Reboot Orchestrator
Orchestrator > Orchestrator Server > Server Management > Shutdown Orchestrator
Orchestrator provides these two convenient actions in the Orchestrator menu:
· Reboot Orchestrator reboots the Orchestrator server.
· Shutdown Orchestrator results in the server being unreachable. To restart, you must manually power on the server.
Manage Orchestrator Users
Orchestrator > Orchestrator Server > Users & Authentication > User Management Use the User Management dialog box to manage who has Read-Write or Read-Only access to Orchestrator.
AU
· Users can have either Read-Write or Read-Only privileges. These provide prescribed access to Orchestrator menus. To further limit what users can see, you can assign them to customized menu groups in Orchestrator > User Menu Access.
· Multi-Factor Authentication (MFA) is a recommended option for each Orchestrator user.
NOTE: You cannot modify a Username. You must delete it and create a new user.

Multi-Factor Authentication

Orchestrator supports Multi-Factor Authentication (MFA). It is available on all Orchestrator platforms, including the on-premises and cloud versions.

The first step in authentication is always username/password. For added security, users can choose between application- or email-based authentication, as described below.

NOTE: Only users whose role is assigned Read-Write privilege for User Management can enable or disable MFA for any user.

Configure Multi-Factor Authentication Through an Application

Orchestrator supports applications that provide time-based keys for two-factor authentication and are compliant with RFC / RFC . Google Authenticator is one such app. The example below uses Google Authenticator on a mobile phone. You can also use a desktop version.
To enable MFA through an application:

1. Navigate to Orchestrator > Orchestrator Server > Users & Authentication > User Management, and then click your username.
2. In the Two Factor field, select Application. Orchestrator generates a time-limited QR code.


3. In the Google Authenticator app, use the Scan barcode function to read the QR code. You will be prompted to enter your Orchestrator username and password.
Here you can see Google Authenticator with the new admin account added for the Orchestrator, silverpeak-gxv.

Configure Multi-Factor Authentication Through Email

To enable MFA through email:

1. Navigate to Orchestrator > Orchestrator Server > Users & Authentication > User Management, and then click your username.
2. In the Two Factor field, select Email, and then enter your email address.
If an invalid email address is entered, the account could be locked out and would require password reset procedures.


3. Click Add. Orchestrator sends a time-limited authentication code to your email address. To verify your email address, click the link in that message.
Orchestrator then opens a browser window telling you that your email address has been verified.

Use Multi-Factor Authentication

After MFA is configured, every login requires two steps: entering the username/password and entering the current token.
Based on the authentication method you choose, do one of the following:

· Use the current token from the Google Authenticator (or other) app.
· Use the code you receive in email.

In both cases, the codes have a specific expiration time.

Modify User
Orchestrator > Orchestrator Server > Users & Authentication > User Management > Edit > Modify User


You can modify the following user fields:
· User Name is the identifier the user uses to log in.
· First Name, Last Name, and Phone Number are optional information.
· Email is required if two-factor authentication is enabled.
· Two-factor Authentication is a second step in the login process that requires an authentication code. The code can be obtained in two ways:
- Using an authentication application that generates time-based authentication codes. If this is activated, Orchestrator generates a barcode that can be scanned to set up an authentication app like Google Authenticator for your mobile device.
- Using your email to receive authentication codes every time you log in. This requires access to your email every time you log in.
· Password is used at login.
· Status determines whether the user can log in.
· Role determines the user's permissions.
API Key
Orchestrator > Orchestrator Server > Users & Authentication > API Keys

Use this page to allow your applications to use REST APIs without session authentication and management. You can specify permissions, status, name, and an IP allow list for your API keys.
An API key can be passed either in the HTTP request header field X-Auth-Token or as the query parameter apiKey.
NOTE: It is recommended to use different keys for different applications and users.
To add and define a new API key, click the Edit icon and configure the fields below.

Key Name: Name of the key you are creating.
Key: Text you cut, paste, and insert into your client code.
Permission: Read-Only or Read-Write.
Description: Enter details in this field that describe the purpose of the key you are configuring.
Expiration: Set the expiration date if you want a certain application or script to access the key for a fixed amount of time.
Active: To display whether the key is active or inactive, select Yes or No.
IP Allow List: Filters traffic to your private resources through this specified IP range. Traffic is able to pass through with the IP addresses defined in this field.
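The fields above together decide whether a given REST call is honoured. As an added example (not Orchestrator's implementation), the following shows the server-side decision a practitioner would expect behind them: the key is read from X-Auth-Token or, failing that, from the apiKey query parameter; it must exist, be Active, be unexpired, arrive from an address inside the IP Allow List, and hold Read-Write permission for any modifying method. The key store, token strings, addresses and URL are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class ApiKeyRecord:
    """One row of the API Keys page: name, permission, status, expiration, IP allow list."""
    name: str
    permission: str                 # "Read-Only" or "Read-Write"
    active: bool
    expiration: Optional[str]       # ISO 8601 timestamp, or None for no expiry
    ip_allow_list: Tuple[str, ...]  # CIDR ranges; empty means any source address


# Constructed sample key store (token -> record). These are not real Orchestrator keys.
KEY_STORE: Dict[str, ApiKeyRecord] = {
    "EXAMPLE-KEY-monitoring": ApiKeyRecord("monitoring", "Read-Only", True,
                                           "2030-01-01T00:00:00+00:00", ("10.20.0.0/16",)),
    "EXAMPLE-KEY-automation": ApiKeyRecord("automation", "Read-Write", True,
                                           None, ("192.0.2.10/32",)),
    "EXAMPLE-KEY-expired": ApiKeyRecord("old-script", "Read-Write", True,
                                        "2022-01-01T00:00:00+00:00", ()),
    "EXAMPLE-KEY-retired": ApiKeyRecord("retired", "Read-Write", False, None, ()),
}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def extract_api_key(headers: Dict[str, str], url: str) -> Optional[str]:
    """Prefer the X-Auth-Token header; fall back to the apiKey query parameter."""
    for name, value in headers.items():
        if name.lower() == "x-auth-token":
            return value
    values = parse_qs(urlsplit(url).query).get("apiKey")
    return values[0] if values else None


def authorize(headers: Dict[str, str], url: str, client_ip: str, method: str,
              now_iso: str = "2023-01-13T12:00:00+00:00") -> Tuple[bool, str]:
    """Apply the API key checks in order; the reason string is what an audit log should record."""
    token = extract_api_key(headers, url)
    if token is None:
        return False, "no api key presented"
    record = KEY_STORE.get(token)
    if record is None:
        return False, "unknown api key"
    if not record.active:
        return False, "key inactive"
    if record.expiration is not None:
        if datetime.fromisoformat(now_iso) >= datetime.fromisoformat(record.expiration):
            return False, "key expired"
    if record.ip_allow_list:
        source = ipaddress.ip_address(client_ip)
        if not any(source in ipaddress.ip_network(cidr) for cidr in record.ip_allow_list):
            return False, "source ip not in allow list"
    if method.upper() not in SAFE_METHODS and record.permission != "Read-Write":
        return False, "read-only key cannot modify"
    return True, record.name


if __name__ == "__main__":
    url = "https://orchestrator.example.test/gms/rest/appliance"
    print(authorize({"X-Auth-Token": "EXAMPLE-KEY-monitoring"}, url, "10.20.5.5", "GET"))
    print(authorize({}, url + "?apiKey=EXAMPLE-KEY-automation", "198.51.100.7", "POST"))
```

The header form is the one to standardise on in client code: a key in the query string is recorded by proxies, web server access logs and browser history, whereas X-Auth-Token is not.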

Remote Authentication
Orchestrator > Orchestrator Server > Users & Authentication > Authentication

Use the Remote Authentication dialog box to manage different remote authentication methods for Orchestrator users.
· To add a new remote authentication method, click +Add New Server.
· To view or modify the settings for an existing remote authentication method, click the Edit icon in the row of the existing method.

Orchestrator supports the following for remote authentication:
· RADIUS
· TACACS+
· OAuth
· JWT
· SAML

Configure RADIUS or TACACS+ Servers

You need to configure the following when adding or modifying a RADIUS or TACACS+ server:

Read-Write Privilege: RADIUS only. Lowest value at which a user has Read-Write privileges. This value must be the same as the value configured on the RADIUS server.
Read-Only Privilege: RADIUS only. Lowest value at which a user has Read-Only privileges. This value must be the same as the value configured on the RADIUS server.
Authentication Type: Select the authentication type that matches what is configured on the RADIUS or TACACS+ server.
Default Role: If RBAC is enabled, you must specify a default role.
Primary/Secondary Server: For each server in use, enter the IP address or hostname, port, and secret key of the RADIUS or TACACS+ server.

Authenticate Users with RADIUS or TACACS+

1. Select the access control protocol you want to use.
2. Under Servers, enter the information for a Primary server of that type. Entering a Secondary server is optional.

Authentication Order: Whether to use the remote map or the local map first. The default is Remote first.
Primary/Secondary Server: IP address or hostname of the RADIUS or TACACS+ server.
Secret Key: String defined as the shared secret on the server.
Read-Write Privilege: Lowest value at which a user has Read-Write privileges. This value must be the same as the value configured on the RADIUS server.
Read-Only Privilege: Lowest value at which a user has Read-Only privileges. This value must be the same as the value configured on the RADIUS server.
Authentication Type: When configuring to use the TACACS+ server, select the type from the drop-down list that matches what is configured on the TACACS+ server.


Configure OAuth Server

Orchestrator supports remote authentication via the OAuth 2.0 framework. Before configuring an OAuth server in Orchestrator, you must register Orchestrator as an application with your OAuth provider.

Prerequisites
· The OAuth server must support OAuth 2.0 authorization codes, ID tokens, and (optionally) refresh tokens.
· The ID token is used to get the username, RBAC roles, and RBAC appliance access groups.
· The refresh token can be checked periodically to ensure that the user is still authorized.
· Depending on the OAuth server configuration, refresh tokens can be permanent or they can expire. If a token is revoked or expires, the user is forced to authenticate again.

Register Orchestrator Application

Before adding an OAuth server in Orchestrator, register a new app on your OAuth server for Orchestrator. Provide the following details when registering the app:

Application Type: Register Orchestrator as a Web App.
Allowed Grant Types: Authorization code (required). Refresh token (optional).
Redirect URL: Orchestrator endpoint to which the user is redirected after successful authentication, which should be https:///gms/rest/authentication/oauth/redirect.

Configure OAuth Server Parameters in Orchestrator

When adding a new OAuth server or modifying an existing server, configure the following fields in the Remote Authentication Server dialog box:

Name: Name to identify the server. This name is displayed on a button on the Orchestrator login page as an alternative method of authentication.
Client ID: Client ID for the Orchestrator application that you created in your OAuth provider.
Client Secret: Client secret for the Orchestrator application that you created in your OAuth provider.
Scopes: OAuth 2.0 uses scope values, as defined in RFC , to specify which access privileges are being requested in Access Tokens. The default scopes for Orchestrator are openid, offline_access, and email.
Authentication URL: The Issuer Identifier URL with the authentication request path appended. For example: https:///oauth /v /authorize.
Token URL: The Issuer Identifier URL with the token path appended. For example: https:///oauth /v /token.


Username key: The OAuth attribute to be sent as the username. If the username is an email address, use email. If any other key is used, ensure that it is mapped to the correct scope on the OAuth server.
(Optional) Roles key: This field can be left with the default value, sp-roles, or you can enter a new key name, but the key name must match what is configured in your OAuth provider. This is a user claim sent in the ID token that maps to Orchestrator roles defined in Role Based Access Control (RBAC). For example, the OAuth server attribute userType maps to sp-roles, and the OAuth user in Orchestrator has userType = OverlayAdmin.
(Optional) Appliance Access Group key: This field can be left with the default value, sp-aag, or you can enter a new key name, but the key name must match what is configured in your OAuth provider. This is a user claim sent in the ID token that maps to Orchestrator Appliance Access Groups defined in RBAC. For example, the OAuth server attribute department maps to sp-aag, and the OAuth user in Orchestrator has department = Asia-Admin.
NOTE: If roles and appliance access group keys are not provided, Orchestrator inspects its own configuration to determine the role and appliance access group for the user. If it does not find that information, the user is not allowed to log in.
Default role: If RBAC is enabled, you must specify a default role.


Configure JWT Server

To begin JWT server configuration, the assigned admin must specify the following JWT configuration parameters:

· Issuer ("iss")
· Auditor ("aud")
· Expiration ("exp")
· Signature
· User, role, and AAG

NOTE: See the descriptions in the table below.

· Redirect URL based on successful authentication: https://<orchestrator_domainName> ?access_token=<token>&id_token=<token>&state=<state>&token_type=Bearer&expires_in=

Review the following diagram for more details about the workflow of JWT authentication.


Then, complete the following steps in Orchestrator:
1. Navigate to the Authentication tab in Orchestrator.
2. Click +Add New Server. The Remote Authentication Server window opens.
3. From the Type drop-down menu, select JWT, and then complete the following fields.

Name: Name of your JWT provider.
Cert/Signing Key: HMAC or RSA public key used to verify the id_token.
JWK URL: URL that hosts the public certification.
Validation Window: Maximum amount of time (in minutes) that the expiration is found for the id_token before a new id_token is created.
Issuer: Issuer claim found in the id_token.
Auditor: Auditor claim found in the id_token.
Username Key: This attribute is sent as the username. If the username is an email address, use email. If any other key is used, ensure that it is mapped to the correct scope on the OAuth server.


Roles Key: This field can be left with the default value, sp-roles, or you can enter a new key name, but the key name must match what is configured in your JWT provider. This is a user claim sent in the ID token that maps to Orchestrator roles defined in Role Based Access Control (RBAC). For example, the OAuth server attribute userType maps to sp-roles, and the OAuth user in Orchestrator has userType = OverlayAdmin.
Appliance Access Group Key: This field can be left with the default value, sp-aag, or you can enter a new key name, but the key name must match what is configured in your JWT provider. This is a user claim sent in the ID token that maps to Orchestrator Appliance Access Groups defined in RBAC. For example, the JWT server attribute department maps to sp-aag, and the JWT user in Orchestrator has department = Asia-Admin.
NOTE: If roles and appliance access group keys are not provided, Orchestrator inspects its own configuration to determine the role and appliance access group for the user. If it does not find that information, the user is not allowed to log in.
Default role: If RBAC is enabled, you must specify a default role.
JWT token consuming URL: URL of Orchestrator that remains the same.
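Both the OAuth and JWT sections above describe the same consumption of an ID token: check its signature, issuer, audience and expiration, then read the username, roles (sp-roles) and appliance access group (sp-aag) claims, falling back to local configuration and refusing the login when neither source has them. The following added example, not Orchestrator's code, does exactly that for an HS256 token; it mints its own token so it runs offline. The signing key, issuer, audience, claim values and the `local_users` table are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

# Constructed values standing in for your identity provider's settings.
DEMO_KEY = b"constructed-demo-signing-key-not-for-production"
DEMO_ISSUER = "https://idp.example.test/"
DEMO_AUDIENCE = "orchestrator-example"
DEMO_NOW = 1673611200                       # 2023-01-13T12:00:00Z
DEMO_CLAIMS = {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "exp": DEMO_NOW + 300,
               "email": "alice@example.test", "sp-roles": "OverlayAdmin", "sp-aag": "Asia-Admin"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """Mint an HS256 JWT; plays the identity provider so the example is self-contained."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now: int) -> Dict[str, Any]:
    """Signature first, then iss, aud and exp; any failure raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # the verifier pins the algorithm; the token does not choose it
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def map_identity(claims: Dict[str, Any], username_key: str = "email", roles_key: str = "sp-roles",
                 aag_key: str = "sp-aag", local_users: Optional[Dict[str, Dict[str, str]]] = None) -> Dict[str, str]:
    """Username, role and AAG from the token; missing role/AAG fall back to local configuration;
    no source for them means the login is refused, as the NOTE above states."""
    username = claims.get(username_key)
    if not username:
        raise PermissionError("no username claim")
    role, aag = claims.get(roles_key), claims.get(aag_key)
    if role is None or aag is None:
        local = (local_users or {}).get(username)
        if local is None:
            raise PermissionError("role/AAG not in token and no local configuration for user")
        role = role if role is not None else local["role"]
        aag = aag if aag is not None else local["aag"]
    return {"username": username, "role": role, "aag": aag}


def without_claims(claims: Dict[str, Any], *keys: str) -> Dict[str, Any]:
    return {k: v for k, v in claims.items() if k not in keys}


def login_outcome(claims: Dict[str, Any], now: int, local_users=None, signing_key: bytes = DEMO_KEY) -> str:
    """Mint, verify and map in one step; returns a log-style line for the result."""
    try:
        verified = verify_hs256(sign_hs256(claims, signing_key), DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now)
        ident = map_identity(verified, local_users=local_users)
    except (ValueError, PermissionError) as exc:
        return f"rejected: {exc}"
    return f"accepted: {ident['username']} role={ident['role']} aag={ident['aag']}"


if __name__ == "__main__":
    print(login_outcome(DEMO_CLAIMS, DEMO_NOW))
    print(login_outcome(DEMO_CLAIMS, DEMO_NOW, signing_key=b"some-other-key"))
```

The order matters: the signature is checked before any claim is read, so issuer, audience and role values are only ever taken from a token the configured key vouches for.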

Configure SAML Server

Orchestrator supports SAML 2.0 integration, providing authentication and authorization of your credentials through an IdP (Identity Provider), an SP (Service Provider), and a Principal. In these instructions, the three are:

· IdP: Okta
· SP: Orchestrator
· Principal: Principal end user

SAML and Orchestrator Configuration

Use the following instructions to complete SAML and Orchestrator integration.
TIP: It is recommended to have Orchestrator open next to your Okta window while completing these instructions.

1. Sign in to your Okta account.
2. Select Add Application, and then select SAML 2.0.

3. Click Create New App.
4. Sign in to Orchestrator and navigate to the Authentication tab (Orchestrator > Users & Authentication > Authentication).
5. Click +Add New Server.
6. Select SAML from the Type field.
7. In Orchestrator, click the icon next to the ACS URL and SP SLO Endpoint fields to copy them.
8. Navigate back to your SAML application configuration window.
9. Paste the ACS URL in the Single Sign On URL and Audience URL (SP Entity ID) fields.
10. Specify the attributes and their corresponding values on the SAML Settings page. These are configured and assigned on the RBAC tab in Orchestrator.
- sp-name: user.email
- sp-role: user.usertype
- sp-aag: user.department
11. Click Next.
12. Click Finish.
13. Click the View Setup Instructions box on the completed SAML Application Settings page and enter the following URLs in the corresponding Orchestrator fields:

SAML Field -> Orchestrator Field
Identity Provider Single Sign-On URL -> SSO Endpoint
Identity Provider Issuer -> Issuer URL
X.509 Certificate -> IdP X.509 Cert

The following table provides more details about the fields in Orchestrator.


Name: Any text value for your SAML account for identification purposes.
Username Attribute: Retrieves the username from the SAML XML response.
Issuer URL: Unique identifier of the issuer (for example: Okta, OneLogin).
SSO Endpoint: Unique endpoint for the SAML application created on the IdP server.
IdP X.509 cert: Certificate issued by the IdP to verify and validate the response received from the IdP (Okta) server.
ACS URL: Orchestrator endpoint needed for configuration on the IdP server. This is provided as a redirect URL after you are authenticated on the IdP server.
(Optional) SP SLO Endpoint: Endpoint used by the IdP to initiate the logout request from Orchestrator to the IdP server.
(Optional) IdP SLO Endpoint: Endpoint used by Orchestrator to initiate the logout request to the IdP.
(Optional) SP X.509 Cert SLO: Certificate used by the IdP to verify the Single Logout request initiated by Orchestrator to log out of the IdP.
(Optional) Roles Attribute: This field can be left with the default value, sp-roles, or you can enter a new key name, but the key name must match what is configured in your SAML provider. This is a claim sent to Orchestrator that maps to roles defined in Role Based Access Control (RBAC).
(Optional) Appliance Access Group key: This field can be left with the default value, sp-aag, or you can enter a new key name, but the key name must match what is configured in your SAML provider. This is a claim sent to Orchestrator that maps to Orchestrator Appliance Access Groups defined in RBAC.
NOTE: If roles and appliance access group keys are not provided, Orchestrator inspects its own configuration to determine the role and appliance access group for the user. If it does not find that information, the user is not allowed to log in.
Default role: If RBAC is enabled, you must specify a default role.
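The Username Attribute, Roles Attribute and Appliance Access Group key above are read out of the SAML assertion the IdP posts to the ACS URL. As an added example, not Orchestrator's code, the following parses such a response with the standard library and applies the checks a service provider must make before trusting those attributes: the assertion's Issuer must be the configured Issuer URL, the current time must fall inside the Conditions window, and the Audience must be the value pasted into the IdP (the ACS URL, per step 9 above). The response, issuer, ACS URL and attribute values are constructed; the XML signature check against the IdP X.509 cert is named but not reproduced here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed identifiers; yours come from the Okta app and the Orchestrator ACS URL field.
DEMO_ISSUER = "http://www.okta.example.test/exk-constructed"
DEMO_ACS_URL = "https://orchestrator.example.test/gms/rest/authentication/saml/acs"

# Constructed, unsigned SAML response (not a capture from Okta or Orchestrator).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-response" Version="2.0" IssueInstant="2023-01-13T10:01:00Z" Destination="{DEMO_ACS_URL}">
  <saml:Issuer>{DEMO_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2023-01-13T10:01:00Z">
    <saml:Issuer>{DEMO_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-01-13T10:00:00Z" NotOnOrAfter="2023-01-13T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{DEMO_ACS_URL}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="sp-name"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sp-role"><saml:AttributeValue>OverlayAdmin</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sp-aag"><saml:AttributeValue>Asia-Admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _saml_time(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_identity(xml_text: str, now_iso: str, expected_issuer: str = DEMO_ISSUER,
                     expected_audience: str = DEMO_ACS_URL, username_attr: str = "sp-name",
                     roles_attr: str = "sp-role", aag_attr: str = "sp-aag") -> Dict[str, str]:
    """Validate issuer, validity window and audience, then read the mapped attributes.
    The XML signature check (IdP X.509 cert) is omitted here; a real SP runs it first."""
    now = _saml_time(now_iso)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        raise ValueError("issuer mismatch")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no conditions")
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now < _saml_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after is None or now >= _saml_time(not_on_or_after):
        raise ValueError("assertion expired")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("audience mismatch")
    attrs: Dict[str, List[str]] = {}
    for attribute in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attribute.get("Name", "")] = [v.text or "" for v in attribute.findall("saml:AttributeValue", NS)]
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    username = (attrs.get(username_attr) or [name_id])[0]   # fall back to NameID
    if not username:
        raise PermissionError("no username in assertion")
    role, aag = attrs.get(roles_attr), attrs.get(aag_attr)
    if not role or not aag:
        raise PermissionError("role or appliance access group missing; user is not allowed to log in")
    return {"username": username, "role": role[0], "aag": aag[0]}


def saml_login_outcome(xml_text: str, now_iso: str, **kwargs) -> str:
    try:
        ident = extract_identity(xml_text, now_iso, **kwargs)
    except (ValueError, PermissionError) as exc:
        return f"rejected: {exc}"
    return f"accepted: {ident['username']} role={ident['role']} aag={ident['aag']}"


if __name__ == "__main__":
    print(saml_login_outcome(SAMPLE_RESPONSE, "2023-01-13T10:02:00Z"))
    print(saml_login_outcome(SAMPLE_RESPONSE, "2023-01-13T10:06:00Z"))
```

The attribute names are looked up by the exact Name the IdP sends, which is why the text insists that sp-roles/sp-aag in Orchestrator match what is configured on the provider side; a mismatch surfaces here as a refused login rather than as a wrong role.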


Cloud Portal
Configuration > Overlays & Security > Licensing > Cloud Portal
Orchestrator > Orchestrator Server > Licensing > Cloud Portal
The Cloud Portal is used to register cloud-based features and services such as SaaS optimization and EdgeConnect.

· When you purchase one of these services, an Account Name and instructions to obtain your Account Key are sent to you. You will use these to register your appliances.
· The cloud portal populates the Contact field from information included in your purchase order.
· Use of these services requires that your appliances can access the cloud portal via the internet.
Audit Logs
Orchestrator > Orchestrator Server > Tools > Audit Logs
The Audit Logs tab lists actions from a user or the system itself, initiated by Orchestrator. You can apply the following filters to your audit logs:
· To determine which actions you want to display in the table, select the Completed, In Progress, or Queued filters.
· Select the log levels to apply to your filter: Debug, Info, or Error.
· To refresh or pause the table, select either Auto Refresh or Pause. By default, the table refreshes automatically.
· Enter the Record Count to limit the filtering criteria. The default value is , and the maximum value is , .
· Select the name of the Appliance from the lists to apply as a filter.

· You can search a wild card character (*) as a username to display all user logs. If you enter any value in the user field, no filter is applied to the search. The following are true for audit log wild cards:
- x* = anything that starts with the entered value
- *x = anything that ends with the entered value

User Name: Filter/search for an audit log by the username of the appliance.
IP Address: IP address of the selected appliance.
Host Name: Host name of the appliance the audit log comes from.
Action: What you want the audit log to do.
Task Status: Status of the audit log task.
Results: Results of the audit log being searched.
Start Time: Time when the search of the audit log started.
End Time: Time when the search of the audit log ended.
Queued Time: Time when the process/task was requested or scheduled in the queue.
% Completed: Percent completed of the audit log task.
Completion Status: Whether the task has been completed.

Orchestration Settings
Orchestrator > Orchestrator Server > Tools > Orchestration Settings
The Orchestration Settings menu manages Business Intent Overlays (BIOs) and the properties that control them. It builds new tunnels and fixes existing ones.


Orchestrate appliances by applying and updating overlays: When selected, updates all associated appliances when overlay changes are saved.
NOTE: Tunnels are rebuilt only if this field is enabled.
Reset all flows: When selected, Orchestrator automatically resets all flows whenever you edit overlays or change policies or priorities. When deselected, the flows can only be reset manually.
Autosave appliance changes: Selected by default, this automatically saves any changes made to an appliance. If you need a time delay for troubleshooting or testing, deselect this option to suspend automatic saving of configuration changes.
Apply templates: When selected, updates all associated appliances when template changes are saved.
Idle time: Amount of time Orchestrator sleeps or is idle between checking for any configuration changes. For normal-sized networks, the recommended idle time is seconds. For smaller networks, the recommended idle time is seconds.
Auto flow re-classify: Specifies how long the Overlay Manager waits before surveying the network when configuration changes are not being made.

IPSec UDP Settings
Default port: By default, BIOs create IPSec UDP tunnels. The default port is . If necessary, you can configure this for an individual appliance on its System Information page, under System Settings. This is accessible from the appliance's context-sensitive menu in the Orchestrator navigation pane.
Increment port by: Referenced when configuring an Edge HA (High Availability) pair. When the value is , the second appliance's default port becomes .

Maintenance Mode
Orchestrator > Orchestrator Server > Tools > Maintenance Mode
You can set maintenance mode on an appliance in two ways. You can:
· Use the menu available from the appliance tree. This method automatically suppresses alarms and pauses orchestration.
· Use the Orchestrator menu to select appliances and specify settings. This method allows you to specify whether to pause orchestration or suppress alarms.


Set Maintenance Mode Using the Menu Available from the Appliance Tree

1. Right-click one or more appliances in the appliance tree, and then select Maintenance Mode.
2. In the Maintenance Mode dialog box, click OK.
Alarms are automatically suppressed, and orchestration is automatically paused for the selected appliances.

Set Maintenance Mode Using the Orchestrator Menu

1. Navigate to Orchestrator > Orchestrator Server > Tools > Maintenance Mode.
2. In the Maintenance Mode dialog box, click Add. The Configure Maintenance Mode dialog box opens.
3. In the Appliance field, enter the name of the appliance you want to put into maintenance mode.
4. To pause orchestration, select Pause Orchestration.
5. To suppress alarms associated with this appliance while in maintenance mode, select Suppress Alarms.
6. Click OK.
7. Click Save.

The following table describes the fields on the Maintenance Mode dialog box.

Host Name: Host name of the appliance you put into maintenance mode.
Alarms: Indicates whether to suppress alarms while the appliance is in maintenance mode.
Orchestration: If paused, all orchestration is paused on the selected appliance, except IPSec UDP Tunnel Key material.
IP: IP address of the appliance in maintenance mode.
Version: Current version of the appliance.

Tunnel Settings Tab

Orchestrator > Orchestrator Server > Tools > Tunnels Settings
Use this tab to manage the properties for tunnels created by Orchestrator. It provides tunnel settings for General, IKE, IPSec for MPLS, Internet, and LTE WAN Interface labels.

General Tab

Access the following fields on the General Tab.

General


Mode: Indicates whether the tunnel protocol is IPSec, IPSec UDP, UDP, or GRE. If you select IPSec, you can specify the IKE version on the IKE tab.
Auto max BW enabled: Allows the appliances to auto-negotiate the maximum tunnel bandwidth.
Auto discover MTU enabled: Allows the appliances to auto-negotiate the maximum tunnel bandwidth.
MTU: Maximum Transmission Unit (MTU) is the largest possible unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is 1500 bytes. MTUs up to bytes are supported. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting.
UDP destination port: Used in UDP mode. Accept the default value unless the port is blocked by a firewall.
UDP flows: Used in UDP mode. Indicates the number of flows over which to distribute tunnel data. Accept the default.

Packet
Reorder wait: Maximum time the appliance holds an out-of-order packet when attempting to reorder. The packets can come from the same or a different path, or from the FEC correction engine. ms is the default value and should be adequate for most situations. If the reorder wait time exceeds ms (or the set value), the packet is delivered out of order.
FEC: Forward Error Correction (FEC) can be set to enable, disable, or auto.
FEC ratio: When FEC is set to auto, this specifies the maximum ratio. The options are : , : , : , or : .

Tunnel Health
Retry count: Number of failed keep-alive messages allowed before the appliance brings the tunnel down.
DSCP: Determines the DSCP marking that the keep-alive messages should use.

FastFail Thresholds

Fastfail enabled: Fastfail thresholds determine how quickly to disqualify a tunnel from carrying data when multiple tunnels carry data between two appliances.
The Fastfail connectivity detection algorithm for the wait time from receipt of the last packet before declaring a brownout is:
Twait = Base + N * RTTavg
where Base is a value in milliseconds and N is the multiplier of the average Round Trip Time over the past minute.
For example, if Base = 200 ms, N = 2, and RTTavg = 50 ms, then Twait = 200 + 2 * 50 = 300 ms: the appliance declares a tunnel to be in brownout if it does not see a reply packet from the remote end within 300 ms of receiving the most recent packet.
In the Tunnel Advanced Options, Base is expressed as Fastfail wait-time base offset (ms), and N is expressed as Fastfail RTT multiplication factor.
Fastfail enabled - This option is triggered when a tunnel's keep-alive signal does not receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keep-alive reply, its recovery is instantaneous.
If set to disable, keep-alives are sent every second, and seconds elapse before failover. In that time, all transmitted data is lost.
If set to enable, keep-alives are sent every second, and a missed reply increases the rate at which keep-alives are sent from one per second to ten per second. Failover occurs after one second.
When set to continuous, keep-alives are continuously sent at ten per second. Therefore, failover occurs after one-tenth of a second.


Latency: Amount of latency, measured in ms. Thresholds for Latency, Loss, or Jitter are checked once every second. Receiving three successive measurements that exceed the threshold puts the tunnel into a brownout situation, and flows will attempt to fail over to another tunnel within the next ms. Receiving three successive measurements that drop below the threshold takes the tunnel out of brownout.
Loss: Amount of data lost, measured in percent.
Jitter: Amount of jitter, measured in ms.
Fastfail wait-time base offset: Base time used when calculating the fastfail timeout.
Fastfail RTT multiplication factor: Multiplier in the formula used to calculate the fastfail timeout.
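The Fastfail rules above are two separate detectors: a silence timer, Twait = Base + N * RTTavg, and a per-metric hysteresis of three consecutive samples on either side of the threshold. The following is an added example, not the appliance's code, that models both so the settings can be reasoned about before they are changed: it reproduces the page's 200 ms / 2 / 50 ms worked figure and walks a latency sample series through the brownout and recovery transitions. The sample values and the assumption that a sample equal to the threshold counts as "below" are the example's own.

```python
from typing import Dict, List


def fastfail_wait_ms(base_ms: float, n: float, rtt_avg_ms: float) -> float:
    """Twait = Base + N * RTTavg, with Base the wait-time base offset and N the RTT factor."""
    return base_ms + n * rtt_avg_ms


def brownout_by_silence(ms_since_last_packet: float, base_ms: float, n: float, rtt_avg_ms: float) -> bool:
    """True once no reply has been seen for longer than Twait."""
    return ms_since_last_packet > fastfail_wait_ms(base_ms, n, rtt_avg_ms)


class ThresholdMonitor:
    """One tunnel metric (latency, loss or jitter) sampled once a second.

    Three successive samples above the threshold enter brownout; three successive
    samples at or below it leave brownout. A sample on the other side restarts the count,
    so a single spike or a single good reading never flips the state by itself.
    """

    def __init__(self, threshold: float, required: int = 3):
        self.threshold = threshold
        self.required = required
        self.in_brownout = False
        self._streak = 0   # consecutive samples arguing for a state change

    def observe(self, value: float) -> bool:
        exceeds = value > self.threshold
        if exceeds != self.in_brownout:
            self._streak += 1
        else:
            self._streak = 0
        if self._streak >= self.required:
            self.in_brownout = not self.in_brownout
            self._streak = 0
        return self.in_brownout


class TunnelFastfail:
    """Latency, loss and jitter monitors for one tunnel; brownout if any one of them says so."""

    def __init__(self, latency_ms: float, loss_pct: float, jitter_ms: float):
        self.monitors: Dict[str, ThresholdMonitor] = {
            "latency": ThresholdMonitor(latency_ms),
            "loss": ThresholdMonitor(loss_pct),
            "jitter": ThresholdMonitor(jitter_ms),
        }

    def observe(self, latency_ms: float, loss_pct: float, jitter_ms: float) -> bool:
        states = [self.monitors["latency"].observe(latency_ms),
                  self.monitors["loss"].observe(loss_pct),
                  self.monitors["jitter"].observe(jitter_ms)]
        return any(states)


def run_samples(threshold: float, samples: List[float]) -> List[bool]:
    """Feed one metric's per-second samples through a monitor; returns the state after each."""
    monitor = ThresholdMonitor(threshold)
    return [monitor.observe(s) for s in samples]


if __name__ == "__main__":
    print(fastfail_wait_ms(200, 2, 50))                                   # 300.0 ms, as on the page
    print(run_samples(50, [10, 60, 60, 60, 60, 10, 10, 10]))               # brownout after the 3rd high sample
```

Read together, the two detectors explain the failover timings in the text: the silence timer reacts within Twait of the last packet, while a threshold breach needs three one-second samples before flows move.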

IKE Tab
Access the following fields by clicking the IKE tab. This tab is displayed only if the Mode field on the General tab is set to IPSec.
IKE

Authentication algorithm: Sets tunnel authentication. Select SHA-1, SHA2-256, SHA2-384, or SHA2-512.
Encryption algorithm: Specifies the encryption algorithm used for the Phase 1 negotiation. Select AES-128, AES-256, or auto.
Diffie-Hellman group: Diffie-Hellman group used for IKE SA negotiation.
Rekey interval/lifetime: Rekey interval/lifetime of the IKE SA.
Dead peer detection: Delay time: Amount of time, in seconds, to wait for traffic from the destination IKE peer. Retry count: Number of times to retry the connection before determining that the connection is dead.
NOTE: Dead Peer Detection is supported only on EdgeConnect appliances running VXOA software version . . and higher.
Phase 1 mode: Defines the exchange mode for Phase 1. The options are Main or Aggressive. If IKEv1 is selected, the default mode is aggressive.
IKE version: IKE major version. Select IKEv1 or IKEv2.


IPSec Tab
Access the following fields by clicking the IPSec tab. The IPSec tab is displayed only if the Mode field on the General tab is set to IPSec or IPSec UDP.
IPSec

Authentication algorithm: Authentication algorithm used by the IPSec SA. Select SHA-1, SHA2-256, SHA2-384, or SHA2-512.
Encryption algorithm: Specifies the encryption algorithm used for the Phase 2 negotiation. Select AES-128, AES-256, or auto.
IPSec anti-replay window: Select a size from the drop-down list, or Disable to disable the IPSec anti-replay window. If a size is selected, protection is provided against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet.
Rekey interval/lifetime: Rekey interval/lifetime of the IPSec SA.
Perfect forward secrecy group: Specifies the Diffie-Hellman Group exponentiations used for IPSec SA negotiation.
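The anti-replay window setting above is the receiver-side sliding window that ESP uses with its per-packet sequence numbers. The following is an added example, not the appliance's implementation, of that window: the receiver keeps the highest sequence number seen plus a bitmap of the preceding `size` numbers, drops any packet that repeats a seen number or falls behind the window, and advances the window on a new high. A size of 0 models the Disable choice. The window size and the packet sequences are constructed for the example.

```python
from typing import List


class AntiReplayWindow:
    """Sliding anti-replay window over ESP-style sequence numbers (RFC 4303 semantics).

    bit i of `bitmap` set means sequence number (highest - i) has already been accepted.
    size=0 models the page's "Disable" option: nothing is ever rejected.
    """

    def __init__(self, size: int = 64):
        if size < 0:
            raise ValueError("window size must be >= 0")
        self.size = size
        self.highest = 0
        self.bitmap = 0
        self.accepted = 0
        self.dropped = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record the packet if it is fresh; False (drop) if it is a replay or too old."""
        if self.size == 0:
            self.accepted += 1
            return True
        if seq <= 0:                      # ESP sequence numbers start at 1
            self.dropped += 1
            return False
        if seq > self.highest:            # new high: slide the window forward
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) if shift < self.size else 0
            self.bitmap |= 1
            self.highest = seq
            self.accepted += 1
            return True
        diff = self.highest - seq         # inside or behind the window
        if diff >= self.size or self.bitmap & (1 << diff):
            self.dropped += 1             # too old, or already seen (replay)
            return False
        self.bitmap |= 1 << diff          # late but fresh: accept and remember
        self.accepted += 1
        return True


def replay_check_sequence(seqs: List[int], size: int = 64) -> List[bool]:
    """Run a sequence of arriving packets through one window; returns accept/drop per packet."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order, a replay of 3, a jump to 100, one too old, one late, two replays.
    print(replay_check_sequence([1, 2, 3, 4, 5, 3, 100, 36, 37, 37, 100]))
```

The window size trades replay resistance against tolerance for reordering on the WAN path: a packet later than `size` behind the newest one is dropped even if it is genuine, which is why the drop-down offers several sizes rather than a single value.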

Orchestrator Blueprint Export
Orchestrator > Orchestrator Server > Tools > Orchestrator Blueprint Export Use this dialog box to export the current Orchestrator configuration to a blueprint that you can apply to another Orchestrator instance.


You can use a blueprint when creating a new Orchestrator or when migrating an existing Orchestrator to on-prem or cloud.
· Blueprints can only be created from Orchestrators that have no appliances associated with them. If the source Orchestrator manages any appliances, blueprint creation fails.
· You can create and store multiple blueprints with the same Orchestrator.
· After creating as many blueprints as you need, you can add appliances to the source Orchestrator.
· Blueprints automatically exclude all statistics, large historical data files (including audit logs, report histories, and so forth), and account information.
To export an Orchestrator blueprint:
1. In the Orchestrator Blueprint Export dialog box, select the blueprint type: Template or Migration.
2. Click Export. Export downloads an SQL file to your local desktop.
WARNING: This completely replaces the configuration of the existing Orchestrator.
Brand Customization
Orchestrator > Orchestrator Server > Tools > Brand Customization
Use this dialog box to customize the branding aspects of the Orchestrator user interface.

Orchestrator > Software & Setup
The options under Orchestrator > Software & Setup focus on configuring the software elements of Orchestrator, including SMTP settings, creating banners, updating/upgrading Orchestrator, and more.
Upgrade Orchestrator Software
Orchestrator > Software & Setup > Upgrade > Upgrade Orchestrator
If you are already using Orchestrator . . or later and want to upgrade to a newer version, complete the following procedure.
WARNING: An upgrade that fails can put Orchestrator into a corrupt state. Be sure to back up Orchestrator before you start the upgrade process.
1. Open an SSH session to the Orchestrator.
2. Log in as admin or a user with administrative privileges.
3. Switch to root: su - root
4. Enter the root password when prompted. If you do not know your root password, contact Support.
5. Change to the /home directory: cd /home
Depending on your environment, you can upgrade Orchestrator in either of the following ways:
· Upgrade via HTTP
· Upgrade via SCP

Upgrade via HTTP

If you have an HTTP URL to the Orchestrator installation file, enter the following in the existing SSH console to run the install script and point it to the hosted installation file:

/home/gms/gms/setup/install_orchestrator.sh <HTTP URL of the Orchestrator Installation File>

NOTE: The upgrade process can take several hours to complete.

Upgrade via SCP

If you do not have an HTTP server, copy the installation file to Orchestrator by using SCP, run the install script, and point it to the local installation file:
NOTE: This procedure assumes that the scp programs on both ends are patched for CVE- and/or you trust the remote server from which you will scp the installation file.

1. From the Orchestrator SSH console, enter the following as root: mv /bin/scp-local /bin/scp
2. From your local PC console, enter the following: scp <Orchestrator Installation file> admin@<orchestrator_ip_address>:/home/gms
3. From the Orchestrator SSH console, enter the following: /home/gms/gms/setup/install_orchestrator.sh /home/gms/<Orchestrator Installation file>

NOTE: The upgrade process can take several hours to complete.

Check for Orchestrator and Appliance Software Updates
Orchestrator > Software & Setup > Upgrade > Check for Updates
These pages show what appliance and Orchestrator server software is available for download.

Back Up on Demand
Orchestrator > Software & Setup > Backup > Backup Now
Use this dialog box to back up the Orchestrator database on demand.


Schedule Orchestrator Backup
Orchestrator > Software & Setup > Backup > Schedule Backup
Use this dialog box to schedule backups of the Orchestrator database and, optionally, schedule backups of the Orchestrator Stats Collector using the same destination and schedule.

View Currently Scheduled Jobs: Click to open the Scheduled Jobs tab.


Protocol: Protocol to apply: FTP, SCP, HTTP, HTTPS, or SFTP.
Hostname: Host name of the backup server.
Username: Username that the Orchestrator server uses to log in to the backup server.
Password: Password for the username.
Directory: Directory name on the backup server.
Port: Port number of the backup server.
Max backups to retain: Maximum number of backups to retain.
Test: To verify that Orchestrator can reach the destination, click Test.
Schedule: To create a schedule, click Add. To modify a schedule, click Edit. In the Schedule dialog box, select Daily, Weekly, Monthly, or Yearly. Complete the remaining fields, and then click OK.
TIP: To specify the timezone for scheduled jobs and reports, navigate to Orchestrator > Software & Setup > Setup > Timezone for Scheduled Jobs.
Description: (Optional) Description for the backup schedule.
Stats Collector: Do one of the following:
· Select the Use Orchestrator configuration check box to back up the Orchestrator Stats Collector on the same schedule and to the same destination.
· Clear the Use Orchestrator configuration check box to specify a different backup destination and set a different schedule for the Orchestrator Stats Collector.
CAUTION: If you clear the Use Orchestrator configuration check box and you do not complete the Schedule Stats Collector Backup dialog box, the Stats Collector will not be backed up. For more information, see Schedule Stats Collector Backup.

Schedule Stats Collector Backup
Orchestrator > Software & Setup > Backup > Schedule Stats Collector Backup
Use this dialog box to schedule backups of the Orchestrator Stats Collector.


View Currently Scheduled Jobs: Click to open the Scheduled Jobs tab.
Use Orchestrator backup configuration: Select this check box to back up the Stats Collector using the same destination and schedule set in the Schedule Orchestrator Backup dialog box. For more information, see Schedule Orchestrator Backup.
Protocol: Protocol to apply: FTP, SCP, HTTP, HTTPS, or SFTP.
Hostname: Host name of the backup server.
Username: Username that the Orchestrator server uses to log in to the backup server.
Password: Password for the username.
Directory: Directory name on the backup server.
Port: Port number of the backup server.
Max backups to retain: Maximum number of backups to retain.
Test: To verify that Orchestrator can reach the destination, click Test.
Schedule: To create a schedule, click Add. To modify a schedule, click Edit. In the Schedule dialog box, select Daily, Weekly, Monthly, or Yearly. Complete the remaining fields, and then click OK.
TIP: To specify the timezone for scheduled jobs and reports, navigate to Orchestrator > Software & Setup > Setup > Timezone for Scheduled Jobs.
Description: (Optional) Description for the backup schedule.


SMTP Server Settings
Orchestrator > Software & Setup > Setup > SMTP Server Settings
For permanent and private email delivery, change the SMTP (Simple Mail Transfer Protocol) server and settings to your company's SMTP settings.

· If a test email does not arrive within minutes, check your firewall.
· After configuring the SMTP settings, you can specify email recipients for the following:
- alarms (Monitoring > Alarms > Alarm Email Recipients)
- reports (Monitoring > Reporting > Schedule & Run Reports)
Proxy Configuration
Orchestrator > Software & Setup > Setup > Proxy Configuration
If necessary (for example, because of firewall issues), you can configure a proxy for reaching the Cloud Portal.

Orchestrator HTTPS Certificate
Orchestrator > Software & Setup > Setup > HTTPS Certificate
Orchestrator includes a self-signed certificate that secures the communication between the user's browser and Orchestrator. You also have the option to install your own custom certificate, acquired from a CA authority.

To use a custom certificate with Orchestrator:
1. Consult with your IT security team to generate a certificate signing request (CSR), and submit it to your organization's chosen SSL Certificate Authority (CA).
· Examples of Certificate Authorities include GoDaddy, Verisign, Comodo, Symantec, Microsoft Entrust, and GeoTrust.
· For a list of what is supported, refer to EdgeConnect and Orchestrator Security Algorithms.

· All certificate and key files must be in PEM format.
2. After the Certificate Authority provides a CA-verified certificate:
· If your IT security team advises the use of an Intermediate CA, use an Intermediate Certificate File. Otherwise, skip this file.
· Load the Certificate File from the CA.
· Upload the Private Key File that was generated as part of the CSR.
3. To associate the CA-verified certificate for use with Orchestrator, click Upload.

Timezone for Scheduled Jobs
Orchestrator > Software & Setup > Setup > Timezone for Scheduled Jobs
Use this dialog box to set the timezone for scheduled jobs and reports.

Orchestrator Advanced Properties
Orchestrator > Software & Setup > Setup > Advanced Properties
WARNING: Changing the default settings is not recommended without consulting Support.


Change the Orchestrator Log Level
Orchestrator > Software & Setup > Setup > Change Log Level
Use this form to change what level of server-side Orchestrator logs are retained. The default is INFO.

Message Severity Levels

In decreasing order of severity, the levels are as follows.

ERROR (logged as ERR): An error. This is a non-urgent failure.
WARNING: A warning condition. Indicates an error will occur if action is not taken.
INFORMATIONAL (logged as INFO): Informational. Used by Support for debugging.
DEBUG: Used by Support for debugging.

· The abbreviated form shown in parentheses is what displays in Orchestrator logs.
· If you select INFO (the default), the log records any event with a severity of INFO, WARNING, and ERROR.
· These are purely related to event logging levels, not alarm severities, even though some naming conventions overlap. Events and alarms have different sources. When they clear, alarms list as the ALERT level in the Event Log.

IP Allow List
Orchestrator > Software & Setup > Setup > IP Allow List
IP Allow List is a feature that restricts access to Orchestrator to a specified list of source subnets. If a source IP address changes (for example, with NAT IP), users can get locked out of Orchestrator.


To view a list of traffic that has been dropped because of these restrictions, click IP Allow List Drops.
Orchestrator Getting Started Wizard
Orchestrator > Software & Setup > Setup > Configuration Wizard
When you first install Orchestrator and use a web browser to access the IP address you have assigned it, the Orchestrator Getting Started Wizard opens.
The wizard guides you through the basics of configuring the following:


Orchestrator Name, management IP address, and password: The default for username and password is admin.
License and Registration: EdgeConnect registration is required for Cloud-based features and products, including CPX and SaaS. The associated Account Name and Account Key enable Orchestrator to discover EdgeConnect appliances via the Cloud Portal, as they are added to your network.
Date/Time: Using an NTP server is strongly recommended so that data is synchronized across Orchestrator and the appliances.
Email: Change the default settings to your Company's SMTP server, and then test. Separate fields are provided for Global Report recipients and Alarm recipients.
Add Appliances: (Optional) You can use this to add NX, VX, and VRX appliances that are already up and running in your network. You can also add them later.
Backup: Specifies the database backup destination, transfer protocol, and backup schedule.

If you do not click Apply after you complete the last page, the Orchestrator wizard reappears at your next login.
To access the Orchestrator wizard again after initial configuration, navigate to Orchestrator > Software & Setup > Setup > Configuration Wizard.

Statistics Retention
Orchestrator > Software & Setup > Setup > Statistics Retention
This tab displays all the statistics Orchestrator collects from appliances. Orchestrator saves the statistics data in a database with the retention policies defined on this tab. To begin, complete the following steps:
1. Click the Edit icon in the table next to the statistic you want Orchestrator to collect.
2. To enable or disable statistics collection, select the Collect this statistic in Orchestrator check box.
3. Enter how long you want Orchestrator to retain the statistics for Minute Granularity, Hourly Granularity, and Daily Granularity before it collects data and stores it in the partition.
TIP: If you click More Options, you can enter values for the Database Duration.
4. Click Apply.
For more detail, refer to the following table:


Statistic: The selected statistic of which you want Orchestrator to collect data.
Enabled: Whether you have enabled or disabled statistics retention.
Minute Granularity (hours): Amount of time in one minute Orchestrator stores data.
Hourly Granularity (days): Amount of time in one hour Orchestrator stores data.
Daily Granularity (months): Amount of time in one day Orchestrator stores data.
Estimated Disk Space: Estimated amount of disk space the selected statistic uses. At the bottom of the screen, you can get an estimated disk space required for a number of appliances, overlays, and tunnels.

To display the default settings for appliance properties, click Advanced Properties.
WARNING: Changing the default values of these settings is not recommended without consulting Support.

Stats Collector Configuration

Orchestrator > Software & Setup > Setup > Stats Collector Configuration
Orchestrator collects statistical data from your appliances to monitor performance, network traffic, and appliance status. Before Orchestrator release . . , the process of collecting, storing, and retrieving this data impacted performance due to the amount of data stored on and requested from the database.
To improve Orchestrator performance, Orchestrator . . includes a new Stats Collector feature that eliminates the use of Orchestrator resources for monitoring your appliances. This new architecture enables you to scale your network with greater performance.
The new Stats Collector feature collects statistics from appliances and provides the information to Orchestrator. When enabled, the new Stats Collector runs in parallel with the legacy stats collector to collect the necessary historical statistical data. After collecting that data, you can discontinue legacy stats collection. You will not experience performance improvement until you discontinue legacy stats collection.

Prerequisites
· Upgrade all appliances to version . . before enabling the new Stats Collector feature.
· Create at least one remote stats collector for every appliances. If you have less than appliances, you can use the predefined local stats collector. Each remote stats collector must meet the following minimum requirements:
- CPU: GHz
- RAM: GB

Before You Begin

Before you configure the new Stats Collector feature in Orchestrator, you must:

1. Create a Remote Stats Collector.


2. Authenticate the Remote Stats Collector. Create and authenticate as many remote stats collectors as needed.

Create a Remote Stats Collector

To create a remote stats collector, use the Command Line Interface (CLI) to run an Orchestrator on a virtual machine (VM) in Stats Collector Mode only, as follows.

1. Open an SSH session to the Orchestrator you want to use as a remote stats collector.
2. Log in as admin or a user with administrative privileges.
3. Switch to root: su - root
4. When prompted, enter the root password. If you do not know your root password, contact Support.
5. Change to the gms directory: cd gms
6. Enter orch-setup, and then press Enter.
7. Enter -m, and then press Enter.
8. Enter the root password, and then press Enter.
9. At the prompt, enter s.
10. To proceed, enter y.
This VM is now a remote stats collector. Note the DNS name. You will need the DNS name when you configure the remote stats collector in Orchestrator.

Authenticate the Remote Stats Collector

After you create a remote stats collector, authenticate it by copying the Orchestrator public key and pasting it into the same folder on the new remote stats collector, as follows.

1. Open an SSH session to the Orchestrator.
2. Log in as admin or a user with administrative privileges.
3. Go to: cd /home/gms/sc/publickeys
4. To list the public key, enter ls, and then press Enter.
5. Copy the public key.
6. Open an SSH session to the remote stats collector.
7. Log in as admin or a user with administrative privileges.
8. Go to: cd /home/gms/sc/publickeys
9. Paste the public key, and then press Enter.

Configure the New Stats Collector Feature

After the remote stats collectors are created and authenticated, configure the new Stats Collector feature in Orchestrator. Complete the following tasks:


1. Back up Orchestrator. For more information about backing up Orchestrator, see Back Up on Demand.
Before you enable the new Stats Collector feature and discontinue legacy stats collection, it is recommended that you back up the Orchestrator database. Discontinuing legacy stats collection is permanent. To return to your previous configuration, you must restore the Orchestrator configuration backup.
2. Add Remote Stats Collectors. You need at least one remote stats collector for every appliances. If your network contains less than appliances, you can use the predefined local stats collector.
3. Associate Appliances with a Remote Stats Collector or Associate Appliances with the Predefined Local Stats Collector.
4. When the necessary historical data has been collected, Discontinue Legacy Stats Collection.

Add Remote Stats Collectors

You must add at least one remote stats collector for every appliances in your network.
To add a remote stats collector:

1. Navigate to Software & Setup > Setup > Stats Collector Configuration. The Stats Collector Configuration tab opens.
2. Click Edit Remote Stats Collectors. The Edit Stats Collectors dialog box opens.
3. Click Add Remote Stats Collector. The New Stats Collector dialog box opens.
4. Configure the following elements as needed:

Name: Name of the remote stats collector.
DNS Name: DNS name you noted when you created this remote stats collector.
Port: Port number the remote stats collector is running on.
Protocol: HTTPS

5. Click Save.

Delete a Remote Stats Collector

To delete an existing remote stats collector, click the delete icon (X) in the last column of the entry in the table.

Associate Appliances with a Remote Stats Collector

To associate appliances with a remote stats collector:

1. Navigate to Software & Setup > Setup > Stats Collector Configuration. The Stats Collector Configuration tab opens.


2. In the Orchestrator appliance tree, select one or more appliances to associate with a specific remote stats collector. You can associate up to appliances with each remote stats collector.
WARNING: The statistics for an appliance are tied to the remote stats collector it is associated with. If you associate an appliance with a different remote stats collector, you lose all statistical data associated with that appliance.
3. Select the Add check box next to the remote stats collector you want to associate the selected appliance(s) with.
4. Click Apply. The Apply Changes dialog box opens.
5. Click Apply Changes.

Associate Appliances with the Predefined Local Stats Collector

If you are installing Orchestrator version . . or upgrading to version . . or later, Orchestrator provides a default stats collector called local. You cannot edit or delete the local stats collector. You can associate up to appliances with the local stats collector.
NOTE: If you are upgrading to Orchestrator . . , all appliances will be automatically associated with the local stats collector.
NOTE: If you run Orchestrator in Orchestrator Only mode (orch-setup -m o), the local stats collector will be disconnected.
To associate appliances with the local stats collector:

1. Navigate to Software & Setup > Setup > Stats Collector Configuration. The Stats Collector Configuration tab opens. This tab displays the stats collector configuration for all appliances selected in the appliance tree to the left.
2. In the Orchestrator appliance tree, select one or more appliances to associate with the local stats collector.
3. Select the Add check box next to the local stats collector.
4. Click Apply. The selected appliances are associated with the local stats collector. The Changes column indicates the stats collectors that were added and removed.

Enable New Stats Collection

After you associate appliances with either the local stats collector or new remote stats collectors, you must enable the new Stats Collector feature to begin collecting data.
NOTE: The legacy stats collector continues to collect statistics in parallel with the new Stats Collector feature until you discontinue legacy stats collection. For more information, see Discontinue Legacy Stats Collection.
WARNING: You cannot disable the new Stats Collector after you enable it. It is recommended that you back up Orchestrator before you enable the new Stats Collector. For more information about backing up Orchestrator, see Back Up on Demand.
To enable the new Stats Collector:

1. Navigate to Software & Setup > Setup > Stats Collector Configuration. The Stats Collector Configuration tab opens.


2. Click Enable New Stats Collection. The Enable New Stats Collection dialog box opens.
Before you can enable the new Stats Collector feature, you must upgrade all appliances to version . . . The Enable New Stats Collection dialog box lists appliances that must be upgraded to support the new stats collection.
3. Click Enable New Stats Collection Now.

Discontinue Legacy Stats Collection

WARNING: Do not discontinue legacy stats collection until you have collected sufficient historical data with the new Stats Collector feature. For example, if you need days of statistical data, enable the new Stats Collector, wait days, and then disable the legacy stats collection.
To discontinue legacy stats collection:

1. Navigate to Software & Setup > Setup > Stats Collector Configuration. The Stats Collector Configuration tab opens.
2. Click Discontinue Legacy Stats Collection. The Discontinue Legacy Stats Collection dialog box opens.
WARNING: This step permanently disables legacy stats collection and deletes all legacy statistics.
3. Click Discontinue Legacy Stats Collection.

Notification Banner
Orchestrator > Software & Setup > Setup > Notification Banner
If you are conducting downtime or for maintenance reasons, you can add a notification in the header of your Orchestrator UI. To add a notification, complete the following steps.
1. Navigate to Orchestrator > Software & Setup > Setup > Notification Banner in Orchestrator. The Notification dialog box opens.
2. Enter the message you want to display in the Orchestrator header.
3. Click Save.

Orchestrator > Aruba Central
The options under Orchestrator > Aruba Central focus on integrating Orchestrator with Aruba Central, including creating an Aruba Central account, mapping EdgeConnect appliances, and integrating with ClearPass Policy Manager.

Aruba Central Site Mapping
Orchestrator > Aruba Central > Aruba Central Site Mapping


Use this tab to create an Aruba Central account in Orchestrator. After you create an Aruba Central account, Orchestrator maps EdgeConnect appliances to Aruba Central sites. When mapped, EdgeConnect appliances display in the Network Health tab in Aruba Central and provide real-time site health updates.
NOTE: Single Sign-On (SSO) to Aruba Central from Orchestrator is not supported. If your account is SSO-enabled, or if two-factor user verification is enabled, you will not be able to use the account for Central Site Mapping integration.
Prerequisites
Before you can integrate Unity EdgeConnect devices with Aruba Central, you must do the following:
1. Create an Aruba Central account. For more information on creating an Aruba Central account, see Aruba Central Online Help and search for "Unity EdgeConnect Integration."
2. Generate an API token for Orchestrator in Aruba Central. For more information on generating an API token for Orchestrator, see Aruba Central Online Help and search for "Unity EdgeConnect Integration."
3. Have existing Aruba Central sites to map EdgeConnect appliances to. If you do not have any existing Aruba Central sites, you can export the location details for EdgeConnect appliances and create Aruba Central sites in bulk from that exported list. For more information on creating Aruba Central sites in bulk, see Create Aruba Central Sites in Bulk.
You need the following details from your Aruba Central account.

Customer ID: Navigate to Account Home, and then click the User icon in the upper-right corner.
Email: Navigate to Account Home > API Gateway > System Apps & Tokens. The email is listed in the Name column.
Password: Navigate to Account Home > API Gateway > System Apps & Tokens, and then click View Tokens.
NOTE: If the Aruba Central password changes, you must update this password whether authentication is configured as a system user or as a federated user.
NOTE: If you do not remember the password, you must reset it from Aruba Central. For more information on resetting your Aruba Central password, see Aruba Central Online Help.
Client ID: Navigate to Accounts Home > API Gateway > APIs > System Apps & Tokens.
Client Secret: Navigate to Accounts Home > API Gateway > APIs > System Apps & Tokens.
API Gateway URL: Navigate to Account Home > API Gateway. The URL is listed in the Documentation column.
NOTE: Copy the URL without the protocol (for example, internal-apigw.central.arubanetworks.com).


Create Aruba Central Sites in Bulk

1. In Orchestrator, navigate to Administration > Software > Upgrade > System Information.
2. In the appliance tree, select the appliances you want to create Aruba Central sites for, and then click Export. Orchestrator creates and downloads a .csv file.
3. Open the .csv file, and then delete the three header rows.
TIP: Refer to the sample import file provided by Aruba Central for proper formatting. To view the sample import file, in Aruba Central, navigate to Launch > Network Operations > Organization > Sites > Bulk Upload, and then click Download a sample file on the Bulk Import dialog.
4. Save and close the file.
5. In Aruba Central, navigate to Launch > Network Operations > Organization > Sites.
6. Scroll to the bottom of the page, click Bulk Upload, and then follow the prompts.

Create an Aruba Central Account in Orchestrator

To create an Aruba Central account in Orchestrator:

1. On the Aruba Central Site Mapping tab, click Aruba Central Account. The Aruba Central Account dialog box opens.
2. Configure the following elements as needed:

Aruba Central: Status of the connection.
Customer ID: Customer ID generated from Aruba Central.
Email: Email provided by Aruba Central.
Password: Aruba Central password.
NOTE: If the Aruba Central password changes, you must update this password whether authentication is configured as a system user or as a federated user.
NOTE: If you do not remember the password, you must reset the Aruba Central password from Aruba Central. For more information on resetting your Aruba Central password, see Aruba Central Online Help.
Client ID: Client ID generated from Aruba Central.
Client Secret: Client Secret generated from Aruba Central.
API Gateway URL: API Gateway URL without protocol (for example, internal-apigw.central.arubanetworks.com).

3. To test the connection, click Test.
4. If the connection is successful, click Save. Orchestrator maps EdgeConnect appliances to Aruba Central sites based on geolocation. (Addresses assigned to EdgeConnect appliances are converted to geolocations.)


5. If "None" displays in the Aruba Central Site column of an appliance, Orchestrator did not locate an Aruba Central site within range of the appliance (within . degrees of the latitudeDelta and the longitudeDelta combined). Do one of the following:
· Edit the appliance and manually map it to any Aruba Central site. For more information on mapping an EdgeConnect appliance to an Aruba Central site, see Edit EdgeConnect to Aruba Central Site Mapping.
· Add an Aruba Central site within range of the EdgeConnect appliance, and then check for site list updates. For more information on checking for site list updates, see Check for Site List Updates.

Edit EdgeConnect to Aruba Central Site Mapping

Orchestrator maps EdgeConnect appliances to Aruba Central sites based on geolocation. Orchestrator maps EdgeConnect appliances to Aruba Central sites that are within . degrees of the latitudeDelta and the longitudeDelta combined.
You can edit an EdgeConnect appliance to map it to a different Aruba Central site. You can also edit an EdgeConnect appliance to map it to an Aruba Central site if Orchestrator did not locate an Aruba Central site within range of the EdgeConnect appliance.
To map an EdgeConnect appliance to an Aruba Central site:

1. Click the Edit icon next to an EdgeConnect appliance. The Edit EdgeConnect to Aruba Central Site Mapping dialog box opens.
2. Configure the following elements as needed:

EdgeConnect Appliance: Selected EdgeConnect appliance.
Aruba Central Site: Available sites to map the EdgeConnect appliance to.
Geolocation Suggested Site: Aruba Central site that Orchestrator mapped by geolocation to the EdgeConnect appliance.
NOTE: If you map the EdgeConnect appliance to any other site, the site that Orchestrator suggests based on geolocation will display next to that site in parentheses.

3. Click Save. Orchestrator maps the appliance to the Aruba Central site you selected.

Check for Site List Updates

To refresh the Aruba Central site list in Orchestrator to check for Aruba Central site list updates, click Check for Site List Updates.
If new Aruba Central sites are detected within range of unmapped EdgeConnect appliances (within . degrees of the latitudeDelta and the longitudeDelta combined), Orchestrator maps the EdgeConnect appliances to the new Aruba Central sites.


ClearPass Policy Manager
Orchestrator > Aruba Central > ClearPass Policy Manager
Orchestrator supports association with ClearPass Policy Manager, which provides role-based and secure network access for devices. This integration provides user and role information for an IP address, which you can view on the Flows and Top Talkers tabs of Orchestrator. The ClearPass Policy Manager tab displays information about users and devices provisioned to access your network via ClearPass. The searchable information on this tab includes details such as username, IP address, and role. You can apply the following filters to your ClearPass logs:
· To determine which actions you want to display in the table, select the All, Active, or Historical filters.
· To refresh or pause the table, select Auto Refresh or Pause. By default, the table refreshes automatically.
· To limit the filtering criteria, enter a value in the Record Count field. The default value is , and the maximum value is , .
· To filter by date and time, enter values in the From and To fields.
· To search for a specific username, enter a value in the User field. You can search with a wildcard character (*) in a username using the following schema:
- x* = anything that starts with the entered value
- *x = anything that ends with the entered value
· To search for a specific IP address, enter a value in the IP field.
To export a .csv file of your table, click Export.

Start Time: Time when the device began its network session.
End Time: Time when the device ended its network session.
CPPM: ClearPass Policy Manager server used to authenticate.
IP Address: IP address authenticated to the network.
Username: Username authenticated to the network.
Role: Role assigned to the user that authenticated to the network.
Device Type: Device type used to connect to the network.
MAC Address: MAC address of the system connecting to the network.
Posture: Security health posture of the connected device.
Location ID: Location ID of the user connecting to the network.
Protocol: Type of authentication server used to connect to the network.
Details: All user information sent from CPPM but not required by Orchestrator. Values are in JSON format.


Manage CPPM Accounts

To view and manage ClearPass accounts that are associated with Orchestrator, click Accounts on the ClearPass Policy Manager tab.
NOTE: Before you begin the ClearPass Policy Manager (CPPM) configuration in Orchestrator, you must have a ClearPass account to authenticate and authorize Orchestrator. If you do not have these credentials, contact your system administrator.

View CPPM Accounts

The ClearPass Policy Manager Accounts dialog box displays the following information about ClearPass accounts that are already associated with Orchestrator:

Field: Definition
Edit: Click the icon to edit your CPPM instance.
Name: Name of your CPPM instance.
Domain/IP: Domain or URL of your CPPM instance.
Connectivity: Status of the connection between Orchestrator and your CPPM instance. The status may appear as Connected, Connecting, Auth Failed, or Unreachable.
Service Status: Status of your CPPM instance. A status other than Connected could indicate a problem with your CPPM configuration. To troubleshoot, click the Info icon, and then reset any service that is not currently connected.
Pause: To pause the connection for your CPPM instance, click this toggle.

Add CPPM Server

Follow the steps below to add a new ClearPass Policy Manager account.

1. If not already opened, click Accounts to open the ClearPass Policy Manager Accounts dialog box.
2. Click +Add New Server. The ClearPass Policy Manager Server Configuration dialog box opens.
3. Enter the following information:

Field: Definition
Name: Name of your CPPM instance.
Domain/IP: Domain or URL of your CPPM instance.
Client ID: Client ID generated from your CPPM account.
Secret Key: Secret key generated from your CPPM account.
Verify server certificate: If you are using cloud instances of both CPPM and Orchestrator, or if you are using an on-premise instance of CPPM with a valid certificate, select this check box. If you are using an on-premise instance of Orchestrator or an on-premise instance of CPPM without a valid certificate, clear this check box. With the check box cleared, Orchestrator does not verify the identity of the CPPM server it connects to, so the Client ID and Secret Key are presented to whatever host answers at the configured Domain/IP; treat this as a temporary setting and install a certificate that Orchestrator trusts as soon as you can.

4. Click Save.
Your CPPM instance now appears in the ClearPass Policy Manager Accounts dialog box. The Connectivity and Service Status fields should both appear as Connected.

Edit CPPM Server

1. If not already opened, click Accounts to open the ClearPass Policy Manager Accounts dialog box.
2. Click the Edit icon next to the instance you want to edit. The ClearPass Policy Manager Server Configuration dialog box opens.
3. Edit the information in the dialog box, and then click Save.

Pause CPPM Integration

To pause the integration between CPPM and Orchestrator, click Pause Orchestration from the ClearPass Policy Manager tab.
NOTE: Clicking Pause Orchestration pauses the connection between all instances of CPPM configured in Orchestrator. To pause an individual instance, click Accounts, and then click the toggle under Pause for the instance you want to pause.

Support
The menus under Support provide troubleshooting tools and different options for working with Support, including opening a support case. You can use these menus to gather information to help Support troubleshoot issues. These menus are organized as follows:
· Technical Assistance
· User Documentation
· Reporting
Support > Technical Assistance
The options under Support > Technical Assistance provide resources that can assist you as you work with Support, such as logging into the Support Portal, creating support cases and uploading files, capturing packets from appliances, enabling Support to remotely access your computer, and running an RMA Wizard that automates the process for exchanging or replacing appliances.
Tech Support - Appliances
Support > Technical Assistance > Tech Support - Appliances Use this tab to create a new case, generate a system dump, upload files to an existing case, or download selected files to Orchestrator. By default, the table displays all files available on the selected appliances. Click the appropriate button to filter files by type (Logs, Sys Dump, Snapshot, TCP Dump). The table includes the following details for each file:


Field: Description
Appliance Name: Name of the appliance on which the file is available.
File Type: Specific file type (log, sys dump, snapshot, or TCP dump).
File Name: Name of the file.
Last Modified: Date when the file was last modified.
File Size: Size of the file.

Download to Orchestrator
Complete the following steps if you want to download one or more files to Orchestrator.
1. Select one or more files in the table (use Ctrl or Shift to select multiple files).
2. Click the Download to Orchestrator button above the table.
3. When prompted, click Download to confirm or click Close to cancel. The Monitor Transfer Progress window appears, showing the status of current and previous downloads.
4. To stop any downloads that are not yet finished, click Cancel.
NOTE: To access any files that have been downloaded, open the Tech Support - Orchestrator tab under the Support menu. After selecting one or more files, you can create a new case, upload files to an existing case, or download files to your local machine.

Tech Support - Orchestrator

Support > Technical Assistance > Tech Support - Orchestrator
This tab displays a list of Orchestrator log files and system dump files, as well as support files that have been downloaded from appliances. You can use these files to create or update support cases, or you can download files to your local machine from Orchestrator.
By default, the table displays all files available on Orchestrator. Click the appropriate button to filter files by type (logs, system dumps, or appliance files). The table includes the following details for each file:

Field: Description
Source: Source of the selected file (Orchestrator or a specific appliance).
File Type: Specific file type (log, sys dump, snapshot, or TCP dump).
File Name: Name of the file.
Last Modified: Date when the file was last modified.
File Size: Size of the file.

Take Action on Files
With one or more files selected, you can create a new support case, add files to an existing case, or download files to your local machine.


· Click Create Case to open a new support case. Fill in a few additional details and the selected files will be attached to a new support case.
· Click Upload Selected Files to attach files to an existing support case. You will need to know the case number when using this option.
· Click Download selected Files to download files to your local machine. Confirm the download and select a location where you want to save the files.

Log In to the Support Portal
Support > Technical Assistance > Support Portal Log-in When you have a Silver Peak account and need technical assistance or customer support, select Support > Technical Assistance > Support Portal Log-in. The Support Portal login page opens in a separate browser tab.

You can also access this page directly by going to Silver Peak's web page and selecting Support > Customer Login from the menu bar.
Monitor Transfer Progress
Support > Technical Assistance > Monitor Transfer Progress This table displays the current status of any files being uploaded to Support.

Packet Capture
Support > Technical Assistance > Packet Capture When requested by Support, use this dialog box to capture packets from one to five appliances, selected in the appliance tree.
Upload Local Files
Support > Technical Assistance > Upload Local Files Use this dialog box to upload files related to your Support case from your computer.

Create a Support Case
Support > Technical Assistance > Create Case Use this dialog box to create a Support case. You will receive a case number and instructions for what to do next.

Partition Management
Support > Technical Assistance > Partition Management
Use this tab to regain Orchestrator disk space by selectively eliminating statistics no longer needed.

Remote Log Receivers

Support > Technical Assistance > Remote Log Receiver
This table lists all remote log receivers configured in Orchestrator. You can send your data to the following types of receivers: HTTP, HTTPS, KAFKA, SYSLOG, and WEBSOCKET. Each receiver type uses a different mechanism for delivering asynchronous notifications. After you determine which type of receiver you want to send your data to, configure the settings specific to that receiver. Note that an HTTP receiver carries both the log content and the Basic Authentication credentials in cleartext on the network; where the receiving system supports it, use the HTTPS receiver instead.
Complete the following instructions to add a receiver.
1. Click Add Receiver.
2. Select the type of receiver you want to use from the list.
3. Depending on which receiver you choose, a settings pop-up appears. Enter the appropriate information for that receiver; see the tables below for each receiver's settings.
4. Click Save.

HTTP Receiver Settings

Field: Description
Enable: Click this slider to toggle between the enabled and disabled states.
Receiver Name: Name of the receiver the logs are going to.
Log Type: Select the type of log you want to send from the list.
URL: URL served by the HTTP log server, to which Orchestrator sends log data with POST REST calls.
User Name: User name used in Basic Authentication when making REST calls (optional).
Password: Password used in Basic Authentication when making REST calls (optional).
Repeat Password: Your password repeated.

HTTPS Receiver Settings

Field: Description
Enable: Click this slider to toggle between the enabled and disabled states.
Receiver Name: Name of the receiver the logs are going to.
Log Type: Select the type of log you want to send from the list.
URL: URL of the HTTPS receiver.
User Name: User name used in Basic Authentication when making REST calls (optional).
Password: Password used in Basic Authentication when making REST calls (optional).
Repeat Password: Your password repeated.
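The receiver side of the HTTP and HTTPS settings above, as an added example that is not Aruba/HPE code: a small Python server that accepts the POST REST calls, checks the Basic Authentication user name and password without a timing side channel, bounds the body size before reading it, and parses the JSON batch. The credential values, the listening address, and the record layout in SAMPLE_BODY are assumptions made for this example; the page does not document the payload schema. To serve HTTPS, wrap the listening socket with ssl.SSLContext.wrap_socket before calling serve_forever.

```python
"""Minimal HTTP(S) log receiver for Orchestrator-style POST deliveries.

Added example, not Aruba/HPE code. Assumptions: Orchestrator POSTs a JSON
body to the configured URL and sends the configured User Name / Password as
an HTTP Basic Authorization header. The record layout in SAMPLE_BODY is
constructed for this example; the real payload schema is not documented.
"""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Mirror of the User Name / Password fields configured on the Orchestrator
# side (assumed values for the example).
EXPECTED_USER = "orch-logs"
EXPECTED_PASS = "replace-with-a-long-random-secret"
MAX_BODY_BYTES = 1_000_000  # refuse oversized bodies before reading them


def authorize(header_value, expected_user=EXPECTED_USER, expected_pass=EXPECTED_PASS):
    """True only for a well-formed Basic header carrying the expected credentials.
    compare_digest keeps the comparison time independent of where the first
    mismatching byte is, so a sender cannot guess the secret byte by byte."""
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, sep, password = raw.partition(":")
    if not sep:
        return False
    user_ok = hmac.compare_digest(user.encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(password.encode(), expected_pass.encode())
    return user_ok and pass_ok


def parse_log_batch(body):
    """Parse a JSON body into a list of record dicts.
    Accepts a single object or an array of objects (assumed shape); anything
    else is rejected rather than guessed at."""
    data = json.loads(body)
    records = data if isinstance(data, list) else [data]
    if not all(isinstance(r, dict) for r in records):
        raise ValueError("log batch must be an object or an array of objects")
    return records


class LogReceiver(BaseHTTPRequestHandler):
    """Accepts authenticated POSTs and stores the parsed records."""

    received = []  # class-level sink so the records can be inspected

    def do_POST(self):
        if not authorize(self.headers.get("Authorization")):
            # Same answer for every credential failure; no hint about the URL.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="log-receiver"')
            self.end_headers()
            return
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if length <= 0 or length > MAX_BODY_BYTES:
            self.send_response(413)  # reject before allocating for the body
            self.end_headers()
            return
        try:
            records = parse_log_batch(self.rfile.read(length))
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        LogReceiver.received.extend(records)
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


def basic_header(user, password):
    """Build the Authorization header an HTTP client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample payload, not a captured Orchestrator message.
SAMPLE_BODY = json.dumps([
    {"timestamp": "2023-01-13T10:00:00Z", "user": "admin", "action": "login"},
    {"timestamp": "2023-01-13T10:00:05Z", "user": "admin", "action": "policy_save"},
]).encode()

if __name__ == "__main__":
    # For HTTPS, wrap the server socket with ssl.SSLContext.wrap_socket first.
    HTTPServer(("127.0.0.1", 8080), LogReceiver).serve_forever()
```

Answering 401 with a WWW-Authenticate header for every credential failure, and 413 before reading an oversized body, means an unauthenticated sender can neither learn whether the URL is the right one nor make the receiver buffer an arbitrarily large request.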

KAFKA Receiver Settings

Field: Description
Enable: Click this slider to toggle between the enabled and disabled states.
Receiver Name: Name of the receiver the logs are going to.
Log Type: Select the type of log you want to send from the list.
Topic: Topic name on the KAFKA receiver.
Bootstrap Servers: Host and port served by the KAFKA receiver. For example, "xxx.com: ", " . . . : ".
Acks: Defines how many KAFKA servers must acknowledge a message before it is considered delivered.
­ acks=0: Expect no acknowledgement.
­ acks=1: Only the leader server must acknowledge.
­ acks=all: All servers must acknowledge.
Retries: Number of times KAFKA retries before returning an error.
Batch Size: Messages are collected into a batch until this size is exceeded.
Buffer Size: Maximum memory size that can be used for buffering messages. When the buffer size is exceeded, sending blocks.
Linger Time: Amount of time KAFKA waits before sending the next message batch.

SYSLOG Receiver Settings

Field: Description
Enable: Click this slider to toggle between the enabled and disabled states.

General Settings

Field: Description
Log Type: Type of log being sent to the SYSLOG receiver.
Protocol: Protocol used between the devices.
Hostname: Hostname of the SYSLOG receiver, used to identify the device.
Port: Port number on which the SYSLOG receiver accepts incoming events.
Custom Data: Custom data embedded inside the SYSLOG message.

Facility Settings

Field: Description
Audit Log: Syslog facility assigned to audit log messages.

Audit Log Severity Settings

Field: Description
Error: Severity level assigned to error messages; select from the drop-down menu.
Info: Severity level assigned to informational messages; select from the drop-down menu.
Debug: Severity level assigned to debug messages; select from the drop-down menu.
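What a SYSLOG receiver has to do with the settings above, as an added example that is not part of the Aruba documentation or product: decode the PRI value into the facility chosen under Facility Settings and the severity chosen under Audit Log Severity Settings, pull structured data (where Custom Data would travel) out of an RFC 5424 header, and filter audit events by severity. The sample lines, the local0 facility, and the AUDIT message ID are constructed assumptions; the UDP listener at the end is optional and is not needed to run the functions.

```python
"""Decode syslog events the way a SYSLOG receiver must.

Added example, not Aruba/HPE code. PRI = facility * 8 + severity; the
facility and severity values are those configured under Facility Settings
and Audit Log Severity Settings. Sample lines are constructed, not captured.
"""
import re
import socketserver

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
# Index is the numeric severity; lower numbers are more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<proc>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\](?:\[.*?\])*)(?: (?P<msg>.*))?$"
)
# RFC 3164 (BSD) fallback: <PRI> then free text; only PRI is reliable there.
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<msg>.*)$")
SD_PARAM = re.compile(r'(\w[\w.@-]*)="((?:[^"\\]|\\.)*)"')


def decode_pri(pri):
    """Split PRI into (facility, severity); valid PRI values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_syslog(line):
    """Return a dict describing one event, or raise ValueError on junk."""
    m = RFC5424.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        custom = {} if m["sd"] == "-" else dict(SD_PARAM.findall(m["sd"]))
        return {"facility": FACILITIES.get(fac, f"facility{fac}"),
                "severity": SEVERITIES[sev], "host": m["host"], "app": m["app"],
                "msgid": m["msgid"], "custom": custom, "msg": m["msg"] or ""}
    m = RFC3164.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return {"facility": FACILITIES.get(fac, f"facility{fac}"),
                "severity": SEVERITIES[sev], "host": None, "app": None,
                "msgid": None, "custom": {}, "msg": m["msg"]}
    raise ValueError("not a syslog line: " + line[:40])


def audit_events(lines, facility="local0", at_least="info"):
    """Keep events from the audit facility at or above a severity threshold.
    'At least info' means numeric severity <= 6, because lower is more severe."""
    threshold = SEVERITIES.index(at_least)
    kept = []
    for line in lines:
        try:
            ev = parse_syslog(line)
        except ValueError:
            continue  # malformed input is dropped; it must not crash the receiver
        if ev["facility"] == facility and SEVERITIES.index(ev["severity"]) <= threshold:
            kept.append(ev)
    return kept


class SyslogUDPHandler(socketserver.BaseRequestHandler):
    """UDP listener that feeds each datagram through audit_events."""
    def handle(self):
        data = self.request[0].decode("utf-8", errors="replace")
        for ev in audit_events(data.splitlines()):
            print(ev["severity"], ev["msg"])


# Constructed sample input (not captured from a real Orchestrator).
SAMPLE_LINES = [
    '<134>1 2023-01-13T10:00:00Z orch01 orchestrator - AUDIT [custom@32473 site="hq"] user admin logged in',
    '<131>1 2023-01-13T10:00:07Z orch01 orchestrator - AUDIT - policy push failed for appliance ec-12',
    '<135>1 2023-01-13T10:00:09Z orch01 orchestrator - AUDIT - debug: cache refresh',
    '<38>Jan 13 10:00:11 host1 sshd[812]: Accepted publickey for ops',
    'garbage line with no PRI',
]

if __name__ == "__main__":
    socketserver.UDPServer(("127.0.0.1", 5514), SyslogUDPHandler).serve_forever()
```

The Error, Info, and Debug settings on the Orchestrator side decide which numeric severity each audit message carries; the receiver sees only the PRI, so the filter above is where a SIEM decides which of those messages are worth keeping.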

WEBSOCKET Receiver Settings

Provides a reliable streaming mechanism for alarms and Orchestrator audit logs across all appliances. The connection is initiated from the client side and authenticated by Orchestrator. Once authenticated, Orchestrator sends asynchronous notifications as JSON objects.

Field: Description
Enable: Click this slider to toggle between the enabled and disabled states.
Name: Name of the WebSocket receiver.
Log Type: Type of log being sent to the WebSocket receiver.
IP Allow List: List of source IP addresses that are allowed WebSocket access to Orchestrator.

WebSocket Receiver Connectivity

You need the following items to establish connectivity between Orchestrator and the WebSocket receiver:
· Key generated by Orchestrator after the above configuration is completed
· ID created by Orchestrator when it configures the WebSocket server
Treat the key and ID as credentials. Keep the IP Allow List as narrow as possible so that a key that leaks cannot be used from an arbitrary source address.

Routing Peers Table
Support > Technical Assistance > Routing Peers Table The Routing Peer Table page can be used to track the communication between multiple peers within a network and for troubleshooting purposes. This page also reflects the details of the subnet information being shared between each set of peers. The following table describes the values for the Routing Peers table.

Field: Description
Appliance Name: Name of the appliance.
Peer ID: ID of the peer.
Peer Name: Name of the peer.
Role: Whether the specified peer is a hub or a spoke in the topology.
Last Transmission Count: Last transaction count that was sent to the peer.
Time since Last Transmission: Number of seconds elapsed since the last subnet update was sent to the peer.
Last Received Count: Last transaction count received from the peer.
Time since Last Received: Amount of time since the last update was received from the peer.
MainVer and Region: Main version and region of the designated peer.
Message: Peer information to assist Support in troubleshooting.

RMA Wizard
Support > Technical Assistance > RMA The RMA (Return Merchandise Authorization) Wizard automates the RMA process for an exchange or replacement of your appliance, if needed. It includes appliance discovery, the version of the appliance, and a backup selection. Use this screen as instructed by Support to prepare an RMA.


Note the following before you begin the RMA process.
· Upgrade or downgrade the new appliance to the same software version before shipping it to the site. This will save time.
· Perform a backup of the Orchestrator and EdgeConnect appliances.
· Install the new EdgeConnect appliance onsite.
· When Orchestrator discovers the new device, do not approve it. Start the RMA process to move the license to the new EdgeConnect appliance.

Run the RMA Wizard

Complete the following steps to RMA your appliance.

1. Navigate to the RMA tab in Orchestrator.
2. Select the appliance you want to replace from the menu.
NOTE: The IP address, appliance model, hostname, serial number, and software version auto-populate after you select the appliance.
3. Select the newly discovered appliance that will replace the current appliance.
NOTE: The IP address, appliance model, hostname, serial number, and software version auto-populate after you select the appliance.
4. Click Next >.
5. If you are adding a backup appliance, proceed to the next section. Otherwise, click Apply. The Applying Configuration dialog box opens and displays the status of the upgrade and restore.


Add a Backup Appliance

If you choose to add a backup appliance from the table, complete the following steps.

1. Select the backup appliance from the table.
2. Select the version you want the backup appliance to have from the drop-down menu.
NOTE: If your selection results in a software downgrade, a backup must be provided.

Upgrade or Downgrade

If the software version you selected for your backup appliance is higher than that of the discovered appliance, you will need to do the following:
· Upgrade to the new version using Orchestrator.
· Back up the appliance from a restore, if applicable.

If the software version you selected for your backup appliance is lower than that of the discovered appliance, you will need to do the following:
· Install the desired version as the next boot version on the appliance.
· Restore from backup.

Support > User Documentation
The options under Support > User Documentation provide resources and documentation that support your use of Orchestrator.

Alarm Descriptions
Support > User Documentation > Alarm Descriptions
Orchestrator enables you to export to a CSV file a full list of alarms you could potentially receive. To automatically export the CSV file, navigate to Support > User Documentation > Alarm Descriptions.
The CSV file includes the following information:
· Type ID: Unique ID assigned to the alarm.
· Severity: Severity level of the alarm, as follows:
­ Critical: Critical alarms are service-affecting and require immediate attention. They reflect conditions that adversely affect an appliance or indicate the loss of a broad category of service.
­ Major: While service-affecting, major alarms are less severe than critical alarms. They reflect conditions that should be addressed in the next hours. An example would be an alarm caused by an unexpected traffic class error.
­ Minor: Minor alarms are not service-affecting and can be addressed at any time. Examples include alarms caused by a user who has not changed their account's default password, a degraded disk, or a software version mismatch.
­ Warning: Warning alarms are not service-affecting. They warn of conditions that could become problems over time, for example an alarm caused by IP SLA being down.

· Description: Brief description of the alarm.
· Recommended Action: Recommended actions to take to resolve the alarm.
· Service Affecting: Indicates whether the alarm is service affecting.
· Source: Indicates where the alarm originated.
· System Type: Identifies the type of system the alarm originated from, as follows:
­ : EdgeConnect appliance
­ : Orchestrator
­ : Orchestrator-SP or Orchestrator Global Enterprise
· Source Type: Identifies the alarm category, as follows:
­ : Tunnel (applicable to both Orchestrator and appliance alarms)
­ : Traffic Class (applicable to appliance alarms only)
­ : Equipment
­ : Software
­ : Threshold Crossing (applicable to appliance alarms only)
· Alarm Type: Index into the specific alarm category. For example, within the Tunnel alarm category, there is an alarm type associated with index (INTERFACES_WITH_DUPLICATE_IP_EXIST), another with index (INTERFACES_WITH_NO_PUBLIC_IP_EXIST), and so forth. Each alarm type within an alarm category has a unique ID.
· Clearable: Indicates whether you can clear the alarm.
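One way to triage the exported CSV, as an added example that is not Aruba/HPE code: load it, verify that the header carries the columns listed above, pull out the service-affecting Critical and Major alarms with the non-clearable ones first, and count alarms per System Type and Source Type so a detection rule set can be checked for gaps. The exact header strings and the Yes/No encoding of the Service Affecting and Clearable columns are assumptions, and SAMPLE_CSV is constructed for the example, not a real export.

```python
"""Triage the Alarm Descriptions CSV export.

Added example, not Aruba/HPE code. Column names are the field labels listed
on the page; whether the export uses exactly these header strings, and the
Yes/No encoding of boolean columns, are assumptions. SAMPLE_CSV is constructed.
"""
import csv
import io
from collections import Counter

SEVERITY_RANK = {"Critical": 0, "Major": 1, "Minor": 2, "Warning": 3}
COLUMNS = ["Type ID", "Severity", "Description", "Recommended Action",
           "Service Affecting", "Source", "System Type", "Source Type",
           "Alarm Type", "Clearable"]


def _truthy(value):
    return str(value).strip().lower() in {"yes", "true", "1", "y"}


def load_alarms(text):
    """Parse the CSV text, validate the header, and return a list of dicts.
    Failing loudly on a header mismatch beats silently triaging the wrong column."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("export is missing columns: " + ", ".join(missing))
    rows = []
    for row in reader:
        if row["Severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {row['Severity']!r} for {row['Type ID']}")
        rows.append(row)
    return rows


def page_worthy(alarms):
    """Alarms that justify an immediate page: service-affecting and at least
    Major, most severe first. Within one severity, non-clearable alarms come
    first because nobody can silence them from the UI."""
    picked = [a for a in alarms
              if _truthy(a["Service Affecting"]) and SEVERITY_RANK[a["Severity"]] <= 1]
    return sorted(picked, key=lambda a: (SEVERITY_RANK[a["Severity"]],
                                         _truthy(a["Clearable"]), a["Type ID"]))


def count_by_category(alarms):
    """Counter of (System Type, Source Type) pairs, for checking that a SIEM
    rule set covers every category the export can emit."""
    return Counter((a["System Type"], a["Source Type"]) for a in alarms)


# Constructed sample export (column order follows the page; values invented).
SAMPLE_CSV = """Type ID,Severity,Description,Recommended Action,Service Affecting,Source,System Type,Source Type,Alarm Type,Clearable
1001,Critical,Tunnel down,Check WAN link,Yes,appliance,EdgeConnect appliance,Tunnel,TUNNEL_DOWN,No
1002,Major,Traffic class error,Review QoS policy,Yes,appliance,EdgeConnect appliance,Traffic Class,TC_ERROR,Yes
1003,Minor,Default password unchanged,Change the password,No,appliance,EdgeConnect appliance,Software,DEFAULT_PASSWORD,Yes
1004,Warning,IP SLA down,Verify SLA target,No,appliance,EdgeConnect appliance,Threshold Crossing,SLA_DOWN,Yes
2001,Major,Orchestrator disk nearly full,Free disk space,Yes,orchestrator,Orchestrator,Equipment,DISK_FULL,No
"""

if __name__ == "__main__":
    for a in page_worthy(load_alarms(SAMPLE_CSV)):
        print(a["Severity"], a["Type ID"], a["Description"])
```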

Built-in Policies
Support > User Documentation > Built-in Policies This table displays read-only built-in policies, which are executed before any other policies.

Support > Reporting
The options under Support > Reporting focus on reports that can assist you with troubleshooting.

Realtime Charts
Support > Reporting > Realtime Charts As an aid to troubleshooting, Realtime Charts are useful for monitoring the performance of individual appliances. You can save sets of charts as dashboards.

1. Select the filters you want, and then click Plot. The chart appears at the bottom of the page.
2. To save as a dashboard, click Save As, and then enter a name for your dashboard. Do not include spaces in the name. Click Save. If successful, a green Success bar appears and the dashboard name shows up in the Dashboard field. To retrieve it later, go to this tab and choose the dashboard from the drop-down list.
Historical Charts
Support > Reporting > Historical Charts As an aid to troubleshooting, Historical Charts are useful for reviewing the performance of individual appliances. You can save sets of charts as dashboards.

Appliance Charts
Support > Reporting > Appliance Charts Use this dialog box to access an individual appliance's realtime and historical charts.

Internal Drop Trends
Support > Reporting > Dropped Packet Trends The Internal Drop Trends report shows internal packet drop trends for a single selected appliance. The charts that are displayed will vary according to the cause of the drop. Charts are available in real time or for a specific time period. Real time charts show drops over the last five minutes and refresh every five seconds.

You can customize the chart settings using the controls at the top of the tab, as follows:

Option: Description
Time period: Click Real Time to enable live statistics for all available interfaces. Click a predefined time period (1h, 4h, 1d, 7d) to display statistics over the last hour, four hours, day, or seven days. Click Custom and set your own custom time range to display statistics for that time period.
Show in UTC: Click this option to toggle chart times between local appliance time and UTC.
Large: Click this option to toggle the size of the charts between smaller (default) and large.
Lock Scale: By default, each chart uses its own scale that is relative to the data displayed. Click this option to apply and lock the same scale to each chart.
Refresh: Click the Refresh button to fetch data again for the selected time period.
Granularity: When a custom time period is used, select the granularity level to be applied to the charts (Minute, Hour, or Day).

Appliance Memory Trends
Support > Reporting > Appliance Memory Trends The System view shows appliance daily memory usage.

The Process view is for individual appliances.

System Performance
Support > Reporting > System Performance This tab shows Orchestrator metrics. Orchestrators located in the cloud cannot display useful information about host memory, file descriptors, sockets, or pipes.

Appliance CPU Usage
Support > Reporting > Appliance CPU Usage The charts on this page provide real-time views of combined and individual CPU usage statistics for a single selected appliance. Charts show the past five minutes of usage and refresh every five seconds. By default, only total utilization is displayed on the charts. You can toggle the available statistics on or off by clicking the sample indicator line next to each statistic name. NOTE: On appliances with Boost enabled, it is common for non-CPU cores to run at or close to %. CPU will show occasional spikes of high usage when statistics are rolled up and archived.

Appliance Crash Report
Support > Reporting > Appliance Crash Report This report, which you can forward to Support, lists appliance crashes.


Orchestrator Debug
Support > Reporting > Orchestrator Debug This screen contains the various debugging tools available to Support for troubleshooting and debugging issues with Orchestrator.

IPSec UDP Status

Support > Reporting > IPSec UDP Status
Use this tab to review and monitor the IPSec UDP key material status for all appliances in your network.

Field: Description
Host Name: Host name of the appliance.
Active Key: Indicates whether the appliance is using the active IPSec UDP key.
Active Key Pushed Time: Time when the active key was pushed to the appliance.
Active Key Activation Time: Time when the key was activated on the appliance.
Reachability: Indicates whether the appliance is reachable.
Detail: Additional details about reachability or key material status.


Unverified Emails
Support > Reporting > Unverified Emails When you add an email address to either the Alarms or the Reports email distribution list, Orchestrator sends the recipient an email that contains a link, asking them to click to provide verification. If Orchestrator does not receive a verification, either the recipient has not responded or the email address is invalid.

· An unverified email address remains inactive and does not generate an alarm.
· You can retest an address with Resend.
· You can only correct an email address in the Alarm or Reports email distribution list.