Deployment Profiles - SD-WAN Orchestrator Docs
Deployment Profiles
Instead of configuring each appliance separately, you can create various Deployment Profiles and provision a device by applying the profile you want. For example, you can create a standard format for your branch.
TIP: For a smoother workflow, complete the DHCP Server Defaults tab (Configuration > Networking > DHCP Server Defaults) before creating Deployment Profiles.
You can use Deployment Profiles to simplify provisioning, regardless of whether you choose to create and use Business Intent Overlays.
NOTE: You cannot edit IP/Mask fields because they are appliance-specific.
Map Labels to Interfaces
• On the LAN side, labels are optional. They can be used as match criteria for Business Intent Overlay ACLs, such as data, VoIP, or replication.
• On the WAN side, labels identify the link type, such as MPLS or Internet. These labels are mandatory: Orchestrator uses them to build Business Intent Overlay policies.
• To create or manage a global pool of labels, either:
• Navigate to Configuration > Overlays & Security > Deployment Profiles, click the Edit icon next to Label, and make the appropriate changes, or
• Navigate to Configuration > Overlays & Security > Interface Labels and make the appropriate changes.
• A change you make to a label propagates automatically. For example, renaming a label renames the tunnels that use that labeled interface.
DHCP/BOOTP Relay
Destination DHCP/BOOTP Server: IP address of the DHCP server that assigns the IP addresses. This setting applies to the local interface only.
Enable Option 82: When selected, inserts additional information (the DHCP Relay Agent Information option) into the packet header to identify the client's point of attachment. This setting applies to all LAN-side interfaces on this appliance.
IMPORTANT: Changing this setting will modify Option 82 settings on all LAN-side interfaces that are enabled as DHCP Relay.
Option 82 Policy: Tells the relay what to do with the Option 82 hex string it receives in a packet that already carries the option. The choices are append, replace, forward, and discard. This setting applies to all LAN-side interfaces on this appliance.
IMPORTANT: Changing this setting will modify Option 82 settings on all LAN-side interfaces that are enabled as DHCP Relay.
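The following is an added example written for this page, not the appliance's own relay code, showing how a DHCP relay applies the four Option 82 policies named above. Option 82 is the DHCP Relay Agent Information option (RFC 3046); its value is a list of sub-options such as Circuit-ID (1) and Remote-ID (2). The packet bytes, circuit and remote IDs, and the relay_options function name are constructed for illustration.

```python
# Added example (not the appliance's implementation): DHCP Option 82 relay policies.
OPT_RELAY_AGENT = 82
OPT_END = 255
OPT_PAD = 0
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def parse_options(data):
    """Parse a DHCP options field (after the magic cookie) into (code, value) pairs."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        opts.append((code, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return opts


def build_options(opts):
    """Serialise (code, value) pairs back into a DHCP options field."""
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("DHCP option value exceeds 255 bytes")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def relay_agent_info(circuit_id, remote_id):
    """Encode an Option 82 value carrying a Circuit-ID and a Remote-ID sub-option."""
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def relay_options(options, local_info, enabled=True, policy="replace"):
    """Return the options to forward to the DHCP server, or None to discard the packet.

    enabled mirrors 'Enable Option 82'; policy mirrors 'Option 82 Policy' and only
    matters when the received packet already carries Option 82 (for example because
    a downstream relay inserted it). A packet without Option 82 always gets this
    relay's own information inserted when the feature is enabled.
    """
    if not enabled:
        return options                       # relay the packet unchanged
    opts = parse_options(options)
    existing = [v for c, v in opts if c == OPT_RELAY_AGENT]
    others = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
    if not existing:
        return build_options(others + [(OPT_RELAY_AGENT, local_info)])
    if policy == "discard":
        return None                          # drop packets that already carry Option 82
    if policy == "forward":
        return build_options(opts)           # leave the downstream relay's info untouched
    if policy == "replace":
        return build_options(others + [(OPT_RELAY_AGENT, local_info)])
    if policy == "append":
        return build_options(others + [(OPT_RELAY_AGENT, existing[0] + local_info)])
    raise ValueError("unknown Option 82 policy: %r" % policy)


if __name__ == "__main__":
    # Constructed packets: a plain DHCPDISCOVER and one already tagged by a downstream relay.
    local = relay_agent_info(b"lan0", b"edge-branch-1")
    discover = build_options([(53, b"\x01")])
    tagged = build_options([(53, b"\x01"), (OPT_RELAY_AGENT, relay_agent_info(b"port7", b"sw1"))])
    print("fresh   ", relay_options(discover, local).hex())
    for pol in ("append", "replace", "forward", "discard"):
        result = relay_options(tagged, local, policy=pol)
        print("%-8s" % pol, result.hex() if result else "discarded")
```

The security-relevant point is that "forward" trusts whatever Option 82 a downstream device inserted, so a client able to craft its own Option 82 can influence server-side address assignment or logging; "replace" and "discard" are the conservative settings when no trusted relay sits between the client and this appliance.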
WAN–side Configuration
Select the WAN-side label you want to apply to this deployment. Click the edit icon to add a new
interface or delete a previously configured interface.
Firewall Zone: Zone-based firewall policies are configured globally on the Orchestrator. A zone is
applied to an Interface. By default, traffic is allowed between interfaces labeled with the same zone.
Any traffic between interfaces with different zones is dropped. You can create exception rules
(Security Policies) to allow traffic between interfaces with different zones. The firewall zones you
have already configured will be in the list under FW Zone. Select the Firewall Zone you want to apply
to the WAN you are deploying.
Firewall Mode: Four options are available at each WAN interface:
• Allow All permits unrestricted communication in both directions. Use this option with extreme caution and only if the interface is behind a WAN edge firewall.
• Stateful allows only sessions initiated from the LAN side toward the WAN side; return traffic for those sessions is accepted and unsolicited traffic arriving from the WAN is dropped. Use this if the interface is behind a WAN edge router.
• Stateful with SNAT behaves like Stateful and additionally applies Source NAT to outgoing traffic. Use this if the interface is directly connected to the Internet and you want to enable local internet breakout.
• Harden
• For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets that terminate on an EdgeConnect appliance.
• For traffic outbound to the WAN, the appliance allows only IPSec tunnel packets and management traffic that terminate on an EdgeConnect appliance.
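To make the zone rule and the four Firewall Modes concrete, here is an added example, written for this page and not the appliance's own code, that models them and evaluates constructed packets against a constructed branch. The interface names, zone names, addresses, the Security Policy rule tuple format and the ZoneFirewall class are assumptions made for the example; management traffic under Harden is not modelled.

```python
# Added example (not the appliance's implementation): zone-based policy plus WAN-side firewall modes.
from dataclasses import dataclass, field
from typing import Optional

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IKE_PORTS = {500, 4500}   # IKE and NAT-T; together with ESP these are the IPsec tunnel packets


@dataclass(frozen=True)
class Packet:
    ingress: Optional[str]    # arriving interface; None if the appliance generated the packet
    egress: Optional[str]     # outgoing interface; None if the packet terminates on the appliance
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class ZoneFirewall:
    zones: dict               # interface -> firewall zone
    wan_mode: dict            # WAN interface -> "Allow All" | "Stateful" | "Stateful with SNAT" | "Harden"
    edgeconnect_ips: set      # tunnel endpoint addresses of this appliance and its EdgeConnect peers
    exceptions: list = field(default_factory=list)  # Security Policy rules: (from_zone, to_zone, proto|None, dport|None)
    sessions: set = field(default_factory=set)      # sessions opened from the LAN through a stateful WAN interface

    def _ipsec_to_edgeconnect(self, pkt):
        is_ipsec = pkt.proto == PROTO_ESP or (pkt.proto == PROTO_UDP and pkt.dport in IKE_PORTS)
        return is_ipsec and pkt.dst in self.edgeconnect_ips

    def _is_reply(self, pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

    def _zone_ok(self, pkt):
        if pkt.ingress is None or pkt.egress is None:
            return True                      # no zone crossing for traffic to or from the appliance itself
        src_zone, dst_zone = self.zones[pkt.ingress], self.zones[pkt.egress]
        if src_zone == dst_zone:
            return True                      # default: same zone is allowed
        return any(fz == src_zone and tz == dst_zone
                   and (p is None or p == pkt.proto)
                   and (d is None or d == pkt.dport)
                   for fz, tz, p, d in self.exceptions)

    def evaluate(self, pkt):
        """Return 'allow', 'allow-snat' or 'drop' for one packet."""
        if pkt.ingress in self.wan_mode:                     # inbound from the WAN
            mode = self.wan_mode[pkt.ingress]
            if mode == "Harden":
                return "allow" if self._ipsec_to_edgeconnect(pkt) else "drop"
            if self._is_reply(pkt):
                return "allow"                               # return traffic of a LAN-initiated session
            if mode != "Allow All":
                return "drop"                                # unsolicited WAN-initiated traffic
        if not self._zone_ok(pkt):
            return "drop"                                    # different zones and no Security Policy
        if pkt.egress in self.wan_mode:                      # outbound to the WAN
            mode = self.wan_mode[pkt.egress]
            if mode == "Harden":
                return "allow" if self._ipsec_to_edgeconnect(pkt) else "drop"
            if mode != "Allow All":
                self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if mode == "Stateful with SNAT":
                return "allow-snat"                          # source rewritten to the WAN interface address
        return "allow"


def demo_firewall():
    """Constructed branch: two LAN zones, Internet link with SNAT, MPLS link hardened."""
    return ZoneFirewall(
        zones={"lan0": "LAN", "lan1": "LAN", "lan2": "GUEST", "wan0": "INET", "wan1": "MPLS"},
        wan_mode={"wan0": "Stateful with SNAT", "wan1": "Harden"},
        edgeconnect_ips={"198.51.100.10", "203.0.113.20"},   # local wan1 address, remote peer
        exceptions=[("LAN", "INET", None, None)],            # Security Policy: LAN may use the Internet link
    )


if __name__ == "__main__":
    fw = demo_firewall()
    print(fw.evaluate(Packet("wan1", None, PROTO_ESP, "203.0.113.20", "198.51.100.10")))        # allow
    print(fw.evaluate(Packet("wan1", None, PROTO_TCP, "203.0.113.20", "198.51.100.10", 40000, 22)))  # drop
    print(fw.evaluate(Packet("lan0", "wan0", PROTO_TCP, "10.0.0.5", "93.184.216.34", 40000, 443)))   # allow-snat
    print(fw.evaluate(Packet("wan0", "lan0", PROTO_TCP, "93.184.216.34", "10.0.0.5", 443, 40000)))   # allow
```

Two things worth checking on a real profile follow from the model: an interface in Allow All mode still has the zone rule applied, so it is not a bypass of Security Policies, and a WAN link in Harden mode drops every non-IPsec packet regardless of zone, which is why the mode is the right default for an Internet-facing interface that only carries overlay tunnels.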
NAT Settings: To change the NAT setting, click the NAT-related link under the Next Hop field on the
WAN side. The NAT Settings dialog box opens.
Select one of the following options:
• If the appliance is behind a NAT-ed interface, select NAT.
• If the appliance is not behind a NAT-ed interface, select Not behind NAT.
• Enter an IP address to assign a destination IP for tunnels being built from the network to this WAN
interface.
Shaping: You can limit bandwidth selectively on each WAN interface.
• Total Outbound bandwidth is licensed by model. It is the same as max system bandwidth.
• To enter values for shaping inbound traffic (recommended), you must first select Shape Inbound
Traffic.
EdgeConnect Licensing: Only visible on EdgeConnect appliances.
• For additional bandwidth, you can purchase Plus, and then select it here for this profile.
• If you have purchased a pool of Boost for your network, you can allocate a portion of it in a
Deployment Profile. You can also direct allocations to specific types of traffic in the Business
Intent Overlays.
• To view how you have distributed Plus and Boost, navigate to the Configuration > Overlays &
Security > Licensing > Licenses tab.
• Select the licensing you have applied to your EdgeConnect appliance from the menu. Only the licenses available to your account are displayed. You can select the following licensing options:
• Mini
• Base
• Base + Plus
• 50 Mbps
• 200 Mbps
• 500 Mbps
• 1 Gbps
• 2 Gbps
• Unlimited
NOTE: You must have the correct hardware to support the license selected.
BONDING
• EdgeConnect supports etherchannel bonding of multiple physical interfaces of the same media
type into a single virtual interface. For example, wan0 plus wan1 bond to form bwan0. This
increases throughput on a very high-end appliance and/or provides interface-level redundancy.
• For bonding on a virtual appliance, you would need to configure the host instead of the appliance.
For example, on a VMware ESXi host, you would configure NIC teaming to get the equivalent of
etherchannel bonding.
• Whether you use a physical or a virtual appliance, etherchannel must also be configured on the
directly connected switch/router. Refer to Aruba SD-WAN user documentation.
Bridge Mode
Single WAN-side Router
In this deployment, the appliance is in-line between a single WAN router and a single LAN-side
switch.
Router Mode
There are four options to consider:
1 Single LAN interface & single WAN interface
2 Dual LAN interfaces & dual WAN interfaces
3 Single WAN interface sharing LAN and WAN traffic
4 Dual WAN interfaces sharing LAN and WAN traffic
For best performance, visibility, and control, Options #1 and #2 are recommended because
they use separate LAN and WAN interfaces. And when using NAT, use Options #1 or #2 to ensure
that addressing works properly.
#1 - Single LAN Interface & Single WAN Interface
#2 - Dual LAN Interfaces & Dual WAN Interfaces
This deployment redirects traffic from two LAN interfaces to two WAN interfaces on a single EdgeConnect appliance.
• 2 WAN next-hops / 2 subnets / 1 appliance
• 2 separate service providers or WAN services (MPLS, IPSec VPN, MetroEthernet, and so forth)
Out-of-path dual LAN and dual WAN interfaces
#3 - Single WAN Interface Sharing LAN and WAN Traffic
This deployment redirects traffic from a single router (or L3 switch) to a single subnet on the EdgeConnect appliance.
• This mode only supports out-of-path.
• When using two EdgeConnects at the same site, this is also the most common deployment for high availability (redundancy) and load balancing.
• For better performance, control, and visibility, Router mode Option #1 is recommended instead of this option.
#4 - Dual WAN Interfaces Sharing LAN and WAN Traffic
This deployment redirects traffic from two routers to two interfaces on a single EdgeConnect appliance.
This is also known as Dual-Homed Router Mode.
• 2 WAN next-hops / 2 subnets / 1 appliance.
• 2 separate service providers or WAN services (MPLS, IPSec VPN, MetroEthernet, and so forth).
• This mode only supports out-of-path.
• For better performance, control, and visibility, Router mode Option #2 is recommended instead of this option.
Considerations for Router Mode Deployments
• Do you want your traffic to be in-path or out-of-path? This mode supports both deployments. In-
path deployment offers much simpler configuration.
• Does your router support VRRP, WCCP, or PBR? If so, you might want to consider out-of-path
Router mode deployment. You can set up more complex configurations, which offer load
balancing and high availability.
• Are you planning to use host routes on the server/end station?
• In the rare case when you need to send inbound WAN traffic to a router other than the WAN next
hop router, use LAN-side routes.
Examine the Need for Traffic Redirection
Whenever you place an appliance out-of-path, you must redirect traffic from the client to the
appliance.
There are three methods for redirecting outbound packets from the client to the appliance
(known as LAN-side redirection, or outbound redirection):
• PBR (Policy-Based Routing) – Configured on the router. No other special configuration required
on the appliance. This is also known as FBR (Filter-Based Forwarding).
If you want to deploy two EdgeConnects at the site for redundancy or load balancing, you also
need to use VRRP (Virtual Router Redundancy Protocol).
• WCCP (Web Cache Communication Protocol) – Configured on both the router and the
EdgeConnect appliance. You can also use WCCP for redundancy and load balancing.
• Host routing – The server/end station has a default or subnet-based static route that points to
the EdgeConnect appliance as its next hop. Host routing is the preferred method when a virtual
appliance is using a single interface, mgmt0, for datapath traffic (also known as Server Mode).
To ensure end-to-end connectivity in case of appliance failure, consider using VRRP between the
appliance and a router, or the appliance and another redundant EdgeConnect.
How you plan to optimize traffic also affects whether you also need inbound redirection from the
WAN router (known as WAN-side redirection):
• If you use subnet sharing (which relies on advertising local subnets between EdgeConnect
appliances) or route policies (which specify destination IP addresses), you only need LAN-side
redirection.
• If, instead, you rely on TCP-based or IP-based auto-optimization (which relies on initial
handshaking outside a tunnel), you must also set up inbound and outbound redirection on the
WAN router.
• For TCP flows to be optimized, both directions must travel through the same client and server
appliances. If the TCP flows are asymmetric, you need to configure flow redirection among local
appliances.
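The asymmetry condition above (the SYN seen by one local appliance and the SYN-ACK by another) can be checked from flow records before enabling flow redirection. The following is an added example written for this page, not appliance output or appliance code: the record format, the appliance names and the sample records are all constructed, and the logic only looks at the TCP handshake, which is what identifies which side initiated the flow.

```python
# Added example (not the appliance's implementation): find TCP flows whose two
# directions were seen on different local EdgeConnect appliances.
from collections import defaultdict

# Constructed sample records in an assumed format, one TCP segment per line:
# appliance,src,sport,dst,dport,tcp_flags   (S = SYN, SA = SYN-ACK)
SAMPLE_RECORDS = """\
ec-site-a-1,10.1.0.10,51000,10.2.0.20,443,S
ec-site-a-1,10.2.0.20,443,10.1.0.10,51000,SA
ec-site-a-2,10.1.0.11,51001,10.2.0.20,443,S
ec-site-a-1,10.2.0.20,443,10.1.0.11,51001,SA
ec-site-a-1,10.1.0.12,51002,10.2.0.21,22,S
"""


def flow_key(src, sport, dst, dport):
    """Direction-independent key so a SYN and its SYN-ACK land on the same flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def find_asymmetric_flows(records):
    """Group handshake segments by flow and report the ones split across appliances.

    Returns (asymmetric, incomplete): asymmetric is a list of
    (flow_key, appliance_that_saw_SYN, appliance_that_saw_SYN_ACK); incomplete
    lists flows where only one half of the handshake was observed locally.
    """
    seen = defaultdict(dict)
    for line in records.strip().splitlines():
        appliance, src, sport, dst, dport, flags = line.split(",")
        if flags not in ("S", "SA"):
            continue                      # only the handshake tells us who initiated the flow
        seen[flow_key(src, int(sport), dst, int(dport))][flags] = appliance
    asymmetric, incomplete = [], []
    for key, halves in seen.items():
        if "S" in halves and "SA" in halves:
            if halves["S"] != halves["SA"]:
                asymmetric.append((key, halves["S"], halves["SA"]))
        else:
            incomplete.append(key)
    return asymmetric, incomplete


if __name__ == "__main__":
    asym, inc = find_asymmetric_flows(SAMPLE_RECORDS)
    for key, syn_on, synack_on in asym:
        print("asymmetric: %s SYN on %s, SYN-ACK on %s -> needs flow redirection" % (key, syn_on, synack_on))
    for key in inc:
        print("handshake half missing locally:", key)
```

A flow in the asymmetric list is one that cannot be optimized until flow redirection between the local appliances is configured. A flow with only a SYN and no SYN-ACK seen on any local appliance is worth checking separately, since with auto-optimization it can mean the return path is not being redirected from the WAN router at all.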
A tunnel must exist before auto-optimization can proceed. There are three options for tunnel creation:
• If you enable auto-tunnel, the initial TCP-based or IP-based handshaking creates the tunnel.
This means that the appropriate LAN-side and WAN-side redirection must be in place.
• You can allow the Initial Configuration Wizard to create the tunnel to the remote appliance.
• You can create a tunnel manually on the Configuration > Networking > Tunnels > Tunnels page.
Server Mode
This mode uses the mgmt0 interface for management and datapath traffic.
© Copyright 2024 Hewlett Packard Enterprise Development LP.
To view the end-user software agreement, go to HPE Aruba Networking EULA.
Open Source Code:
This product includes code licensed under certain open source licenses which require source compliance. The corresponding source for these components is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, please check if the code is available in the HPE Software Center at https://myenterpriselicense.hpe.com/cwp-ui/software but, if not, send a written request for the specific software version and product for which you want the open source code. Along with the request, please send a check or money order in the amount of US $10.00 to:
Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America