DST 9.4 Lab Guide v1.3


INSTRUCTOR VERSION

Deploying SD-WAN Technologies 9.4


(DST 9.4)

Lab Guide
Version 1.2 – June 2024

DST 9.4. Lab Guide v1.2 – May 2024 page 1 of 144



Deploying SD-WAN Technologies (DST) Lab Guide


Based on Orchestrator 9.4.2 and ECOS 9.4.2.0

Date: June 2024


© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained
herein is subject to change without notice.

Warranties and Disclaimers


The only warranties for Hewlett Packard Enterprise products and services are set forth in the
express warranty statements accompanying such products and services. Nothing herein
should be construed as constituting an additional warranty. Valid license from Hewlett
Packard Enterprise required for possession, use, or copying of confidential computer
software. Consistent with FAR 12.211 and 12.212, Commercial Computer Software,
Computer Software Documentation, and Technical Data for Commercial Items are licensed to
the U.S. Government under vendor's standard commercial license. Hewlett Packard
Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Acknowledgements
Links to third-party websites take you outside the Hewlett Packard Enterprise website.
Hewlett Packard Enterprise has no control over and is not responsible for information outside
the Hewlett Packard Enterprise website.

To view the end-user software license agreement, go to: HPE Aruba Networking EULA

Hewlett Packard Enterprise Company


Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Road
Spring, TX 77389
United States of America

For more training, visit:


https://inter.viewcentral.com/events/cust/cust_tracks.aspx?company_login_id=aruba&pid=1&track_id=43


Table of Contents
Hands-on Labs - (eLearning Students Only)
Lab 1: Access Remote Lab
Lab 2: Configure Orchestrator Networking
Lab 3: Configure Orchestrator Getting Started Wizard
Lab 4: Configure Essential Orchestrator Features
Lab 5: Run the Initial Config Wizard
Lab 6: Approve an Appliance from the Orchestrator
Lab 7: Configure Deployment Profiles
Lab 8: Configure Additional Appliances
Lab 9: Approve Additional Appliances
Lab 10: Configure EdgeConnect HA
Lab 11: Deploy an Appliance Using Zero Touch Configuration
Lab 12: Configure Traditional HA
Lab 13: Modify Business Intent Overlays
Lab 14: Monitor Flows
Lab 15: Run a Report
Appendix A: Solutions to Common Issues
Appendix B: Getting Support
Appendix C: Summary of Orchestrator and EC-V Appliances
Appendix D: User IDs and Passwords Lab Access Code
Appendix E: DST Lab Topology


Hands-on Labs - (eLearning Students Only)


This section is for eLearning Students Only. It explains the process to obtain a lab voucher and
access the lab environment used in this class.

INSTRUCTOR-LED Students
Skip blue pages, go directly to Lab 1

Important Considerations for Obtaining Lab Vouchers


Do not obtain a lab voucher unless you have dedicated time to complete the labs.
• After redeeming a lab voucher, a 24-hour timer starts. Access to the lab expires when the
24-hour timer runs out.
• On average it takes 4-5 hours to complete the labs in Part A or Part B.
• Labs must be completed within their 24-hour activation window.
• Additional lab vouchers can be requested using the process outlined on the following pages.
Do not order multiple vouchers at the same time. Order each voucher one at a time when you
have time to complete the labs.

Lab Support
SASE Training Support
• Support for issues with the lab, the lab guide, and the Orchestrator and EC-V virtual machines.
Examples: appliance not registered, tunnel(s) down, connections not forming, etc.
• SASE training support is available Monday-Friday, 9:00 AM-5:00 PM US/Pacific. Emails sent
to the SASE training team outside of these hours will receive responses the following business
day.
• For help, send an email to SASE-Training@hpe.com. Include the following in your email:
1. Lab number and title
2. Your lab access code
3. Page number, task number, and step number in the lab guide
4. Brief description of the issue and a screenshot

ReadyTech Support
• Support for lab environment issues – inability to login to lab desktop, problems with
applications on the lab desktop, the lab freezing, etc.
• ReadyTech support is available 24x7.
• For help, send an email to get-support@readytech.com. You can also contact ReadyTech
support using the chat option in the support menu. The ReadyTech support team does not
have knowledge of the labs or lab guide and only supports the remote lab environment.

Note that solutions to common lab issues are in Appendix A at the end of the lab guide.


Materials
You will use this guide for every lab in the course. Unless you have multiple monitors, it can be
inconvenient to use the PDF to complete the labs. Therefore, it can be useful to print this lab guide.
Printing the lab guide will allow you to keep the lab on your screen while you follow instructions and
take notes on the printed copy.
We have found that if you only have a single screen and don’t print this manual, labs can take 30%
longer to complete, and students make 50% more errors because they are constantly switching back
and forth between the manual and the lab environment.

Lab Environment
Labs for this course are implemented in the ReadyTech hosted training environment.

IMPORTANT NOTE:
In order to access the lab, follow the process in the video "Hands on Lab - Part A" to request
a lab voucher through the purchase portal. There is a link in the video you click to
acknowledge that you understand the process and request a lab voucher.

DO NOT REQUEST MORE THAN ONE VOUCHER!


Task 1: Click the link in the video to acknowledge and request a voucher
1. Click the link on the video screen to go to the lab purchase portal.

2. You will be taken directly to Deploying SD-WAN Technologies v9.4 – PART A (Catalog ID: DST v9.4 – PART A).

3. Click Add to cart.

4. Click Check out.

5. Fill in your contact information using the same name and email that you used to register for the course.


6. Then click Next.

Note: A correct email address is required for you to receive your voucher.

Fill in your correct first and last name.
Fill in your company name.
Fill in the Email you used to register for this course on the HPE Aruba Networking training portal.
If this is incorrect it can make it difficult for you to get support if needed.

5. Click Next

6. Click the acknowledgement check box.

HPE Aruba Networking will be billed. Your cost is $0.00.

7. Click Place order.

8. A Purchase confirmation will be displayed.

Close the window.


Task 2: Redeem the Lab Voucher


Check your email. Find and open the email containing your voucher information.

11. When you are ready to start the lab, click Redeem Now.

You will be taken to the training lab environment.

12. Make sure to select your local time zone.

13. Click Redeem.

14. Fill in your personal information - Input the Email you used to register for this
course in the HPE Aruba Networking training portal.
15. If this is incorrect it can make it difficult for you to get support if needed.

DO NOT ENABLE PASSWORD PROTECTION!


15. Check the consent box in the lower left

16. Click OK to activate the code.

You should now be in the ReadyTech Self-Paced Training Portal.

17. Watch the Getting Started Video for a detailed description of features of the lab environment.

18. When the video launches, click the icon in the lower right to watch it in full-screen mode.

19. Close the video when you are done.


20. Select Lab on the top menu.


When you are ready to begin, click Start lab now.

You will have one day—24 hours—of access time beginning when you click ‘Start the
lab’. If you do not start the lab within a few hours, you will not have time to complete
it. All EdgeConnect labs are designed to be completed within 4-5 hours.

21. Click Start now.

Note: Although the message says it may take up to 150 minutes to start, your wait should only be
5-10 minutes as servers are deployed from a hot standby pool.

However: If demand is high and all machines in the pool have been deployed, you may have to wait
the full length of time for your lab to fully deploy.

An Action in progress message will display.


22. Click Close.

An Action result message will display.

23. Click Close.

The Status display should change to Up when the lab is loaded and deployed. If it does not change
to Up within 15 minutes, there is probably a fresh server loading from scratch, and it might be a
couple of hours until it changes to Up. You may see an interim status of Partially Up. If it has not
changed to Up within 2 ½ hours, contact ReadyTech support.

Note: The display of ‘Up’ does not necessarily mean the lab is fully deployed. It simply means
that login is possible. In a later step we will check to make sure all the virtual machines
required to complete the lab are fully deployed.

Do not click “Click here to connect”. Instructions to connect to the lab environment are in
the next lab.


Lab 1: Access Remote Lab


Overview
The purpose of this lab is to access the Windows VM Desktop to start all services and to
familiarize you with the lab environment.
Estimated time = 20 minutes

Objectives

• Access the ReadyTech lab.

• Verify the deployment of 16 virtual machines.

Task 1: Connect to the Landing Desktop


eLearning Students: Your lab portal and voucher should have been obtained in
the blue pages above. So, proceed to Step #2.

1. MS Teams (Instructor-Led) Students ONLY

a. <ctrl>+Click the following link to go to the lab training portal: https://silverpeak.instructorled.training

b. Your instructor will paste your lab code in the MS Teams Chat

2. Select a language.

3. Copy/paste or manually enter your lab access code into the Access code field.

4. Click Log In

DO NOT set a password for accessing the lab! It is unnecessary in this environment and will
delay access if you need support.


5. Enter your first and last name in the Access code activation window.

6. Then click to consent to Ready Tech policies in the lower left corner.

7. Click OK.

8. Click the Lab tab in the blue menu bar at the top of the Ready Tech window.

9. From the ReadyTech Lab tab, verify that the lab’s status is Up. If the status isn’t Up…

a. eLearning Students – Access ReadyTech Support via Chat or email get-support@readytech.com
(chat support is very responsive).
OR

b. MS Teams (Instructor-Led) Students ONLY – Notify your instructor

10. Verify that the ReadyTech Viewer (HTML) is selected in the drop-down list. If another
option is present, change it to the ReadyTech Viewer HTML.

11. Click the login box to Connect to the lab in the Remote desktop section.

12. You may be automatically logged into the Landing Desktop. If not, enter the following
password for the Administrator account:

a. Password: Speak-123

13. From the ReadyTech lab’s Desktop menu, choose the view option that is best for your
display. If you need to exit full-screen mode, enter ESC.


Task 2: Verify the Deployment of 16 Virtual Machines

• The first time you open a webpage for VMware ESXi, the Orchestrator, or an
EdgeConnect Enterprise appliance during this course, you need to repeat steps 14 - 16
below.

• Note: There are bookmarks for all tabs you need to access in the Google Chrome
browser bookmarks bar.

14. Open Google Chrome from the Landing Desktop. If it opens, close the “What’s new
with Chrome” browser tab.

15. On the Your connection is not private window, click Advanced.

16. Click Proceed to esxihost (unsafe). Google Chrome opens the VMware ESXi tab.

• If you see any pop-up warning messages about the configured guest OS in VMware ESXi,
you can close or dismiss them.

17. Log in to VMware ESXi with these credentials:

a. Username: admin

b. Password: Speak-123

• If you’re unable to log in to VMware ESXi, click Google Chrome’s refresh button on
the Landing Desktop or close / re-open the browser tab and then try again.

18. If necessary, click Navigator on the left to expand the ESXi configuration menu.

19. Click Virtual Machines. The list should contain 16 virtual machines (VM).

20. Verify that each VM has a green, powered-on icon next to it. If any of the VMs aren’t
powered on, follow the instructions in Appendix A, Issue #2 to reboot the appliance – or
notify your instructor.


Task 3: Written Instructions and Screenshots

• As you work with this student guide, be sure to follow all of the written instructions.
Screenshots provide additional context and are not a replacement for the written
instructions. In the event that an image differs from written instructions, always follow the
written instructions. As you follow the steps in a task, be aware that additional information
might be on the next page.


Lab 2: Configure Orchestrator Networking


Overview
The first step in creating your EdgeConnect SD-WAN is to set up the initial network
configurations via the command line of the Orchestrator so it can be registered with the Cloud
Portal. This initial configuration is used to set a static IP address, mask, default gateway,
NTP, and DNS server addresses and the hostname.
Estimated time = 30 minutes

Objectives

• Access the Orchestrator’s command line.

• Configure new Linux root and admin account passwords.

• Configure Orchestrator networking information with the orch-setup utility.

Instructions
Task 1: Configure New Linux Root and Admin Account Passwords

• If you need to enter commands in a VMware console window, and it displays incorrect
characters, you can find instructions on non-US keyboard setup and using the on-screen
keyboard in Appendix A, Issue #3.

1. In VMware ESXi, click Virtual Machines in the Navigator pane.

2. Right-click the Orchestrator VM, hover over Console, and then click
Open console in new tab or Open console in new window.


3. Log in to Orchestrator with these Linux admin account credentials:

a. User: admin

b. Password: admin

Caution: In the following steps, ensure that you use the password Speak-123 for
the Linux admin and root accounts. Otherwise, you can accidentally lock yourself
out of Orchestrator. We cannot perform password recovery for Orchestrator in the
ReadyTech environment.

4. You will be prompted to enter a new password for the Linux admin account. Enter the admin
password Speak-123.

5. Carefully enter the password confirmation Speak-123. The password and confirmation must
match.

6. Orchestrator prompts you to enter a new password for the Linux root account. Enter the
password Speak-123.

7. Carefully enter the password confirmation Speak-123. The password and confirmation must
match.

8. After you enter the new passwords, Orchestrator displays the message Successfully
updated passwords.


Task 2: Perform Initial Configuration with the orch-setup Utility


9. Enter /home/gms/gms/orch-setup -c at the admin prompt to start the utility.

10. Enter Speak-123 for the Sudo password for admin.

11. Enter these options for the orch-setup utility:

a. Timezone: n (lowercase)

b. NTP server: y (lowercase)

c. NTP server (IP/name): 192.168.1.151

d. Change network configuration and hostname via GUI: n (lowercase)

e. Change Orchestrator hostname: n (lowercase)

f. Change IP address: y (lowercase)

g. IP address: 192.168.1.254

h. Netmask: 255.255.255.0

i. Gateway: 192.168.1.253

j. Change DNS servers: y (lowercase)

k. DNS Server 1: 8.8.8.8

l. DNS Server 2: Leave blank. Press the Enter key.

m. Optional configuration items: Leave blank. Press the Enter key.

None of the 7 optional items displayed after the DNS settings will be configured.
Press <enter> and you will be returned to the Orchestrator prompt.


12. Type exit at the Orchestrator prompt.

13. Close the Orchestrator console tab.

Task 3: Verify the Orchestrator’s IP Address


14. In VMware ESXi, click Virtual Machines in the Navigator pane.

15. You may need to click the VMware ESXi refresh button to see the IP address change on the
Orchestrator.

16. In the list of virtual machines, verify the IP address for the Orchestrator is 192.168.1.254.

• If the status of a VM is Warning, click refresh above the list of virtual machines. The
status should change to Normal. This is only a cosmetic issue. Any yellow warning
alarms for VMs in the ESXi host may be ignored.

Learning Check
Answer the following questions:

1) What is the first step for setting up your EdgeConnect SD-WAN?


You must install an Orchestrator.

2) From where do you access the Orchestrator console?


From the Virtual Machine host – VMWare ESXi host in our lab.

3) What is the difference between the Linux admin and root passwords and the Orchestrator
admin password?
Linux passwords are used for the OS running on the VM; Orchestrator password is used to access the GMS application.

4) What is configured while using the orch-setup utility?


Static IP addressing features and hostname are set using orch-setup.

Instructor:
• Cancel unused lab codes before the first 3 hours of class have passed.


Lab 3: Configure Orchestrator Getting Started Wizard

Overview
From the web interface, you will complete the Getting Started Wizard to register the
Orchestrator with the Cloud Portal and to configure an email server and a backup server.
The Orchestrator must be registered when appliances are deployed so they can receive their
configurations and synchronize with all other appliances.
Estimated time = 20 minutes

Objectives

• Complete the Getting Started Wizard.

• Configure the Orchestrator to use an email server.

• Configure the Orchestrator to use a backup server.

• Register the Orchestrator with the Cloud Portal.

Instructions
Task 1: Generate an Account Name and Account Key for the
Orchestrator and EdgeConnect Virtual Appliances
1. On the Landing Desktop’s desktop, click the DST Lab Files shortcut.

2. Open the Lab - License Orchestrator shortcut. This script generates a License.txt file and
saves it on the Landing Desktop. The file contains the account name and account key you use
to register the Orchestrator and EC-V appliances with the Cloud Portal. All use the same
account name and account key.

3. Close the File Explorer window.

4. Leave the License.txt file open. You will use it later when deploying the appliances.
The file is saved on the desktop. If you close the License.txt file, click the License.txt
icon on the Landing Desktop’s desktop.


5. In Google Chrome, click the second tab to access the Orchestrator UI, which should
already be open. You may need to refresh the webpage to connect to the
Orchestrator. There is also a bookmark for the Orchestrator in the browser’s
bookmark bar. Alternatively, you can enter https://192.168.1.254 into the address
bar.

• When you connect to the Orchestrator, EdgeConnects or VMware ESXi host, you may
use the bookmarks in the Chrome browser. There are two bookmark folders for the
EdgeConnects – one contains the initial DHCP addresses and the other contains the
static addresses that you will configure after fully deploying each appliance. If you don’t
use a bookmark and instead manually enter the URL to reach one of the lab devices in the
Chrome browser, you must use https:// (http:// will not work).

6. Click Advanced if the “Your connection is not private” window appears, and then
click Proceed to 192.168.1.254 (unsafe).

Task 2: Log in to Orchestrator


7. Log in to the Orchestrator with these credentials:

a. User Name: admin

b. Password: admin

8. Click Login.

9. Click Agree to accept the End User License Agreement.

10. Enter a new password for the Orchestrator admin account:

a. Password: Speak-123

b. Confirmation: Speak-123

11. Click Save Password.

12. You will be required to login again using the new password (admin / Speak-123).

13. If Orchestrator notifications appear in the upper-right corner (e.g. Generate New Key
Now), click Close, Dismiss, or Don’t Show Again.


Task 3: Complete the Orchestrator’s Getting Started Wizard


Caution: During the DST labs, if some screens or web interface elements such as a
Save or Apply button do not appear in the viewable area of the Landing Desktop,
modify the zoom level of its Google Chrome web browser. Press CTRL + to zoom in.
Press CTRL - to zoom out. Press CTRL + 0 to restore the zoom level to 100%.

Licensing Information

14. Click on EdgeConnect under Select Products on the License and Registration tab.

15. Copy the account name from the License.txt file, and then paste it into the Account Name field.

16. Copy the account key from the License.txt file, and then paste it into the Account Key field.

17. Minimize the License.txt file.

18. Click Next on the License and Registration window.

• If you do not see the Next button, you need to decrease the zoom on the Landing Desktop’s
Chrome browser.


Email Settings

19. Enter these email server settings on the Email window:

a. Enable SSL: Not selected

b. Enable Authentication: Selected

c. SMTP Server: 192.168.1.200

d. SMTP User: student@training.local

e. Email Sender: student@training.local

f. SMTP Password: Speak-123

g. Server Port: 25

h. Require Email Verification: Not selected

i. Send a Test Email to: student@training.local

j. Email Alarms to: student@training.local

20. Click Test to the right of the “Send a Test Email to” field.
You should see this message at the bottom of the screen.
If the test isn’t successful, verify the settings. Everything is visible except the
password. When in doubt, delete the password and carefully re-enter it.

Note that it can take a minute or so for the email test to complete.

21. Click Next on the Email window.


Backup Settings

22. Enter these backup server settings on the Backup tab:

a. Protocol: FTP

b. Hostname: 192.168.1.200

c. Username: anonymous

d. Password: Speak-123

e. Directory: /GMS

f. Port: 21

g. Max backups to retain: 3

23. Click Test to define the Max backups to retain. If the test is successful, Orchestrator
shows a success message. If the test is not successful, verify the settings. If
everything looks correct, delete and re-enter the password.

24. Click Add next to the Schedule field.


25. Select these backup schedule settings:

a. Frequency: Weekly

b. Day: Saturday

c. Time: 08:00

d. Date: Current date

26. Click OK.

27. Click Apply to complete the Getting Started Wizard.

28. Click Close on the Wizard Configuration Summary window.
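
The Email and Backup values entered in this task, checked for cleartext transport, as an added example that is not part of the lab guide or of Orchestrator: with Enable SSL cleared and authentication selected, and with FTP as the backup protocol, the passwords and the backup contents cross the lab network unencrypted. The class and function names and the second, hardened set of values are assumptions made for illustration; check which options your Orchestrator version offers.

```python
"""Added example: flag cleartext transport in the wizard's Email and Backup settings."""
from dataclasses import dataclass

# Generic protocol facts (assumption: not a list of what Orchestrator offers).
CLEARTEXT_TRANSFER = {"FTP", "HTTP", "TFTP"}
SHARED_LOGINS = {"anonymous", "ftp"}


@dataclass
class EmailSettings:          # hypothetical container for the Email window
    smtp_server: str
    server_port: int
    enable_ssl: bool
    enable_authentication: bool
    smtp_user: str


@dataclass
class BackupSettings:         # hypothetical container for the Backup tab
    protocol: str
    hostname: str
    port: int
    username: str


def audit_email(s):
    """Return (severity, message) findings for the email settings."""
    findings = []
    if not s.enable_ssl:
        if s.enable_authentication:
            findings.append(("HIGH",
                f"SMTP authentication to {s.smtp_server}:{s.server_port} without SSL: "
                f"the password for {s.smtp_user} is readable on the wire"))
        findings.append(("MEDIUM",
            "alarm and report emails leave Orchestrator unencrypted"))
    return findings


def audit_backup(s):
    """Return (severity, message) findings for the backup settings."""
    findings = []
    if s.protocol.upper() in CLEARTEXT_TRANSFER:
        findings.append(("HIGH",
            f"{s.protocol} to {s.hostname}:{s.port} sends the login and the backup, "
            "which holds every EdgeConnect config, unencrypted"))
    if s.username.lower() in SHARED_LOGINS:
        findings.append(("MEDIUM",
            f"backups are written with the shared login '{s.username}', "
            "so writes cannot be attributed to one account"))
    return findings


def audit(email, backup):
    """Combine the findings for both wizard pages."""
    return audit_email(email) + audit_backup(backup)


# Values taken from the lab steps in this task.
LAB_EMAIL = EmailSettings("192.168.1.200", 25, False, True, "student@training.local")
LAB_BACKUP = BackupSettings("FTP", "192.168.1.200", 21, "anonymous")

# Constructed values for comparison only (ports, protocol and account name are assumptions).
HARDENED_EMAIL = EmailSettings("192.168.1.200", 465, True, True, "student@training.local")
HARDENED_BACKUP = BackupSettings("SFTP", "192.168.1.200", 22, "orch-backup")


if __name__ == "__main__":
    for label, email, backup in (("lab", LAB_EMAIL, LAB_BACKUP),
                                 ("hardened", HARDENED_EMAIL, HARDENED_BACKUP)):
        findings = audit(email, backup)
        print(f"{label}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```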

Task 4: Turn Off New Software Release Notifications

• You turn off this setting for the DST labs to prevent numerous software release notification
pop-ups from opening in Orchestrator. You will not be upgrading the software in this lab.
In a production SD-WAN, you don’t need to turn off this Orchestrator setting.

29. From Orchestrator, click Orchestrator → Software & Setup → Setup → Advanced Properties.

30. From the Advanced Properties tab, enter software in the Search field.

31. Change the property value of newSoftwareReleasesNotification to false.

32. Click Apply.

Task 5: Dismiss Pop-up Notifications


33. If any notifications appear in the upper-right corner of Orchestrator, click Don’t show
again or Dismiss.

• You might need to dismiss new software release notifications if they appeared before you
changed the setting to false. After you do this, additional new software release
notifications won’t appear.


Task 6: Verify the Registration Status of the Orchestrator


34. Verify the Orchestrator’s Cloud Portal registration status. Click Orchestrator →
Orchestrator Server → Licensing → Cloud Portal. If the status for Registered is
Yes, the account name and the account key matched a Cloud Portal database
entry for your temporary student account.

35. Click Close on the Cloud Portal window.

• If you click on the blue padlock at the end of the Account Key field, you will see all of the
characters in plain text.

• Note: You can copy the account name and key from the Cloud Portal tab on the
Orchestrator and paste into an appliance if necessary.

Learning Check
Answer the following questions:

1) What IP address do you use to access the Orchestrator web interface?


The static IP address that was configured in the orch-setup.

2) What is the purpose of the email server?


Orchestrator uses it to send emails for alarms and reports.

3) What is the purpose of the backup server?


Orchestrator backs up its configuration to the backup server. The Orchestrator backup also contains every EdgeConnect config.

4) If you cannot locate the License.txt file, where can you find the account name and key?
Account info can be found on the Orchestrator’s Cloud Portal tab – or on any deployed appliance.


Lab 4: Configure Essential Orchestrator Features

Overview
You will configure groups in the Orchestrator’s appliance tree to organize the EdgeConnect
appliances it will manage. These groups are administrative entities used to logically organize
the appliances and do not affect how tunnels get built.
You will edit an existing WAN label and create a new LAN label on the Orchestrator and then
apply these labels in the Deployment Profiles in the next lab. LAN interface labels can be
used as Overlay ACL match criteria. Underlay tunnels will be built between appliances using
interfaces that are configured with the same WAN interface label.
You will also configure templates in a template group on the Orchestrator. Template Groups
are a configuration mechanism used to configure many settings for EdgeConnect appliances,
and then simultaneously apply those settings to multiple appliances. Each template group
contains active templates you select and configure from a list of available templates.
Estimated time = 20 minutes

Objectives

• Create groups in the Orchestrator.

• Create and edit interface labels in the Orchestrator.

• Edit which Active Templates are in the Default Template Group.

• Configure the Active Templates in the Default Template Group.

Instructions
Task 1: Rename Group 1 to Site 1 - Singapore

• The Orchestrator’s appliance tree is located in the left margin of the Orchestrator UI. You
can edit an existing group, create new groups and sub-groups under an existing group.

1. From Orchestrator’s Appliance Tree, right-click Group 1, and then click Rename.

2. Enter the group name Site 1 - Singapore.

3. Click OK.


Task 2: Create Two Additional Groups


4. Right-click 0 Appliances in Orchestrator’s tree view, and then click Add Group.

5. Enter the group name Site 2 - Mumbai.

6. Click OK.

7. Repeat steps 4-6 to create the Site 3 - Santa Clara group.

• The syntax used to create the Site 3 group name must match exactly what is used in the
preconfiguration file to deploy ECV-5 in Lab 11 or an error will occur. Note that there is a
space before and after the dash between “3” and “Santa Clara”: Site 3 - Santa Clara.

• The student guide provides detailed instructions for each task. If something doesn’t function
as expected, double-check the instructions to determine if a mistake or omission was made.

• Orchestrator’s Appliance Tree should now look like this image.
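
A check for the exact-match requirement on the Site 3 group name, as an added example that is not part of the lab guide or of Orchestrator: a hyphen typed into Orchestrator and an en dash pasted from a formatted document look the same on screen but do not compare equal. The function names are hypothetical, and the preconfiguration value is treated as a plain string because the file format is not shown here.

```python
"""Added example: explain why two group names that look alike do not match."""
import unicodedata

MINUS_SIGN = "\u2212"  # Unicode category Sm, but visually a dash


def describe(ch):
    """Code point and Unicode name of one character."""
    return f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"


def fold(name):
    """Fold lookalikes: any Unicode dash -> '-', any space separator -> ' ',
    then collapse runs of whitespace and trim both ends."""
    folded = []
    for ch in unicodedata.normalize("NFKC", name):
        category = unicodedata.category(ch)
        if category == "Pd" or ch == MINUS_SIGN:
            folded.append("-")
        elif category == "Zs":
            folded.append(" ")
        else:
            folded.append(ch)
    return " ".join("".join(folded).split())


def first_difference(a, b):
    """Return (index, char_in_a, char_in_b) for the first mismatch, or None."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i, describe(x), describe(y)
    if len(a) != len(b):
        i = min(len(a), len(b))
        in_a = describe(a[i]) if len(a) > i else "end of name"
        in_b = describe(b[i]) if len(b) > i else "end of name"
        return i, in_a, in_b
    return None


def check_group_name(orchestrator_name, preconfig_name):
    """Classify the pair as 'match', 'lookalike' (differs only by dash or
    spacing variants) or 'different', with the first differing position."""
    difference = first_difference(orchestrator_name, preconfig_name)
    if difference is None:
        return {"verdict": "match", "difference": None}
    same_when_folded = fold(orchestrator_name) == fold(preconfig_name)
    verdict = "lookalike" if same_when_folded else "different"
    return {"verdict": verdict, "difference": difference}


if __name__ == "__main__":
    expected = "Site 3 - Santa Clara"          # name used in the lab steps
    candidates = [                              # constructed sample inputs
        "Site 3 - Santa Clara",
        "Site 3 \u2013 Santa Clara",            # en dash instead of hyphen
        "Site 3 -Santa Clara",                  # missing space after the dash
        "Site 3 - Santa Clara ",                # trailing space
    ]
    for name in candidates:
        print(repr(name), check_group_name(name, expected))
```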

Task 3: Modify a WAN Interface Label


8. Open Orchestrator’s Interface Labels tab (Configuration → Overlays & Security → Interface
Labels). You can quickly find any menu item with Orchestrator’s Search Menu function.

Caution: Don’t delete any of the preconfigured interface labels, because you will
use them when deploying the appliances.

• Orchestrator comes with preconfigured LAN and WAN interface labels. The LTE (Hub &
Spoke) label’s topology in the BIOs indicates that regardless of an overlay’s topology, the
WAN interface with this label only establishes an underlay to a hub appliance. In this lab,
you will change this setting to make cross-connect underlays to INET1 interfaces possible
in Mesh topologies. Both LTE and INET1 interfaces are in cross-connect group 1. This is
what allows these unlike labels to create underlay tunnels. You cannot cross-connect
public connections (e.g. broadband & LTE) to private connections (MPLS).

9. Click the edit icon for the LTE (Hub & Spoke) WAN interface label.

10. Click the Topology drop-down list, and then click any.


Task 4: Create a LAN Interface Label


11. Click New Label.

12. Click lan.

13. Enter GuestWiFi as the LAN interface label’s name.

14. Click Save.

15. Verify the GuestWiFi LAN interface label is in the list.

16. Click Save on the Interface Labels window.

17. Close the Interface Labels tab.

Task 5: Configure the Default Template Group

Note: During this lab, you will choose which templates to include in the Default Template Group.
This allows you to configure these settings once, and then simultaneously apply them to
all of the appliances. This reduces the risk of incorrectly configuring settings and saves
time.

18. In Orchestrator, open the Templates tab. (Configuration > Templates & Policies > Templates)

19. Click Show All to display the Available Templates column.

See the important note below if the Available Templates list is blank.


Why don’t I see the list of Available Templates?


It is possible that a blank grey box will display instead of the list of Available
Templates. This is a display issue that can occur on some computers.

a. The solution is to go to the Google Chrome browser on the lab’s Landing Desktop and
zoom out. The list of templates usually appears when you zoom out to 50% or less.

b. However, at this point, the template names appear but are too small to read. To be able
to read them, go to the web browser on your PC – the one you are using to access the lab
website – and zoom in.

c. After you have dragged all templates to their appropriate columns, you may reset the
zoom settings on both web browsers and resume configuring the Active Templates.

The lab guide says to click “Save” or “Apply”, but I don’t see the button…

This is also a display issue. The save button (or any button you need to click) is there, it
is just off-screen and there is no way to scroll down to get to it. Zoom out on the
Landing Desktop’s Chrome browser and the buttons on the lower portion of the screen
will become accessible.


20. Click and drag these templates from the Active Templates column to the Available
Templates column to remove them from the Default Template Group:

a. SNMP

b. Admin Distance

c. Routes

d. Shaper

21. Click and drag the User Management template from the Available Templates
column to the Active Templates column.

22. Verify these templates are in the Active Templates column:

a. DNS

b. Date/Time

c. User Management

d. Management Services

e. Session Management

23. Click Hide to remove the Available Templates column from view.

Task 6: Configure the Active Templates

Note: The DNS and Management Services templates already have the necessary
settings.

24. Click the Date/Time template.

a. Click the X to the right of the pre-configured NTP server to delete it.

b. If not already selected, click NTP Time Synchronization.

c. Click Add.


d. Configure the new time server with these settings:

• Server: 192.168.1.151

• Version: 3 (This is the NTP server version in the lab)

• Time Zone: US/Pacific

25. Click the User Management template.

a. Click the Password field of the admin EdgeConnect user account.

b. Enter the password Speak-123.

c. Click the Confirm Password field of the admin EdgeConnect user account.

d. Enter the password Speak-123.

26. Click the Session Management template.

a. Configure Auto Logout to 60 minutes.

27. Click Save below the Active Templates field to save these changes to the Default
Template Group.

28. Click Save Template Changes on the Save Template Changes window.

29. Close the Templates tab.


Task 7: Disable Orchestrator SSL Cert Check


Since we are not using the Orchestrator SSL Cert Check feature with the appliances in
this lab, the Verify Orchestrator and Stats Collector Certificates check must be
disabled on the Advanced Security tab in the Orchestrator. In the real world, you
would typically install valid certs issued by a legitimate certificate authority.

30. On the Orchestrator, go to Configuration > Overlays & Security > Security > Advanced
Security Settings.

31. Uncheck the top box “Verify Orchestrator and Stats Collector Certificates”.

32. Click Save.

33. Click Save and Apply Changes.

Learning Check
Answer the following questions:

1) What is the purpose of a group in Orchestrator’s appliance tree?


You assign EdgeConnect appliances to groups to simplify SD-WAN administration.

2) How does Orchestrator use LAN and WAN interface labels?


LAN: Interface identification and BIO match criteria. WAN: Interface identification and underlay tunnels.

3) What is a template?
You configure settings in a template that Orchestrator applies to multiple appliances.

4) What is the difference between Available Templates and Active Templates?


Available templates are a list of all unused templates. Active templates are template group members.

5) What is the difference between a template and a template group?


See #1 for template. A template group is a collection of configured templates that Orchestrator applies to appliances.

6) Can you apply more than one template group to an EdgeConnect?


Yes, you can see the applied template groups on the Apply Template Groups tab.


Lab 5: Run the Initial Config Wizard


Overview
You will use a web browser to access the appliances using the DHCP addresses displayed in
the ESXi host. In the ESXi host, you will verify the MAC address associated with each
vSwitch port group (virtual network adapter) on the appliance. Then during the Initial Config
Wizard setup, you will associate each interface to the appropriate vSwitch port group by
choosing the MAC address assigned to that vSwitch port group on the virtual machine in the
ESXi host.
Estimated time = 30 minutes

Objective:

• Complete the Initial Config Wizard for ECV-1.

Instructions
Task 1: Become Familiar with VMware ESXi vSwitch Port Groups
1. Unless it is already open, add a new tab in Google Chrome on the Landing Desktop,
and then open the DST Lab Topology bookmark.

2. Review the DST Lab Topology diagram. The gold-colored ovals represent the
vSwitch port groups to which each VM connects that allow them to communicate
with one another. Think of the vSwitch port groups like a physical switch that has
devices connected to it with cables. VMware ESXi uses virtual network switches, or
vSwitches, to interconnect its VMs. Each vSwitch has a port group. The port group
defines how the interfaces of each VM connect to a vSwitch.


Task 2: Record the MAC Addresses of ECV-1’s Network Adapters


3. From the Virtual Machines in the VMware ESXi host, click the name of ECV-1 in the list
of virtual machines.

4. In the Hardware Configuration section, click the disclosure triangle next to each of the
five network adapters to show their settings.

5. Review each network adapter’s settings, and then record the last two digits of each MAC
address in the following table.

ECV-1 Information

Network Adapter | MAC Address (Record the last 2 digits) | Port Group         | ECV-1 Interface
1               |                                        | SW 01 - Management | mgmt0
2               |                                        | SW 02              | lan0
3               |                                        | SW 03              | wan0
4               |                                        | SW 04              | wan1
5               |                                        | SW 05              | wan2


Task 3: Record the DHCP-assigned IP Address of mgmt0 for ECV-1

Note: ECV-1 is already installed, but not completely configured. The IP address for each
appliance and the Orchestrator should appear in the VM list in the ESXi host.

If the IP address field displays “Unknown” then click the refresh button above the VM list.

Note: If the IP address does not appear after refreshing the VM tab, then notify your instructor.
Self-paced students: contact training support at SASE-Training@hpe.com.

Note: Alternatively, you may also find the appliance’s IP address by opening a console
connection. (Right-click on the appliance in the VM tab and go to Console > Open console in
new tab.)

6. If the IP address is not present at the top of the console window, follow the instructions
in Appendix A, Issue#2 to reboot the appliance from the ESXi host – or notify your instructor.

• Self-paced students: contact training support at SASE-Training@hpe.com.

7. Record the DHCP IP address of ECV-1’s mgmt0 interface: __________________

Note: If your cursor becomes stuck in the VMware ESXi console window, enter CTRL+ALT on
your keyboard to release the cursor. If you’re using a Mac computer, enter
CTRL+Option.

8. Close the ECV-1 console tab.


Task 4: Complete the Initial Config Wizard for ECV-1


9. Open a new tab in Google Chrome on the Landing
Desktop.

10. Click the EdgeConnect (DHCP) bookmarks folder.

11. Click the ECV-1 (192.168.1.41) bookmark. If you choose to open a browser tab and
enter the ECV-1 DHCP IP address instead of using the bookmark, be sure to enter
https:// before the IP address.

12. Click through any Google Chrome security warnings that might appear.

13. Log in to ECV-1 with these credentials:

a. Username: admin

b. Password: admin

14. Click Login to open the Initial Config Wizard.

If the Initial Config Wizard doesn’t automatically launch after you log in, click
Configuration > System & Networking > Initial Config Wizard on the appliance’s menu to
open it.

Note: You might need to zoom out on the Landing Desktop browser to see the Initial Config
Wizard near the bottom of the list.

15. Enter ECV-1 in the Appliance Hostname field.

16. Assign the correct MAC address to each interface based on the ECV-1 Information table
you completed during a previous task.

17. From the License.txt file, copy the account name and account key, and then paste them
into the related Registration fields. This is the same account name and key used by the
Orchestrator.


18. Deselect the Orchestrator SSL Cert Check box.

19. Click Save on the Configuration Wizard window.

20. Click Yes, reboot now in the Confirm window.

21. Close the ECV-1 tab. You don’t need to wait for the
EdgeConnect to reboot.

IMPORTANT NOTE: It will take approximately 7 minutes for the Approve button to turn
green after the appliance is discovered. This is a good time to take a short break. In
the Appliances Discovered tab, compare the timestamp in the Discovered Time column with
the system clock in the bottom right corner of the Landing Desktop to determine how
long it has been since the appliance was discovered.

Learning Check
Answer the following questions:

1) What is the purpose of the Initial Config Wizard?


It assigns a hostname and MAC address/switchport group assignment to the physical interfaces + Account Name & Key if an EC-V.

2) Where do you configure the Initial Config Wizard – on the Orchestrator or the appliance?
From the Appliance Manager web interface.

3) T/F: The appliance’s IP address is configured in the Initial Config Wizard.


Yes, the Appliance Manager is accessible.


Lab 6: Approve an Appliance from the Orchestrator


Overview
After initial configuration, you will approve ECV-1 from Orchestrator. Once it is approved, you
will then complete the Appliance Wizard to define the configuration settings. After approval,
the licensing is granted to the appliance and the Orchestrator now manages it. It is best
practice to define a static IP address to manage each EdgeConnect, which you will do after
the appliance is deployed. After ECV-1 is approved and configured, you will reconfigure the
destination addresses used as ping targets in the Global IP SLA. There are default
destinations that are used to verify internet reachability. An addition will be made to include
an “internet” destination that is inside the lab environment.
Estimated time = 30 minutes

Objectives

• Verify that ECV-1 has finished rebooting.

• Approve ECV-1 in the Orchestrator’s Discovered Appliances tab.

• Complete the Appliance Wizard configuration.

Instructions
Task 1: Verify that ECV-1 Has Finished Rebooting
You can view the reboot process from the ESXi host by clicking on the ECV-1 icon on the
Virtual Machines tab of the ESXi host. This will display ECV-1’s console where you can
watch it go through the boot process.

1. From VMware ESXi, click Virtual Machines in the Navigator pane.

2. Look at the row for ECV-1 and verify its DHCP IP address is displayed
(192.168.1.41).

3. If instead the IP address field displays “Unknown” or possibly an IPv6 link-local IP
(FE80: . . . .) then the appliance is not finished rebooting or the MAC address was
misconfigured in the Initial Config Wizard. Wait a minute and then click the refresh
button until the DHCP address is displayed.


4. If the DHCP address remains unassigned, Appendix A (Issue #4) describes how to
reset an appliance to its defaults. Then go through the Initial Config Wizard on the
appliance again.

Task 2: Open Orchestrator’s Discovered Appliances Tab


5. From Orchestrator, click the Appliances Discovered button on the right-hand side of
Orchestrator’s menu bar, at the top right of the screen.

6. Click Refresh Discovery Information. It is not an issue if the IP address field doesn’t
show an entry.

IMPORTANT NOTE: It will take approximately 7 minutes for the Approve button to turn
green after the appliance is discovered. This is a good time to take a short break. In
the Appliances Discovered tab, compare the timestamp in the Discovered Time column with
the system clock in the bottom right corner of the Landing Desktop to determine how
long it has been since the appliance was discovered.

What if the Appliances Discovered button does not appear after the previous step?
If an appliance has not been discovered by the Orchestrator 10 minutes after completing the
Initial Config Wizard, follow the instructions in Appendix A, Issue#2 to reboot the appliance –
or notify your instructor.


Caution: If any EdgeConnect continues to show Unreachable 10 minutes after
rebooting from the ESXi host, then notify your instructor. SELF-PACED students –
send an email to ‘SASE-Training@hpe.com’ and include your lab access code in the
subject. Please note that this email is monitored Monday – Friday, 9AM – 5:00 PM
US/Pacific.

Task 3: Approve ECV-1 from Orchestrator


7. From Orchestrator’s Discovered Appliances tab, on the row for ECV-1, click Approve.

8. If prompted to upgrade the appliance click Skip.

Task 4: Complete the Appliance Wizard for ECV-1


9. Enter these settings on page 1:

a. Group: Site 1 - Singapore

b. Admin Password: Speak-123

c. Confirm Password: Speak-123

d. City: Singapore

e. State: Delete the entry

f. Zip Code: Delete the entry

g. Country: Singapore

h. Hub Site: Not Selected


10. Click Next on page 1 of the Appliance Wizard.

11. Click the Deployment Profile drop-down list, and then click MPLS + Internet + LTE
Branch. This profile will be edited and used to configure ECV-1.

12. Before you begin configuring, stretch the deployment configuration window by
dragging the bottom right corner. Make sure you can see all of the configurable
fields including the WAN next-hop address fields and the licensing information fields.

13. Just below the lan0 interface, click +IP twice to add two subinterfaces.

14. Add VLAN number 131 to the first subinterface and 132 to the second subinterface.


15. Enter these settings on page 2:

a. lan0 interface: 10.110.10.100/24 - (Label = Data)

b. lan0.131 sub-interface: 10.110.13.100/24 - (Label = Voice)

c. lan0.132 sub-interface: 10.110.14.100/24 - (Label = GuestWiFi)

d. wan0 (MPLS1) interface: 10.110.103.100/24

e. wan1 (INET1) interface: 10.110.104.100/24

f. wan2 (LTE) interface: 10.110.105.100/24

g. wan0 next-hop: 10.110.103.1

h. wan1 next-hop: 10.110.104.1

i. wan2 next-hop: 10.110.105.1

16. Configure bandwidth in Kbps on each WAN interface:

a. Outbound = 6,000

b. Inbound = 6,000

17. Calculate Total Outbound and Inbound bandwidth using the ∑ Calc button.

18. Configure licensing – click on 50 Mbps in the EdgeConnect Licensing drop-down.

19. Configure Boost bandwidth to 18,000 Kbps.

20. Click Next on page 2.

21. Click Next on page 3. You won’t use loopback addresses during these labs.

22. Enter these settings on page 4:

a. Use SD-WAN Fabric Learned Routes: Selected

b. Automatically advertise local LAN subnets: Selected

c. Automatically advertise local WAN subnets: Not selected


23. Click Next.

24. The following items should be pre-selected:

a. Add Business Intent Overlays to this Site:

• RealTime: Selected

• Critical Apps: Selected

• BulkApps: Selected

• DefaultOverlay: Selected

b. Select a Template Group to be applied:

• Default Template Group: Selected


25. Click Apply on page 5. Orchestrator shows a list of operations on the Appliance
Wizard window. All of them should have a status of Success, and the overall status
should be Success. If one of the operations should fail, click Go Back, and then click
Apply again.

26. When all of the operations show Success, click Close on the Appliance Wizard
window.

27. Close the Discovered Appliances tab.

28. From Orchestrator’s appliance tree, click the disclosure triangle for the
Site 1 – Singapore group. ECV-1 should be a member of this group.

29. Click the gear icon in the top right of the Appliance Tree.

30. Click the Show IP checkbox to display the appliance IP address in the Appliance Tree.

31. Click the “X” in the upper right corner to close the tree setting menu.

It will take several minutes for the appliance to turn from grey to black and be
reachable in the Appliance Tree.
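
The page 2 values entered in steps 15 and 16 of Task 4 can be checked for typing mistakes before they go into the wizard. This added example (not part of the lab guide or of Orchestrator) verifies that each WAN next hop sits inside its interface's subnet, that no two interfaces share a subnet, that sub-interface VLAN IDs are valid, and sums the per-interface bandwidth; the dictionary layout and the function name are assumptions made for the example.

```python
import ipaddress

# ECV-1 values from page 2 of the Appliance Wizard in this lab.
# The dictionary layout is an assumption made for this example.
ECV1_PLAN = {
    "lan": {
        "lan0": "10.110.10.100/24",
        "lan0.131": "10.110.13.100/24",
        "lan0.132": "10.110.14.100/24",
    },
    "wan": {
        "wan0": {"ip": "10.110.103.100/24", "next_hop": "10.110.103.1",
                 "out_kbps": 6000, "in_kbps": 6000},
        "wan1": {"ip": "10.110.104.100/24", "next_hop": "10.110.104.1",
                 "out_kbps": 6000, "in_kbps": 6000},
        "wan2": {"ip": "10.110.105.100/24", "next_hop": "10.110.105.1",
                 "out_kbps": 6000, "in_kbps": 6000},
    },
}


def check_plan(plan):
    """Return (errors, totals) for an addressing plan shaped like ECV1_PLAN."""
    errors = []
    seen = {}  # subnet -> name of the interface that already uses it

    def register(name, cidr):
        """Parse one interface address, flag unusable hosts and shared subnets."""
        try:
            iface = ipaddress.ip_interface(cidr)
        except ValueError as exc:
            errors.append(f"{name}: invalid address {cidr!r} ({exc})")
            return None
        net = iface.network
        if (net.version == 4 and net.prefixlen < 31
                and iface.ip in (net.network_address, net.broadcast_address)):
            errors.append(f"{name}: {iface.ip} is not a usable host address in {net}")
        for other_net, other_name in seen.items():
            if net.version == other_net.version and net.overlaps(other_net):
                errors.append(f"{name}: subnet {net} overlaps {other_name}")
        seen[net] = name
        return iface

    for name, cidr in plan["lan"].items():
        register(name, cidr)
        if "." in name:  # sub-interface such as lan0.131
            vlan = name.split(".", 1)[1]
            if not (vlan.isdigit() and 1 <= int(vlan) <= 4094):
                errors.append(f"{name}: VLAN ID {vlan!r} is not in 1-4094")

    totals = {"out_kbps": 0, "in_kbps": 0}
    for name, wan in plan["wan"].items():
        totals["out_kbps"] += wan["out_kbps"]
        totals["in_kbps"] += wan["in_kbps"]
        iface = register(name, wan["ip"])
        if iface is None:
            continue
        try:
            hop = ipaddress.ip_address(wan["next_hop"])
        except ValueError:
            errors.append(f"{name}: invalid next hop {wan['next_hop']!r}")
            continue
        if hop not in iface.network:
            errors.append(f"{name}: next hop {hop} is outside {iface.network}")
        elif hop == iface.ip:
            errors.append(f"{name}: next hop equals the interface address")
    return errors, totals


if __name__ == "__main__":
    errors, totals = check_plan(ECV1_PLAN)
    print("errors:", errors or "none")
    print("totals:", totals)
```
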

Task 5: Configure ECV-1’s mgmt0 Interface with a Static IP Address

Note: You will need to wait until ECV-1 has finished deploying in the Orchestrator before moving
on to the next step. Note that ECV-1 is the only appliance at this point, so no tunnels will
be built.


32. From Orchestrator’s appliance tree, open the Site 1 - Singapore group, right-click
ECV-1, and then click Appliance Manager. Orchestrator logs in the admin account to the
web interface of the ECV-1 appliance.

33. Open the Hostname/IP window. (Administration > Basic Settings > Hostname / IP).

34. Click the DHCP check box for mgmt0, and then click the check box a second time to
remove the check mark.

35. Enter the IP address 192.168.1.4/24.

36. Click Apply. A status window with Applying Hostname / IP changes appears. It will
take a minute or more for the changes to be applied.

37. Click Save Changes in the upper-right area. You might have to
wait for a few seconds for this button to appear. Depending on
the auto-save cycle, the Save Changes button may not appear.

38. Close the Google Chrome tab for ECV-1.

Task 6: Configure the Global IP SLA for Internet Breakout

Note: During this task, you will configure a global internet breakout IP SLA that applies to all of
the overlays. EdgeConnect appliances use this IP SLA to verify that the internet is
reachable in order to perform local internet breakout. If all the targets you specify in the IP
SLA are not reachable, the EdgeConnect uses the next option in the Preferred Policy
Order. If no other options are present, then it uses the Drop option.


39. Open the Business Intent Overlays tab. (Click Configuration > Overlays &
Security > Business Intent Overlays.)

40. Click Breakout Traffic to Internet & Cloud Services on any one of the BIOs. Using
the instructions below, edit the IP SLA target addresses in one of the BIOs and the
changes will propagate to all the BIOs.

41. Click the edit icon next to Break Out Locally Using These Interfaces.

42. Add a comma after the last address in the IP SLA addresses list and then add UBU-1’s
IP address in the Address field with no space after the comma:

a. sp-ipsla.silverpeak.cloud,8.8.8.8,8.8.4.4,11.1.1.11


Note: There may be specific Internet devices that are important for your network, so we will
demonstrate how to change the default IP SLA targets in this task. As an important
device in the lab internet, you will add UBU-1's address (11.1.1.11) into the IP SLA
addresses list to verify the lab internet is reachable. Note that 11.1.1.11 is a public IP
address but is not reachable on the real internet, only inside of the ReadyTech lab.

43. Click Save on the IP SLA Rule Destination window. Orchestrator displays a success
message.

44. Close the Overlay Configuration window using the “X” on the top right.

45. Close the Business Intent Overlays tab.

46. Review the DST Lab Topology, and then answer these questions:

a. Can ECV-1 ping the 10.110.104.1 internet gateway addresses?

When deployed, ECV-1, ECV-3, ECV-4, and ECV-5 can ping them. (ECV-2 has no INET interface)

b. Can ECV-1 ping the 10.110.105.1 LTE gateway address?

When deployed, ECV-1 and ECV-3 can ping them. (ECV-2 has no INET interface)

Note: At this point, Orchestrator has the four preconfigured BIOs. All of the BIOs now use the
global IP SLA that includes 11.1.1.11. These addresses will be used to determine if the
internet is reachable. These addresses are combined with a Boolean “or”. This means if
none of these IP addresses are reachable, the internet is considered unreachable and the
Breakout Locally option will not work. If any one of the IP addresses is reachable, then
the internet is considered to be up and Breakout Locally will be used.

Task 7: Ping the Internet from Site 1’s LAN subnet

Note: During this task, you test Internet connectivity on ECV-1 by pinging UBU-1 which is
located on the lab Internet. Pings will be sourced from ECV-1’s lan0 interface which is the
same subnet as the connected host. The Ping / Traceroute utility is run from the appliance
manager, not the Orchestrator.

Note: For a ping, you must identify the source address or interface in the options field preceded
with a “-I”. For example, “-I 10.110.10.100” or “-I wan1”.

Note: For a traceroute you must identify the source address or interface in the options field.
Precede the source IP address with a “-s”. Precede the source interface with “-i”. For
example, “-s 10.110.10.100” or “-i wan1”.


Note: The options for traceroute are both in lowercase while ping uses an uppercase I
(i.e. “-I”). If a source is not specified, then the management interface is used by default.

47. Right-click ECV-1 in Orchestrator’s appliance tree, and then click Appliance Manager
at the top of the menu.

48. Go to Maintenance > Tools > Ping/Traceroute to open the Ping/Traceroute page.

49. Click on the Ping button under Network Connectivity.

50. In the IP/Hostname field enter UBU-1’s IP address: 11.1.1.11

51. In the Options field, enter -I 10.110.10.100. This option specifies the lan0 interface of
ECV-1. If you don’t specify, ECV-1 would use its mgmt0 interface IP address as the ping’s
source IP address.

Note: A list of all options can be found by clicking at the top of the page.

52. Click the Start button and it will change to Stop. You should see successful replies in
the Output field.

53. Click Stop to end the ping process.

Note: In this lab we are not using Routing Segmentation. If segmentation is configured, then
you would choose the correct segment for the ping or traceroute.

Task 8: Traceroute to the Internet from Site 1’s LAN Subnet

Note: This time you will trace the path that ECV-1’s lan0 interface takes to the internet. UBU-1
represents the internet in the lab due to restrictive firewalling in the ReadyTech
environment.


54. Click Traceroute.

55. 11.1.1.11 should still be in the IP / Hostname field. If not, re-enter it.

56. Enter -s 10.110.10.100 in the options field to use ECV-1’s lan0 IP address as the
traceroute’s source IP address.

57. Click Start.

Note: You should see the traceroute going through ECV-1’s internet connection on wan1. The
first hop in the traceroute is wan1’s next hop address, 10.110.104.1.

58. Click Stop.

59. Close the appliance manager browser tab.

Learning Check
Answer the following questions:

1) How do you know an appliance is ready for approval from the Orchestrator?
The Appliances Discovered button will appear – flash briefly and then turn solid.

2) From which Orchestrator tab do you approve a new appliance?


In the Appliances Discovered tab – accessed by clicking on the Appliances Discovered button.

3) What do you do after you click the Approve button for an appliance?
Complete the Appliance Wizard – System info, Deployment profile, Loopbacks, Subnet Sharing and BIOs / Template Groups

4) From where do you initiate a ping or traceroute?


Currently the ping/traceroute utility is performed from the appliance web UI – not from the Orchestrator.

5) Why do you need to specify a data path source IP address for a ping or traceroute?
If you don’t do this, the EdgeConnect uses the IP address of its mgmt0 interface as the source IP address.


Lab 7: Configure Deployment Profiles


Overview
You can now confirm that configuring the Deployment screen on the Appliance Wizard can
be a time-consuming process. Having to choose all interface parameters and options as well
as IP addressing information on each appliance also increases the risk of configuration
errors. It’s possible to create a Deployment Profile in which you preconfigure all interface
settings except IP addresses.
Deployment Profiles are configured on the Orchestrator and provide accurate, scalable
configurations for your EdgeConnect appliances. Your SD-WAN may have sites with identical
interface, VLAN, bandwidth, QoS, firewall, and licensing. You can configure one Deployment
Profile that includes these identical settings, and then use the Deployment Profile as you
deploy appliances – configuring only the IP addresses for each appliance.
Estimated time = 20 minutes

Objectives

• Create Deployment Profiles for ECV-2, ECV-3 and ECV-4.

• Choose WAN and LAN interfaces and subinterfaces, and configure their settings: labels,
FW mode, interface & total WAN bandwidth, Boost bandwidth, and licensing.

• These Deployment Profiles will be used to deploy three appliances in an upcoming lab
where you will deploy ECV-5 using a preconfiguration file.

Instructions
Task 1: Create the “Branch Office EdgeHA – MPLS” Deployment
Profile

Note: You will modify the preconfigured MPLS Only Branch deployment profile, and then Save
As with a different name to create the Branch Office EdgeHA - MPLS deployment profile.

Note: In a later lab, you will then apply the Branch Office EdgeHA - MPLS deployment profile to
ECV-2 at Site 2 - Mumbai.

1. From Orchestrator, open the Deployment Profiles tab. (Configuration > Overlays &
Security > Deployment Profiles)


2. From the Profile Name drop-down list, click MPLS Only Branch.

3. Verify that Router is the deployment mode.

4. Under LAN Interfaces, below interface lan0, click +IP to add a sub-interface.

5. Configure these LAN interface labels:

a. lan0: Data

b. lan0 sub-interface: Voice

6. Configure the LAN sub-interface VLAN tag:

a. lan0 / Voice sub-interface: 131

7. Verify the WAN interface label:

a. wan0: MPLS1

8. Verify the FW mode (i.e. firewall mode) of the WAN interfaces:

a. wan0: Allow All

9. Verify the NAT flag setting of the WAN interface (just below WAN next-hop):

a. wan0: Not behind NAT


Note: In a production SD-WAN, you would configure the NAT Flag setting for the internet and
4G LTE interfaces when upstream devices perform NAT. There are no upstream NAT
devices in this lab.

10. Configure the Bandwidth settings for the WAN interface:

a. wan0: 2,000 outbound, 2,000 inbound

11. Click ∑ Calc to set the Total Outbound and Total Inbound WAN bandwidth
settings to 2,000 each.

12. From the EC license drop-down list, click 50 Mbps.

13. Configure Boost to 2,000 Kbps.

14. Click Save As in the lower left (you may need to zoom out on the Landing PC browser).

15. Enter Branch Office EdgeHA MPLS as the name of the Deployment Profile.

16. Click Save.

Task 2: Create the “Branch Office EdgeHA - Internet/LTE” Deployment Profile

Note: You will modify the Branch Office EdgeHA - MPLS profile you just configured, and then
Save As with a different name to create the Branch Office EdgeHA - Internet/LTE
Deployment Profile.

Note: In a later lab, you will apply the Branch Office EdgeHA - Internet/LTE Deployment
Profile to ECV-3 at Site 2 - Mumbai.

17. Change the interface label on wan0:

a. wan0: INET1

18. Click +Add next to WAN Interfaces to add a wan1 interface.


19. Configure the interface label for the wan1 interface:

a. wan1: LTE

20. Verify and change the FW mode (firewall mode) on the WAN interfaces:

a. wan0: Stateful+SNAT

b. wan1: Stateful+SNAT

21. Verify the NAT Flag setting for each WAN interface:

a. wan0: Not behind NAT

b. wan1: Not behind NAT

Note: In a production SD-WAN, you would configure the NAT Flag setting for the internet and
4G LTE interfaces when upstream devices perform NAT. In this training lab, this isn’t
necessary.

22. Configure the Bandwidth settings for the wan1 interface:

a. wan1: 2,000 outbound, 2,000 inbound

23. Click ∑ Calc to set the Total Outbound and Total Inbound WAN bandwidth settings to
4,000 each.

24. From the EC license drop-down list, click 50 Mbps.

25. Configure Boost to 4,000 Kbps.


26. Click Save As.

27. Enter Branch Office EdgeHA - Internet/LTE as the name of the Deployment Profile.

28. Click Save.

Task 3: Create “Data Center HA” Deployment Profile

Note: You will modify the Branch Office EdgeHA - Internet/LTE Deployment Profile and then
Save As with a different name to create the Data Center HA Deployment Profile.

Note: In a later lab, you will apply the Data Center HA Deployment Profile to ECV-4 at Site 3 –
Santa Clara. ECV-5 will also be located at Site 3 but will use a preconfiguration file
instead of a deployment profile for configuration.

29. Under LAN Interfaces, below interface lan0, click +IP to add a second sub-interface.

30. Configure the new LAN sub-interface:

a. Interface label: GuestWiFi

b. sub-interface: 132

31. Change interface label and FW Mode on wan0:

a. Label: MPLS1

b. FW Mode: Allow All

32. Change interface label and verify FW Mode on wan1:

a. Label: INET1

b. FW Mode: Stateful+SNAT


33. Verify the NAT Flag setting for each WAN interface:

a. wan0: Not behind NAT

b. wan1: Not behind NAT

Note: In a production SD-WAN, you would configure the NAT Flag setting for the internet and
4G LTE interfaces when upstream devices perform NAT. There are no upstream NAT devices
on any WAN interface in this lab.

34. Configure the Bandwidth settings for the WAN interfaces:

a. wan0: 4,000 outbound, 4,000 inbound

b. wan1: 4,000 outbound, 4,000 inbound

35. Click ∑ Calc to set the Total Outbound and Total Inbound WAN bandwidth settings
to 8,000 each.

36. Verify that the EC drop-down list in the EdgeConnect Licensing section is set to 50
Mbps.

37. Configure Boost to 8,000 Kbps.

38. Click Save As.

39. Enter Data Center HA as the name of the Deployment Profile.

40. Click Save.
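
The WAN settings of the two profiles created in Tasks 2 and 3 can be checked mechanically before they are applied to appliances. The Python below is an added example, not part of the lab guide or of Orchestrator: the data model, the function names and the rule that INET1 and LTE labels must not use Allow All are assumptions made for illustration, and the failing profile is constructed.

```python
from dataclasses import dataclass

# Assumption for this example: WAN labels that face a public or carrier network.
UNTRUSTED_LABELS = {"INET1", "LTE"}
# FW mode that accepts any inbound traffic on the interface.
PERMISSIVE_MODES = {"Allow All"}


@dataclass
class WanInterface:
    name: str
    label: str
    fw_mode: str
    outbound_kbps: int
    inbound_kbps: int


@dataclass
class DeploymentProfile:
    name: str
    wan: list
    total_outbound_kbps: int
    total_inbound_kbps: int


def lint_profile(profile):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    for intf in profile.wan:
        if intf.label in UNTRUSTED_LABELS and intf.fw_mode in PERMISSIVE_MODES:
            findings.append(
                f"{profile.name}: {intf.name} ({intf.label}) uses FW mode "
                f"'{intf.fw_mode}' on an untrusted link"
            )
    # The totals should equal what the Calc link produces: the per-interface sum.
    for direction in ("outbound", "inbound"):
        expected = sum(getattr(i, f"{direction}_kbps") for i in profile.wan)
        actual = getattr(profile, f"total_{direction}_kbps")
        if actual != expected:
            findings.append(
                f"{profile.name}: total {direction} is {actual}, "
                f"interfaces sum to {expected}"
            )
    return findings


# The two profiles built in this lab. The 2,000 figure for wan0 in the first
# profile is inferred from the 4,000 total the lab expects after Calc.
BRANCH_INTERNET_LTE = DeploymentProfile(
    "Branch Office EdgeHA - Internet/LTE",
    [
        WanInterface("wan0", "INET1", "Stateful+SNAT", 2000, 2000),
        WanInterface("wan1", "LTE", "Stateful+SNAT", 2000, 2000),
    ],
    4000,
    4000,
)
DATA_CENTER_HA = DeploymentProfile(
    "Data Center HA",
    [
        WanInterface("wan0", "MPLS1", "Allow All", 4000, 4000),
        WanInterface("wan1", "INET1", "Stateful+SNAT", 4000, 4000),
    ],
    8000,
    8000,
)
# Constructed failing profile: the FW mode was copied from wan0 to wan1 and
# the totals were left at the branch values instead of being recalculated.
CONSTRUCTED_BAD = DeploymentProfile(
    "Constructed bad copy",
    [
        WanInterface("wan0", "MPLS1", "Allow All", 4000, 4000),
        WanInterface("wan1", "INET1", "Allow All", 4000, 4000),
    ],
    4000,
    4000,
)

if __name__ == "__main__":
    for p in (BRANCH_INTERNET_LTE, DATA_CENTER_HA, CONSTRUCTED_BAD):
        for line in lint_profile(p) or [f"{p.name}: OK"]:
            print(line)
```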

Learning Check
Answer the following questions:

1) Where do you configure Deployment Profiles?
On the Orchestrator

2) Where do you configure the Deployment page?
On the appliance from Orchestrator’s interface.

3) What do you configure in a Deployment profile?
All of the interface configuration settings for an appliance – except IP addresses

4) Why might you use Deployment Profiles?
1. When there are multiple appliances with the same interface characteristics (small branch,
data center, etc.); 2. When you want to speed up the deployment of an appliance during a
maintenance window.

5) What is the difference between a Deployment Profile and the Deployment page?
Deployment Profile contains no IP addresses – can be used with multiple appliances.
Deployment Screen IP address fields are configurable – intended for a single appliance.

Lab 8: Configure Additional Appliances


Overview
The registration and approval process will be the same as was used with ECV-1. You will
access ECV-2, ECV-3, and ECV-4 via HTTPS and complete the Initial Config Wizard with the
hostname, MAC address assignments, Account Name, and Account Key.
Estimated time = 60 minutes

Objectives

 Complete the Initial Config Wizard for ECV-2, ECV-3, and ECV-4.

IMPORTANT NOTE: It will take approximately 7 minutes for the Approve button to turn
green after the appliance is discovered. This is a good time to take a short break. On
the Discovered Appliances tab, compare the timestamp in the Discovered Time column with
the system clock in the bottom right corner of the Landing Desktop to determine how
long it has been since the appliance was discovered.

Instructions
Task 1: Record the MAC Addresses of ECV-2’s Network Adapters

1. From VMware ESXi, click Virtual Machines in the Navigator pane.

2. Right-click the name of ECV-2 in the list of virtual machines and click Edit Settings.

3. In the Hardware Configuration section, click the disclosure triangle next to each of the
four network adapters to show their settings – including the MAC address.

4. Review each network adapter’s settings, and then record the last two digits of each MAC
address in the following table.

ECV-2 Information

Network Adapter   MAC Address (Record the last 2 digits)   Port Group           ECV-2 Interface
1                 ____                                     SW 01 - Management   mgmt0
2                 ____                                     SW 06                lan0
3                 ____                                     SW 08                wan0
4                 ____                                     SW 11                wan1

Task 2: Record the DHCP-assigned IP Address of mgmt0 for ECV-2

 ECV-2 is already installed, but not completely configured. The next few steps show
another method for determining the mgmt0 IP address of an EC-V.

5. In VMware ESXi, open a console for ECV-2 in a new tab. (Console > Open console in new tab)

6. The IP address is at the top of the console window. If the address is not present,
notify your instructor.

7. Record the DHCP IP address of ECV-2’s mgmt0 interface: __________________

 If your cursor becomes stuck in the VMware ESXi console window, enter CTRL+ALT on
your keyboard to release the cursor. If you’re using a Mac computer, enter CTRL+Option.

8. Close the ECV-2 console tab.

Task 3: Complete the Initial Config Wizard for ECV-2


9. Open a new tab in Google Chrome on the Landing
Desktop.

10. Click the EdgeConnect (DHCP) bookmarks folder.

11. Click the ECV-2 (192.168.1.42) bookmark. If you choose to open a browser tab and
enter ECV-2’s mgmt0 DHCP IP address instead of using the bookmark, be sure to
enter https:// before the IP address.

12. Click through any Google Chrome security warnings that might appear.

13. Log in to ECV-2 with these credentials:

a. Username: admin

b. Password: admin

14. Click Login to open the Initial Config Wizard. If the Initial Config Wizard doesn’t
automatically appear after you log in, click Configuration > System & Networking >
Initial Config Wizard on the appliance’s menu to open it.

 You might need to zoom out on the Landing Desktop browser to see the Initial Config
Wizard near the bottom of the list.

15. Enter ECV-2 in the Appliance Hostname field.

16. Assign the correct MAC address to each interface based on the ECV-2 Information table
you completed during a previous task.

17. From the License.txt file, copy the account name and account key, and then paste them
into the related Registration fields.

18. Deselect the Orchestrator SSL Cert Check box.

19. Click Save on the Configuration Wizard window.

20. Click Yes, reboot now in the Confirm window.

21. Close the ECV-2 tab. You don’t need to wait for the
EdgeConnect to reboot.

Task 4: Record the MAC Addresses of ECV-3’s Network Adapters

22. From VMware ESXi, click Virtual Machines in the Navigator pane.

23. Click the name of ECV-3 in the list of virtual machines.

24. In the Hardware Configuration section, click the disclosure triangle next to each of the
four network adapters to show their settings.

25. Review each network adapter’s settings, and then record the last two digits of each
MAC address in the following table.

ECV-3 Information

Network Adapter   MAC Address (Record the last 2 digits)   Port Group           ECV-3 Interface
1                 ____                                     SW 01 - Management   mgmt0
2                 ____                                     SW 06                lan0
3                 ____                                     SW 09                wan0
4                 ____                                     SW 10                wan1
5                 ____                                     SW 11                wan2

Task 5: Record the DHCP-assigned IP Address of mgmt0 for ECV-3


26. In VMware ESXi, open a console for
ECV-3 in a new tab. (Console > Open
console in new tab)

27. The IP address is at the top of the console window. If the address is not present,
notify your instructor.

28. Record the DHCP IP address of ECV-3’s mgmt0 interface: __________________

 If your cursor becomes stuck in the VMware ESXi console window, enter CTRL+ALT on
your keyboard to release the cursor. If you’re using a Mac computer, enter CTRL+Option.

29. Close the ECV-3 console tab.

Task 6: Complete the Initial Config Wizard for ECV-3


30. Open a new tab in Google Chrome on the Landing Desktop.

31. Click the EdgeConnect (DHCP) bookmarks folder.

32. Click the ECV-3 (192.168.1.43) bookmark. If you choose to open a browser tab and
enter the ECV-3 DHCP IP address instead of using the bookmark, be sure to enter
https:// before the IP address.

33. Click through any Google Chrome security warnings that might appear.

34. Log in to ECV-3 with these credentials:

a. Username: admin

b. Password: admin

35. Click Login to open the Initial Config Wizard. If the Initial Config Wizard doesn’t
automatically appear after you log in, click Configuration > System & Networking >
Initial Config Wizard on the appliance’s menu to open it.

 You might need to zoom out on the Landing Desktop browser to see the Initial Config
Wizard near the bottom of the list.

36. Enter ECV-3 in the Appliance Hostname field.

37. Assign the correct MAC address to each interface based on the ECV-3 Information table
you completed during a previous task.

38. From the License.txt file, copy the account name and account key, and then paste them
into the related Registration fields.

39. Deselect the Orchestrator SSL Cert Check box.

40. Click Save on the Configuration Wizard window.

41. Click Yes, reboot now on the Confirm window.

42. Close the ECV-3 tab. You don’t need to wait for the EdgeConnect to reboot.

Task 7: Record the MAC Addresses of ECV-4’s Network Adapters


43. From VMware ESXi, click Virtual Machines in the
Navigator pane.

44. Right-click the name of ECV-4 in the list of virtual machines and then click Edit Settings.

45. In the Hardware Configuration section, click the disclosure triangle next to each of the
four network adapters to show their settings.

46. Review each network adapter’s settings, and then record the last two digits of each
MAC address in the following table.

ECV-4 Information

Network Adapter   MAC Address (Record the last 2 digits)   Port Group           ECV-4 Interface
1                 ____                                     SW 01 - Management   mgmt0
2                 ____                                     SW 13                lan0
3                 ____                                     SW 15                wan0
4                 ____                                     SW 16                wan1

Task 8: Record the DHCP-assigned IP Address of mgmt0 for ECV-4


47. In VMware ESXi, open a console for ECV-4 in a new tab. (Console > Open console in new tab)

48. The IP address is at the top of the console window. If the address is not present,
notify your instructor.

49. Record the DHCP IP address of ECV-4’s mgmt0 interface: __________________

 If your cursor becomes stuck in the VMware ESXi console window, enter CTRL+ALT on
your keyboard to release the cursor. If you’re using a Mac computer, enter CTRL+Option.

50. Close the ECV-4 console tab.

Task 9: Complete the Initial Config Wizard for ECV-4


51. Open a new tab in Google Chrome on the Landing Desktop.

52. Click the EdgeConnect (DHCP) bookmarks folder.

53. Click the ECV-1 (192.168.1.44) bookmark. If you choose to open a browser tab and
enter the ECV-4 DHCP IP address instead of using the bookmark, be sure to enter
https:// before the IP address.

54. Click through any Google Chrome security warnings that might appear.

55. Log in to ECV-4 with these credentials:

a. Username: admin

b. Password: admin

56. Click Login to open the Initial Config Wizard. If the Initial Config Wizard doesn’t
automatically appear after you log in, click Configuration > System & Networking >
Initial Config Wizard on the appliance’s menu to open it.

 You might need to zoom out on the Landing Desktop browser to see the Initial Config
Wizard near the bottom of the list.

57. Enter ECV-4 in the Appliance Hostname field.

58. Assign the correct MAC address to each interface based on the ECV-4 Information table
you completed during a previous task.

59. From the License.txt file, copy the account name and account key, and then paste them
into the related Registration fields.

60. Deselect the Orchestrator SSL Cert Check box.

61. Click Save on the Configuration Wizard window.

62. Click Yes, reboot now on the Confirm window.

63. Close the ECV-4 tab. You don’t need to wait for the
EdgeConnect to reboot.

Learning Check
Answer the following questions:

1) Why do you record the MAC addresses of the virtual network adapters of the ESXi host?
These MAC addresses are each assigned to a specific switchport group which is associated to the local network. These MAC addresses are then
assigned to the physical interfaces during the Initial Config Wizard so that the interfaces are also associated with the correct switchport group.

Lab 9: Approve Additional Appliances


Overview
After initial configuration, you will approve each EdgeConnect from Orchestrator. Once you
approve an EdgeConnect, you will complete the Appliance Wizard to define the configuration
for it. Following this process, Orchestrator manages the EdgeConnect appliance. It is best
practice to define a static IP address to manage each EdgeConnect, which you do during this
lab.
Estimated time = 60 minutes

Objectives

 Approve ECV-2, ECV-3, and ECV-4 from the Orchestrator.

 Use the previously configured Deployment Profiles with the Appliance Wizard.

 Configure a static IP address for each EdgeConnect SD-WAN appliance’s mgmt0 interface.

Instructions
Task 1: Verify that ECV-2, ECV-3, and ECV-4 Have Finished Rebooting

1. From VMware ESXi, click Virtual Machines in the Navigator pane.

2. Look at the row for ECV-2 and verify its DHCP IP address is displayed
(192.168.1.42).

3. If instead the IP address field displays “Unknown” or possibly an IPv6 link-local IP
address (FE80: . . . .), then the appliance has not finished rebooting or the MAC address
was misconfigured in the Initial Config Wizard. Wait a minute and then click the Refresh
button until the DHCP address is displayed.

4. If the DHCP address remains unassigned, Appendix A, Issue #4 describes how to reset an
appliance to its defaults. Then go through the Initial Config Wizard on the appliance again.

5. Repeat steps 1-2 for ECV-3 and ECV-4.

 Verifying that the EdgeConnect appliances have finished rebooting helps to ensure that
Orchestrator shows them as Reachable during a later task.

Task 2: Open Appliances Discovered Tab


6. From Orchestrator, click on the green Appliances
Discovered button to open the Discovered Appliances
tab.

7. Periodically click Refresh Discovery Information until all appliances are reachable and
the approve buttons are green. It’s not an issue if the IP address field doesn’t show an
entry.

NOTE that it can take 10 minutes or more for the approve button to turn green after discovery.

What if the Appliances Discovered button does not appear after the previous step?
If an appliance has not been discovered by the Orchestrator 10 minutes after completing the
Initial Config Wizard, follow the instructions in Appendix A, Issue #2 to reboot the appliance –
or notify your instructor.

Caution: If any EdgeConnect continues to show Unreachable 10 minutes after rebooting from
the ESXi host, then notify your instructor. SELF-PACED students – send an email to
‘SASE-Training@hpe.com’ and include your lab access code in the subject. Please note that
this email is monitored Monday – Friday, 9AM – 5:00 PM PST.

Task 3: Approve ECV-2 from Orchestrator


Caution: ECV-2 might not be in the top row of the Discovered Appliances tab.
Verify this before you click Approve. Click on the Appliance header to sort the
appliance column.

8. From Orchestrator’s Discovered Appliances tab, on the row for ECV-2, click the
green Approve button. The row will highlight when clicked as shown for ECV-2 below.

9. Click Skip on the Upgrade Appliance window.

Task 4: Complete the Appliance Wizard for ECV-2


10. Enter the following settings on page 1:

a. Group: Site 2 - Mumbai

b. Admin Password: Speak-123

c. Confirm Password: Speak-123

d. City: Mumbai

e. State: Delete the entry

f. Zip Code: Delete the entry

g. Country: India

h. Hub Site: Not Selected

11. Click Next on page 1.

12. Click the Deployment Profile drop down list, and then click Branch Office EdgeHA MPLS.

13. Enter these settings on page 2:

a. lan0 (Data) interface: 10.110.20.101/24

b. lan0.131 (Voice) sub-interface: 10.110.23.101/24

c. wan0 (MPLS1) interface: 10.110.108.100/24

d. wan0 next-hop: 10.110.108.1

14. Click Next on page 2.

15. Click Next on page 3. You won’t use loopback addresses during this course’s labs.

16. Verify these settings on page 4 (some may be preselected):

a. Use SD-WAN Fabric Learned Routes: Selected

b. Automatically advertise local LAN subnets: Selected

c. Automatically advertise local WAN subnets: Not selected

17. Click Next.

18. The following items on page 5 should be pre-selected. If they are not, click each box to
select them:

a. Add Business Intent Overlays to this Site:

 RealTime: Selected

 Critical Apps: Selected

 BulkApps: Selected

 DefaultOverlay: Selected

b. Select Template Groups to be applied to this Site:

 Default Template Group: Selected

19. Click Apply on page 5. Orchestrator shows a list of operations on the Appliance
Wizard window. All of them should have a status of Success, and the overall status
should be Done. If one of the operations should fail, click Go Back, and then click
Apply again.

20. When all the operations show Success, click Close on the Appliance Wizard
window.

 After you approve each appliance and complete its Appliance Wizard, several alarms will
appear in the appliance tree including critical alarms about tunnels being down. You can
safely ignore such alarms. The automated process that establishes tunnels between
appliances takes about 5 - 10 minutes to finish. Note that additional tunnel alarms will
appear immediately after EdgeConnect HA is configured but will eventually clear.

Task 5: Approve ECV-3 from Orchestrator


Caution: ECV-3 might not be in the top row of the Discovered Appliances tab.
Verify this before you click Approve.

21. From Orchestrator’s Discovered Appliances tab, on the row for ECV-3, click the
green Approve button. The row will highlight when clicked as shown for ECV-3
below.

22. Click Skip on the Upgrade Appliance window.

Task 6: Complete the Appliance Wizard for ECV-3


23. Enter the following settings on page 1:

a. Group: Site 2 - Mumbai

b. Admin Password: Speak-123

c. Confirm Password: Speak-123

d. City: Mumbai

e. State: Delete the entry

f. Zip Code: Delete the entry

g. Country: India

h. Hub Site: Not Selected

24. Click Next on page 1.

25. Click the Deployment Profile drop down list, and then click Branch Office EdgeHA -
Internet/LTE. With this Deployment Profile, you only need to enter IP addresses.

26. Enter these settings on page 2:

a. lan0 (Data) interface: 10.110.20.102/24

b. lan0.131 (Voice) sub-interface: 10.110.23.102/24

c. wan0 (INET1) interface: 10.110.109.100/24

d. wan0 next-hop: 10.110.109.1

e. wan1 (LTE) interface: 10.110.110.100/24

f. wan1 next-hop: 10.110.110.1

27. Click Next on page 2.

28. Click Next on page 3. You won’t use loopback addresses during this course’s labs.

29. Verify these settings on page 4 (some may be preselected):

a. Use SD-WAN Fabric Learned Routes: Selected

b. Automatically advertise local LAN subnets: Selected

c. Automatically advertise local WAN subnets: Not selected

30. Click Next.

31. The following items on page 5 should be pre-selected. If they are not, click each box to
select them:

a. Add Business Intent Overlays to this site:

 RealTime: Selected

 Critical Apps: Selected

 BulkApps: Selected

 DefaultOverlay: Selected

b. Select Template Groups to be applied to this site:

 Default Template Group: Selected

32. Click Apply on page 5. Orchestrator shows a list of operations on the Appliance
Wizard window. All of them should have a status of Success, and the overall status
should be Done. If one of the operations should fail, click Go Back, and then click
Apply again.

33. When all the operations show Success, click Close on the Appliance Wizard
window.

Task 7: Approve ECV-4 from Orchestrator


34. From Orchestrator’s Discovered Appliances tab, on the row for ECV-4, click the
green Approve button.

35. Click Skip on the Upgrade Appliance window.

Task 8: Complete the Appliance Wizard for ECV-4


36. Enter the following settings on page 1:

a. *Group: Site 2 – Mumbai

 Yes, this group is incorrect! - you will change this later in the appliance tree.

b. Admin Password: Speak-123

c. Confirm Password: Speak-123

d. City: Santa Clara

e. State: California

f. Zip Code: Delete the entry

g. Country: US

h. Hub Site: Not Selected

37. Click Next on page 1.

38. Click the Deployment Profile drop down list, and then click Data Center HA. With this
Deployment Profile, you only need to enter IP addresses.

39. Enter these settings on page 2:

a. lan0 (Data) interface: 10.110.35.101/24

b. lan0.131 (Voice) sub-interface: 10.110.38.101/24

c. lan0.132 (GuestWiFi) sub-interface: 10.110.41.101/24

d. wan0 (MPLS1) interface: 10.110.115.101/24

e. wan0 next-hop: 10.110.115.1

f. wan1 (INET1) interface: 10.110.116.101/24

g. wan1 next-hop: 10.110.116.1

40. Click Next on page 2.

41. Click Next on page 3. You won’t use loopback addresses during this course’s labs.

42. Verify these settings on page 4 (some may be preselected):

a. Use SD-WAN Fabric Learned Routes: Selected

b. Automatically advertise local LAN subnets: Selected

c. Automatically advertise local WAN subnets: Not selected

43. Click Next on page 4.

44. The following items on page 5 should be pre-selected. If they are not, click each box to
select them:

a. Add Business Intent Overlays to this Site:

 RealTime: Selected

 Critical Apps: Selected

 BulkApps: Selected

 DefaultOverlay: Selected

b. Select Template Groups to be applied to this site:

 Default Template Group: Selected

45. Click Apply on page 5. Orchestrator shows a list of operations on the Appliance
Wizard window. All of them should have a status of Success, and the overall status
should be Done. If one of the operations should fail, click Go Back, and then click
Apply again.

46. When all the operations show Success, click Close on the Appliance Wizard
window.

Task 9: Configure mgmt0 on ECV-2, ECV-3, and ECV-4 with a Static IP Address

47. Wait until the appliance is no longer greyed out in the appliance tree.

48. From the Orchestrator’s appliance tree, right-click ECV-2, and then click Appliance
Manager. Orchestrator logs into the admin account of the appliance’s web interface.

49. Go to: Administration > Basic Settings > Hostname / IP

50. Click the DHCP check box for mgmt0, and then click the check box a second time to
remove the check mark.

51. Enter the IP address 192.168.1.5/24.

52. Click Apply. A status window with Applying Hostname/IP changes appears. The update may
take a couple minutes to complete.

53. Click Save Changes in the upper-right area. You might have to wait
for several seconds for this button to appear.

54. Close the Google Chrome tab for ECV-2.

55. Repeat steps 47-54 for ECV-3 and ECV-4.

a. ECV-3: 192.168.1.6/24

b. ECV-4: 192.168.1.7/24

Task 10: Move ECV-4 into the Site 3 – Santa Clara Group

 ECV-4 was configured in the Site 2 – Mumbai group in the appliance tree. It should be at
Site 3 – Santa Clara. You will see how simple it is to change the group for an appliance,
and that it has no effect on the tunnels built on the appliance.

56. Right-click on ECV-4 in the appliance tree.

57. Click on Change Group in the menu.

58. Choose Site 3 – Santa Clara from the To Group drop-down list.

59. Click OK.

 It may take a minute or two for the appliance tree to reflect the change and display
ECV-4 under Site 3 – Santa Clara.

Task 11: Use the Link Integrity Test between ECV-1 and ECV-2
Now that the SD-WAN network is built, you will test the performance on the MPLS
underlay tunnels between ECV-1 and ECV-2.

Caution: The Link Integrity Test is service impacting. Only use this tool during a
scheduled maintenance window.

60. From Orchestrator’s appliance tree, press and hold the control key and click to
select only ECV-1 and ECV-2.

61. Open the Link Integrity Test. (Administration > Tools > Link Integrity Test)

62. Configure these settings for the Link Integrity Test:

a. Bandwidth : 2000

b. Bandwidth : 2000

c. Duration: 10

d. DSCP: any

e. Tunnel (ECV-1): to_ECV-2_MPLS1-MPLS1

f. Tunnel (ECV-2): to_ECV-1_MPLS1-MPLS1

 This uses the MPLS underlay tunnels between ECV-1 and ECV-2.

g. Test Program: iperf

63. Click Start. Iperf runs for 10 seconds in each direction.

64. When the test is done, Orchestrator shows the results:

a. The test runs first in one direction, and then in the other direction.

b. The client side shows what the EdgeConnect sends.

c. The server side shows what the EdgeConnect receives.

d. Each row is one second and shows the amount of data transferred, the
bandwidth, the jitter, and the amount of packet loss.

Learning Check
Answer the following questions:

1) Why did you use Deployment Profiles during this lab?
To speed up the Appliance Wizard process after approving an appliance. In the absence of
these profiles, each configuration parameter in the deployment screen would have to be filled
out manually – instead of entering only IP addresses.

2) What happens after you add a second appliance to the SD-WAN?
The Overlay Manager synchronizes the appliances and begins to build tunnels between them.

3) From where did you run the Link Integrity Test?
The appliances at each end are selected in the Orchestrator.

4) What information does the Link Integrity Test provide?
Amount of data transferred, bandwidth, jitter, and packet loss.

Lab 10: Configure EdgeConnect HA


Overview
In this lab you will configure EdgeConnect High Availability (i.e. EdgeHA) on the appliances
at Site 2. EdgeHA provides redundancy by allowing the two appliances to share each other’s
WAN connections. The EdgeHA architecture means the appliances are running
active/passive. Whichever appliance is the active forwarder for users on the LAN can forward
WAN flows through its directly connected WAN interface(s) and the other appliance’s WAN
interface(s) via an EdgeHA link between the appliances.
This HA connection uses a data path interface—LAN or WAN, not a management interface,
on each of the appliances to establish the connection between them. The appliances route
traffic over this connection.
Estimated time = 45 minutes

Objectives

 Configure an EdgeHA connection between ECV-2 and ECV-3.

 Observe the connections made between the devices and the tunnels built across the
connection.

Instructions
Task 1: Enable EdgeConnect HA on ECV-2 and ECV-3

 In this task, you will peer the two appliances by editing the deployments for ECV-2 and
ECV-3 to enable EdgeHA mode, select the EdgeConnect HA interfaces and recalculate
the Total WAN bandwidth and Boost bandwidth.

 EdgeHA can only be enabled from the Orchestrator, not from the appliances.

1. Right-click ECV-2.

2. Select Deployment

3. Check the box for EdgeHA.

4. Close the Edge HA Help pop-up.

5. Select ECV-3 as the HA Peer.

6. The wan0 and wan1 interfaces are already in use on ECV-3. Make sure to select wan2 as
ECV-3’s HA Link.

[Screenshot callouts: wan1, wan2]

7. Click the ∑ Calc link.

 This updates the Total Outbound and Total Inbound at the bottom of the page to 6,000
kbps. Each appliance needs to be able to handle the total throughput for the outbound
interfaces on both machines since they both have access to all 3 WAN interfaces.

8. On ECV-2 near the top of the deployment screen, configure the Boost bandwidth to
6,000 kbps.

9. On ECV-3 in the lower half of the deployment screen, configure the Boost bandwidth to
6,000 kbps.

10. Click Save on the Deployment screen to begin orchestration of the EdgeHA connection.

 Notice that in the appliance tree:

• ECV-2 and ECV-3 show an HA link
• Red critical alarms may appear until Orchestration completes.

 Although you have applied sufficient Boost licensing to cover all WAN interfaces in the
lab, LTE is strictly backup, and it wouldn’t be used unless the other interfaces were down.
So, you probably wouldn’t license the LTE bandwidth for Boost in a production environment
because backup and primary interfaces are not active at the same time.

Task 2: Configure VRRP for ECV-2


11. From Orchestrator’s appliance tree, select only the
Site 2 - Mumbai group.

12. Open the VRRP tab. (Configuration > Networking > VRRP)

13. From the VRRP tab, click the edit icon next to ECV-2.

14. From the VRRP - ECV-2 window, click Add VRRP.

15. Configure these VRRP settings for ECV-2:

a. Group ID: 1

b. Interface: lan0

c. Virtual IP: 10.110.20.100

d. Priority Config: 254

e. Preemption: Selected

16. Click Save.

Task 3: Configure VRRP on ECV-3


17. From the VRRP tab, click the edit icon next to ECV-3.

18. From the VRRP - ECV-3 window, click Add VRRP.

19. Configure these VRRP settings for ECV-3.

a. Group ID: 1

b. Interface: lan0

c. Virtual IP: 10.110.20.100

d. Priority Config: 128

e. Preemption: Selected

20. Click Save.

21. Close the VRRP tab.
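
The addresses entered on page 2 of the Appliance Wizard in Lab 9, the static mgmt0 addresses, and the VRRP settings from Tasks 2 and 3 above can be checked for consistency before they are typed in. The Python below is an added example, not part of the lab guide or of Orchestrator: the PLAN and VRRP layouts and the function names are assumptions made for illustration, and the failing plan is constructed.

```python
import copy
import ipaddress
from collections import defaultdict

# Lab values, keyed appliance -> interface -> (address/prefix, next hop or None).
PLAN = {
    "ECV-2": {
        "mgmt0": ("192.168.1.5/24", None),
        "lan0": ("10.110.20.101/24", None),
        "lan0.131": ("10.110.23.101/24", None),
        "wan0": ("10.110.108.100/24", "10.110.108.1"),
    },
    "ECV-3": {
        "mgmt0": ("192.168.1.6/24", None),
        "lan0": ("10.110.20.102/24", None),
        "lan0.131": ("10.110.23.102/24", None),
        "wan0": ("10.110.109.100/24", "10.110.109.1"),
        "wan1": ("10.110.110.100/24", "10.110.110.1"),
    },
    "ECV-4": {
        "mgmt0": ("192.168.1.7/24", None),
        "lan0": ("10.110.35.101/24", None),
        "lan0.131": ("10.110.38.101/24", None),
        "lan0.132": ("10.110.41.101/24", None),
        "wan0": ("10.110.115.101/24", "10.110.115.1"),
        "wan1": ("10.110.116.101/24", "10.110.116.1"),
    },
}
# VRRP entries: (appliance, interface, group ID, virtual IP, priority).
VRRP = [
    ("ECV-2", "lan0", 1, "10.110.20.100", 254),
    ("ECV-3", "lan0", 1, "10.110.20.100", 128),
]


def check_plan(plan):
    """Find unusable host addresses, off-subnet next hops and duplicate IPs."""
    findings = []
    owners = defaultdict(list)
    for appliance, interfaces in plan.items():
        for name, (cidr, next_hop) in interfaces.items():
            iface = ipaddress.ip_interface(cidr)
            net = iface.network
            owners[iface.ip].append(f"{appliance}/{name}")
            if iface.ip in (net.network_address, net.broadcast_address):
                findings.append(f"{appliance}/{name}: {cidr} is not a usable host address")
            if next_hop is not None:
                hop = ipaddress.ip_address(next_hop)
                if hop not in net:
                    findings.append(f"{appliance}/{name}: next hop {hop} is outside {net}")
                elif hop == iface.ip:
                    findings.append(f"{appliance}/{name}: next hop equals the interface IP")
    for ip, where in sorted(owners.items()):
        if len(where) > 1:
            findings.append(f"{ip} is assigned more than once: {', '.join(where)}")
    return findings


def check_vrrp(plan, vrrp):
    """Check each virtual IP is on the member's subnet and the group is coherent."""
    findings = []
    groups = defaultdict(list)
    for appliance, ifname, group, vip, priority in vrrp:
        vip = ipaddress.ip_address(vip)
        net = ipaddress.ip_interface(plan[appliance][ifname][0]).network
        if vip not in net:
            findings.append(f"{appliance}/{ifname}: virtual IP {vip} is outside {net}")
        groups[group].append((vip, priority))
    for group, members in groups.items():
        if len({vip for vip, _ in members}) > 1:
            findings.append(f"group {group}: members disagree on the virtual IP")
        priorities = [priority for _, priority in members]
        if len(set(priorities)) != len(priorities):
            findings.append(f"group {group}: two members share a priority")
    return findings


def vrrp_master(vrrp, group):
    """With preemption selected, the highest priority in the group becomes Master."""
    return max((prio, appliance) for appliance, _, g, _, prio in vrrp if g == group)[1]


def constructed_bad_plan():
    """Constructed mistakes: a duplicated LAN address and a wrong-subnet next hop."""
    bad = copy.deepcopy(PLAN)
    bad["ECV-3"]["lan0"] = ("10.110.20.101/24", None)
    bad["ECV-3"]["wan0"] = ("10.110.109.100/24", "10.110.108.1")
    return bad


if __name__ == "__main__":
    for plan in (PLAN, constructed_bad_plan()):
        print(check_plan(plan) + check_vrrp(plan, VRRP) or "plan OK")
    print("expected VRRP Master for group 1:", vrrp_master(VRRP, 1))
```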

Task 4: Observe the Status of ECV-2 and ECV-3


22. In Orchestrator’s appliance tree, click Site 2 – Mumbai to select only ECV-2 and ECV-3.

23. In Orchestrator, open the Deployment tab. (Configuration > Networking > Deployment)

24. In the top-left, click the Details button for ECV-2, and then ECV-3. Click refresh if
needed. It may take a minute or two for the VLANs to display.

25. Click the header of the HA Interface column twice to sort the interfaces by HA status.
You might need to scroll the browser window to the far right to see this column.

 The Interface column shows that VLAN interfaces have been automatically configured for
ECV-2 and ECV-3. VLANs 100, 101, and 102 are in use (e.g. wan1.102 on ECV-2). One VLAN is
in use for each WAN interface.

 IP addresses have automatically been configured with 169.254.1.x/30 subnets.

 Both ECV-2 and ECV-3 show interfaces with MPLS, LTE and Internet labels, one
appliance making use of the physical wan0 and wan1 connections, and the other making
use of the HA connections. The HA interfaces have automatically assigned VLANs – e.g.
wan1.100 or wan2.102. These interfaces are assigned addresses in 169.254.1.X/30
ranges by default.

 Remember that only ECV-2 has a physical connection to the MPLS network, even though
ECV-3 shows MPLS1 on the wan2.102 interface. This is because a logical connection has
been created across the HA link so ECV-3 can access MPLS through ECV-2. Similar
connections have been made so ECV-2 can access INET1 and LTE on ECV-3.

Based on the information in the Deployment and Tunnels tabs, which interface on ECV-2
is used to access LTE? _________ INET1? _________

26. On the Orchestrator, open the Interfaces tab (Configuration > Networking > Interfaces).

27. Click Dynamic.

28. Open the Interfaces tab (Configuration > Networking > Interfaces).

 The VLAN interfaces dynamically created by the Overlay Manager process show up here
also.

Task 5: Observe Tunnel Formation


29. From Orchestrator, open the Tunnels tab. (Configuration > Networking > Tunnels > Tunnels)

30. Click on Underlay.

31. Sort on Local IP:Port by clicking the column heading twice to bring the highest
numbered IP addresses to the top.

• You can click on the column header Local IP:Port to sort by IP address – click it twice so
the 169.254.1.X interfaces are at the top of the list. Here, the tunnels with 169.254.1.x IP
addresses are displayed at the top. These are tunnels built across the HA interfaces to
machines across the network, but they are reachable via the other HA appliance’s WAN
interfaces and are terminated on the local HA interface IP address.

• Also note the Remote IP:Port column. This shows where the remote ends of the tunnels
are being terminated. Examine your topology diagram. You will see these are WAN
interface IP addresses on other appliances.

32. Click Passthrough in the top right of the Tunnels tab.

33. Again, sort on Local IP by clicking twice on the Local IP column heading to bring the
HA tunnels to the top.

• Note that there are passthrough tunnels built for all the overlays terminating on the HA
interface addresses. There is one passthrough tunnel for each overlay to each WAN
interface on each of the machines in the HA pair.


• If you are doing local internet breakout for traffic going over the HA interface to reach a
WAN interface on a neighboring HA device, it may use one of these passthrough tunnels.
We’ll be doing local internet breakout in a later lab.

• Notice that there is no remote IP. This is because a passthrough “tunnel” is not really a
tunnel. The feature uses the same mechanisms as the tunnels, which is why it is referred
to as a tunnel. Keep in mind that traffic transiting a passthrough tunnel is directed to
the next-hop router on the local interface where the passthrough tunnel connects to the
WAN or LAN.

34. Close all tabs except the Dashboard tab.

Task 6: Reconfigure Subnet Sharing Metric so VRRP Master is the Preferred Route from the WAN

• For inbound traffic to Site 2, you want the VRRP Master (ECV-2) to advertise the best
metric for the LAN subnet – 10.110.20.0/24. You will accomplish this by reconfiguring the
Subnet Sharing metric on ECV-3 from 50 to 60. ECV-2 will remain at the default of 50
and therefore be the preferred route to the advertised LAN subnet.

35. Highlight ECV-3 in the appliance tree.

36. Open the Routes Configuration tab on the Orchestrator. (Configuration > Networking >
Routing > Routes)

37. Click on the edit icon in the first column of the routes table for ECV-3.

38. The Metric for automatically added routes is currently set to 50. Change the metric to 60
and click Save.

39. Highlight ECV-1 in the appliance tree.

40. Find the routes to the 10.110.20.0/24 network in the Routes table. The route learned
from ECV-2 has a metric of 50 while the route learned from ECV-3 has a metric of 60.


• ECV-2 and ECV-3 are both connected to the 10.110.20.0/24 subnet and are both sharing
this prefix with other appliances using subnet sharing. Now that ECV-3 has been
reconfigured with a higher metric, other appliances learning the 10.110.20.0/24 prefix will
prefer the path through ECV-2 because it has a lower metric of 50.

• In the event of a VRRP failover, the advertised metric can be changed so that other
appliances prefer the route to the new VRRP master. This can be accomplished by
configuring an IP SLA to monitor the VRRP status of the appliances. IP SLAs can be
used to monitor a variety of inputs which can trigger various types of reactions such as
changing routing metrics, lowering VRRP priority, raising an alarm, and many more. For
more information, the configuration of the different types of IP SLAs is covered in the
Advanced SD-WAN Deployments (ASD) course.

Task 7: Reconfigure Default Gateway on TG-2011 to VRRP VIP

• Now that there are two gateways at Site 2, you will need to change the default gateway on
TG-2011 to the VRRP Virtual IP address. TG-2011 will always forward traffic to the same
IP address regardless of which appliance is the VRRP master.

41. From the Landing Desktop, click on the Remote Desktop icon on the Task Bar to open
the Remote Desktop Connection window.

42. Alternatively, from the Landing Desktop, click on Start and then click on Remote
Desktop under Participant Applications.

43. Choose TG-2011 from the Computer drop-down in the Remote Desktop window.

44. Click Connect.


45. Click Yes on the Remote Desktop warning that appears.

46. Close or cancel any windows that appear on TG-2011’s desktop.

47. From TG-2011, open the Control Panel. (Start > Control Panel)

Caution: Be sure you click the Start button of TG-2011, not the Landing Desktop.

48. Click on Network and Sharing Center.

49. Click the Data Path connection in the View your Active Networks section.


50. Click on Properties in the Data Path Status window.

51. Click and highlight Internet Protocol Version 4 (TCP/IPv4) on the Data Path Properties
window under This connection uses the following items.

52. Click Properties.

53. The default gateway currently points to ECV-2’s lan0 interface (10.110.20.101).

54. Change the Default Gateway address to 10.110.20.100 (i.e. VRRP VIP).

55. Click OK on the Internet Protocol Version 4 (TCP/IPv4) Properties window.

56. Click Close on the Data Path Properties window.

57. Click Close on the Data Path Status window.

58. Close the Control Panel window.


Task 8: Test VRRP Failover on ECV-2 and ECV-3

• To test VRRP failover, you will traceroute the path from TG-2011 to TG-1011 and
examine the path that it takes, noting that the first hop is ECV-2. Then you will “admin
down” lan0 on ECV-2 and run the traceroute again. This time you will notice that it takes
a different path with ECV-3 as the first hop instead of ECV-2.

59. From TG-2011’s desktop, open the Command Prompt, and then enter the command
tracert 10.110.10.11.

60. The first hop in the path is ECV-2’s lan0 interface (10.110.20.101).

61. Right-click ECV-2 in the Orchestrator’s appliance tree, and then click Appliance
Manager.

62. From ECV-2’s interface, go to Configuration > SYSTEM & NETWORKING > Interfaces.

63. Under Hardware, click the Admin field of lan0.

64. Click down in the drop-down list.

65. Click Apply.

66. Click Save Changes in the upper right.


• Click the refresh button in order to see the change.

67. Both lan0 and lan0.131 change to the down state.

68. From the Orchestrator, go to the VRRP tab and verify that ECV-3 is the master. It may
take a minute or so before it fails over the master role.

69. From the Command Prompt on TG-2011, press the up arrow on the keyboard to bring the
traceroute command back up. Then press Enter to perform the traceroute to TG-1011
again. This time the first hop is the lan0 interface of ECV-3 (10.110.20.102).

70. Return to ECV-2 and “admin up” lan0. Under Hardware, click the admin drop-down for
lan0 and click on up.

71. Click Apply.

72. Click Save Changes.

73. Go back to the VRRP tab and verify when ECV-2 takes back over the master role.

74. After ECV-2 shows it is the VRRP master, go to TG-2011’s command prompt and
press the up arrow on the keyboard to perform the traceroute to TG-1011
(10.110.10.11) again.


• Because ECV-2 is back up, has a higher VRRP priority, and has Preemption enabled, it
will switch back to the VRRP master state. The traceroute shows the first hop revert back
to ECV-2’s lan0 interface (10.110.20.101).

Learning Check
Answer the following questions:

1) From where do you configure EdgeHA peers?


Right-click on the appliance in the Orchestrator’s appliance tree and choose Deployment.

2) What is one protocol that may be used to allow hosts on a LAN to have more than one
gateway to the WAN?
VRRP is used on connections to a layer 2 switched LAN. Routing protocols such as BGP and OSPF can also work if connecting to a layer 3 device
on the LAN.

3) How does VRRP determine which appliance is the VRRP master?


The device with the highest VRRP priority will become the master. All others are backups.

4) Why did you change the default gateway of TG-2011 after configuring VRRP?
The original default gateway pointed directly to ECV-4’s lan0. After reconfiguring, it is now pointing to the VRRP VIP – so it doesn’t matter which
appliance is forwarding, either one can answer for traffic sent to the VIP – depending on which is the VRRP master.


Lab 11: Deploy an Appliance Using Zero Touch Configuration

Overview
Preconfiguration allows you to quickly deploy an appliance by bypassing the 5-step appliance
wizard after approval. You can create an appliance preconfiguration YAML file for an
EdgeConnect in the Orchestrator. You use a physical appliance’s serial number or an
EdgeConnect’s appliance tag to specify which YAML file the Orchestrator applies to an
EdgeConnect after it is approved. When the Cloud Portal reports a new EdgeConnect to
Orchestrator, you can approve the appliance manually or enable it so that it is automatically
approved after being discovered. In this lab, you will manually approve ECV-5, and then
apply the appliance preconfiguration YAML file which configures it.
Estimated time = 45 minutes

Objective

• Create an appliance preconfiguration YAML file.

• Complete the Initial Config Wizard for ECV-5.

• Apply an appliance preconfiguration file to an EC-V to automate its configuration.

Instructions
Task 1: Create a Preconfiguration File for ECV-5
1. From Orchestrator, open the Preconfigure Appliances tab. (Configuration > Overlays &
Security > Discovery > Preconfiguration)

2. Click New on the Preconfigure Appliances tab.


3. Enter ECV-5_Config as the YAML file’s name.

4. Enter ECV-5_tag in the Appliance Tag field.

5. Click in the default YAML configuration text field on the right side, press <ctrl>+a to
select all of the text, and then press delete.

6. From the Landing Desktop, open the DST Lab Files desktop shortcut.

7. Open the ECV-5_YAML.txt file.

8. Click in the YAML file, and press <ctrl>+a to select all the text.

9. Press <ctrl>+c to copy the text, and then paste it into the empty text field of the new
YAML file on the Appliance Preconfiguration window.

10. Click Validate. The message Preconfiguration is valid should appear. If not, use the
message to determine the location of the error. Correct the error, and then repeat this
step.


11. Click Save. The file appears in the Preconfigure Appliances list with a status of
Pending Discovery.

12. Close the Preconfigure Appliances tab.

Task 2: Record the MAC Addresses of ECV-5’s Network Adapters


From the Virtual machines tab in the VMware ESXi, click the name of ECV-5 in the list of
virtual machines.

13. In the Hardware Configuration section, click the disclosure triangle next to each of the
four network adapters to show their settings.

14. Review each network adapter’s settings, and then record the last two digits of each
MAC address in the following table.

ECV-5 Information

Network Adapter   MAC Address (Record the last 2 digits)   Port Group           ECV-5 Interface
1                 ____                                     SW 01 - Management   mgmt0
2                 ____                                     SW13                 lan0
3                 ____                                     SW 15                wan0
4                 ____                                     SW 16                wan1


Task 3: Record the DHCP-assigned IP Address of mgmt0 for ECV-5

• ECV-5 is already installed, but not completely configured. The next few steps show one
method for determining the mgmt0 IP address of an EC-V.

15. In VMware ESXi, open a console for ECV-5 in a new tab. (Console > Open console in
new tab)

16. If the IP address is not present at the top of the console window, notify your instructor.

17. Record the DHCP IP address of ECV-5’s mgmt0 interface: __________________

• If your cursor becomes stuck in the VMware ESXi console window, press CTRL+ALT on
your keyboard to release the cursor. If you’re using a Mac computer, press
CTRL+Option.

18. Close the ECV-5 console tab.

Task 4: Complete the Initial Configuration Wizard for ECV-5


19. Open a new tab in Google Chrome on the Landing Desktop.

20. Access the Appliance Manager for ECV-5 from the shortcut in the EdgeConnect (DHCP)
bookmarks folder in the web browser.

21. Click through any Google Chrome security warnings that might appear.

22. Log in to ECV-5 with these credentials:

a. User Name: admin

b. Password: admin


23. Click Login to open the Initial Config Wizard. If the Initial Config Wizard doesn’t
automatically appear after you log in, click Configuration > System & Networking >
Initial Config Wizard to open it.

24. Enter ECV-5 in the Appliance Hostname field.

25. Assign the correct MAC address to each interface based on the ECV-5 Information
table you noted during task 2 and deselect Orchestrator SSL Cert Check.

26. Copy the account name and account key from the Orchestrator Cloud Portal tab
(Orchestrator > Orchestrator Server > Licensing > Cloud Portal) and then paste them
into the related registration fields.

Caution: The appliance tag in the Initial Config Wizard must match the name used in the
preconfiguration file. The string “ECV-5_tag” is case sensitive.

27. Enter ECV-5_tag in the Appliance Tag field.


28. Click Save on the Configuration Wizard window.

29. Click Yes, reboot now on the Confirm window.

30. Close the ECV-5 tab. You don’t need to wait for
the EdgeConnect to reboot.

Task 5: Open Orchestrator’s Discovered Appliances tab


31. From Orchestrator, in the top-right corner, click the
Appliances Discovered button to open the Discovered
Appliances tab.

32. Click Refresh Discovery Information. It’s not an issue if the IP address field doesn’t
show an entry.

Caution: If any EdgeConnect continues to show Unreachable in the Reachability column
after 10 minutes, then reboot the appliance using the instructions in Lab 6, Task 2.

Task 6: Approve ECV-5 from Orchestrator


33. From Orchestrator’s Discovered Appliances tab, on the row for
ECV-5, click Approve.

34. Click Skip on the Upgrade Appliance pop-up window.

Task 7: Apply the Appliance Preconfiguration for ECV-5


35. The Apply Appliance Preconfiguration window appears. The ECV-5_tag Appliance
Tag caused the Orchestrator to show the ECV-5_Config file. The Preconfiguration
and Discovered appliance tags are both ECV-5_tag.

• Note that if you forget to configure the appliance tag in the Initial Config Wizard on the
appliance, you will still be prompted with the Apply Preconfiguration window. Simply
choose ECV-5_Config from the name drop-down and then apply the preconfiguration.


36. Before you apply the preconfiguration file, scroll through these lines of YAML code and
answer these questions:

a. What is on lines 61 to 75?


Appliance Info that includes the hostname, group, and address.

b. What is on lines 84 to 86?


The Default Template Group.

c. What is on lines 93 to 98?


A list of the Business Intent Overlays.

d. What is on lines 298 to 341?


Deployment information: Deployment mode, bandwidth, and interface settings.

e. What is on lines 394 and 395?


SD-WAN licensing information and the amount of Boost.

f. What is on lines 446 to 450?


Subnet sharing settings.

37. Click Apply Preconfiguration. The Appliance Preconfiguration Apply Status window
appears.

38. Verify that each item lists Success, and that the Status is Success. If any issues occur,
notify your instructor.

• It takes about 5 minutes for Orchestrator to apply the preconfiguration to ECV-5. This
process includes a reboot of ECV-5.

39. Click Close on the Appliance Preconfiguration Apply Status window.

40. Close the Discovered Appliances tab.


Task 8: Configure ECV-5’s mgmt0 with a Static IP Address

• You need to wait for several minutes while Orchestrator synchronizes with ECV-5. When
ECV-5 has a solid icon and text in Orchestrator’s tree view, the synchronization is done.

41. From Orchestrator’s Appliance Tree, right-click ECV-5, and then click Appliance
Manager. Orchestrator logs in the admin account to the web interface of the ECV-5
appliance.

42. Open the Hostname/IP window. (Administration > Basic Settings > Hostname / IP)

43. Click the DHCP check box for mgmt0, and then click the check box a second time to
remove the check mark.

44. Enter the IP address 192.168.1.8/24.

45. Click Apply. A status window with Applying Hostname/IP changes appears. If this
continues for more than 1 minute, refresh the Google Chrome window from the
Landing Desktop.

46. Click Save Changes in the upper-right area.

• After several minutes, the Orchestrator’s appliance tree shows the updated static
management IP address for each EdgeConnect.

47. Once Orchestrator’s tree view shows all the static management IP addresses listed in
the DST Lab Topology diagram, you can click Generate New Key Now when an account
key notification appears in Orchestrator. Alternatively, you can go to Orchestrator >
Orchestrator Server > Licensing > Cloud Portal and click the Generate New Key button.

• Any additional appliances that are deployed will use the new key.

48. Close the Google Chrome tab for ECV-5.


Task 9: Verify ECV-5’s WebSocket Connectivity to the Orchestrator

• Before the Orchestrator and an appliance can fully communicate, they must have a
WebSocket connection. In addition, the appliance and the Orchestrator will also have
WebSocket connections with the Cloud Portal. In the event that the WebSocket directly
from the appliance to the Orchestrator goes down, communication can fail over, with the
Cloud Portal proxying the WebSocket connection between the two. You can test both
WebSocket connections on the appliance from the Orchestrator’s appliance tree.

49. Right-click on ECV-5 in the appliance tree and click on Connectivity from the menu.
WebSocket tests will be run and the results will be displayed in the Appliance
Connectivity window.

50. Click Close on the Appliance Connectivity window.

• The top entry indicates the status of the WebSocket connection that traverses the
Cloud Portal.

• The bottom entry shows the WebSocket connection directly between the appliance
and the Orchestrator.

• You may also run an on-demand test from the Appliance Connectivity window.

Task 10: Verify WebSocket Connectivity for All Appliances


51. In the Appliance Tree, click on 5 Appliances to highlight all appliances.

52. From the Orchestrator, go to Administration > Tools > Monitoring > Reachability
Status.


• This table includes the status of both WebSockets and indicates which one is active for
each appliance highlighted in the appliance tree.

• The Fast WebSocket Failover mode was reconfigured to Aggressive for the above
screenshot. This sets the Ping Interval to 10 seconds and Max Idle Time to 60 seconds.

Task 11: Enable Fast WebSocket Failover

• The Cloud Portal has connections to both the Orchestrator and the appliances. Each
appliance also has a WebSocket connection directly to the Orchestrator. In the event that
there is a failure on the direct WebSocket to the Orchestrator, the connection can be
proxied through the Cloud Portal to restore the WebSocket connection between the
appliance and the Orchestrator. In version 9.2 and earlier, legacy failover takes
approximately 10 minutes. The connection can now fail over in 30 seconds when
Aggressive Mode is enabled.

53. On the Reachability tab, click on the Change WebSocket Failover Mode button.


54. On the Fast WebSocket Failover Mode screen, click on the radio button for Aggressive
mode.

55. Click Save.

56. If it is still open, close the Fast WebSocket Failover Mode window using the “X” in the
top right corner.

The default mode is Normal and is automatically applied to the Orchestrator after an
upgrade. Normal is designed for a 60-second failover with a ping interval of 20 seconds.

• When should you enable Fast WebSocket Failover? Anytime you want your
appliances to recover from a direct WebSocket failure to the Orchestrator in 30
seconds.

• What is a scenario where you may not want to enable Fast WebSocket Failover? If
you have sites that are connected to the WAN using only LTE connections, the
increased bandwidth usage due to a reduced ping interval can affect performance at
these sites. Also, because LTE is a metered service, an increase in bandwidth usage
means a small increase in cost.


Learning Check
Answer the following questions:

1) What is the purpose of the appliance tag?


The appliance tag is the identifier that matches an appliance preconfiguration YAML file to a specific EC-V appliance.

2) Why is it important to validate an appliance preconfiguration file?


This ensures the file does not contain syntax or logic errors.

3) Is it possible to opt out of using preconfiguration after an appliance has been approved?
Yes, from the Appliance Preconfiguration window there is a link in the lower left corner: Run the manual Appliance Wizard.

4) What is the failover / redirection time when the Fast WebSocket Failover Mode is set to
legacy?
Legacy (pre-9.4) = 10 minutes; Slow = 90 seconds; Normal = 60 seconds; Aggressive = 30 seconds.

5) T/F – you cannot manage an appliance if its direct WebSocket connection fails?
False – The appliance is able to communicate with the Orchestrator through its Cloud Portal WebSocket connection.


Lab 12: Configure Traditional HA


Overview
Site 3 - Santa Clara is a data center with ECV-4 and ECV-5 in a Traditional HA reference
architecture configuration. Both appliances have MPLS and broadband internet WAN links. In
this lab, you will configure VRRP and other settings that enable Traditional HA and ensure
deterministic traffic flows that avoid asymmetry.
Estimated Time = 20 minutes

Objectives

• Configure the site name for EdgeConnect appliances.

• Configure VRRP on EdgeConnect appliances.

Instructions
Task 1: Configure the Same Site Name for ECV-4 and ECV-5

• When EdgeConnect appliances are at the same site, they build IPsec UDP underlays
between like labels unless you specify the same site name on each appliance.

1. From Orchestrator’s Appliance Tree, right-click ECV-4, and then click System
Information.

2. Click System Settings on the System Information - ECV-4 window.

3. Enter Site 3 - Santa Clara in the Site Name field.

4. Press the Enter key on your keyboard.

5. Click Save.

6. From Orchestrator’s Appliance Tree, right-click ECV-5, and then click System
Information.

7. Click System Settings on the System Information - ECV-5 window.


8. Enter Site 3 - Santa Clara in the Site Name field.

9. Press the Enter key on your keyboard.

10. Click Save and wait for orchestration to complete.

11. From Orchestrator’s Appliance Tree, click Site 3 - Santa Clara.

12. Open the Tunnels tab. (Configuration > Networking > Tunnels > Tunnels)

13. Click Underlay on the Tunnels tab, and then answer this question:

a. Do ECV-4 and ECV-5 have underlay tunnels between them?
No, because they have the same site name, they don’t have underlay tunnels between them.

14. Close the Tunnels tab.

Task 2: Configure VRRP for ECV-4


15. From Orchestrator’s Appliance Tree, select only the
Site 3 - Santa Clara group.

16. Open the VRRP tab. (Configuration > Networking > VRRP)

17. From the VRRP tab, click the edit icon next to ECV-4.

18. From the VRRP - ECV-4 window, click Add VRRP.

19. Configure these VRRP settings for ECV-4.

a. Group ID: 1

b. Interface: lan0

c. Virtual IP: 10.110.35.100

d. Priority Config: 254

e. Preemption: Selected

20. Click Save.


Task 3: Configure VRRP for ECV-5


21. From the VRRP tab, click the edit icon next to ECV-5.

22. From the VRRP - ECV-5 window, click Add VRRP.

23. Configure these VRRP settings for ECV-5:

a. Group ID: 1

b. Interface: lan0

c. Virtual IP: 10.110.35.100

d. Priority Config: 128

e. Preemption: Selected

24. Click Save.

25. Close the VRRP tab.

Task 4: Reconfigure Subnet Sharing Metric So the VRRP Master Has the Preferred Route from the WAN

• For inbound traffic to Site 3 - Santa Clara, you want the VRRP Master (ECV-4) to
advertise the best metric for the LAN subnet, 10.110.35.0/24. You will accomplish this by
reconfiguring the Subnet Sharing metric on ECV-5 to 60. ECV-4 will retain the default
of 50 and be the preferred route to the advertised LAN subnet.

26. Highlight ECV-5 in Orchestrator’s appliance tree.

27. Open the Routes tab. (Configuration > Networking > Routing > Routes)

28. Click the edit icon in the first column of the routes table for ECV-5.

29. The metric for automatically added routes is currently set to 50. Change the metric to 60
and click Save.


30. Highlight ECV-1 in Orchestrator’s appliance tree.

31. Use the Search field to find the routes to the 10.110.35.0/24 network in the Routes
table. The route learned from ECV-4 has a metric of 50, while the route learned from
ECV-5 has a metric of 60.

• ECV-4 and ECV-5 are both connected to the 10.110.35.0/24 subnet and share this prefix
with other appliances using subnet sharing. Now that ECV-5 has been reconfigured with
a higher metric, other appliances learning the 10.110.35.0/24 prefix will prefer the path
through ECV-4 because it has a lower metric of 50.

• In the event of a VRRP failover, you can change the advertised metric so that other
appliances prefer the route to the new VRRP master. This can be accomplished by
configuring an IP SLA to monitor the VRRP status of the appliances. IP SLAs can be
used to monitor a variety of inputs which can trigger various types of reactions such as
changing routing metrics, lowering VRRP priority, generating an alarm, and many more.
For more information, the configuration of the different types of IP SLAs is covered in the
Advanced SD-WAN Deployments (ASD) course.
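
The relationship between VRRP mastership and the subnet sharing metric, described here and in the matching task of the previous lab, can be seen in the following Python model. It is an added example, not Orchestrator code or an HPE API: the class and function names, the lowered priority of 100, the rule that a prefix is advertised only while lan0 is up, and the align_metrics stand-in for an IP SLA action are all assumptions of the model.

```python
"""Added example: simplified model of VRRP mastership vs. subnet sharing metric."""
from dataclasses import dataclass


@dataclass
class Appliance:
    name: str
    priority: int          # VRRP "Priority Config"
    preempt: bool          # VRRP "Preemption" checkbox
    metric: int            # subnet sharing metric for the LAN prefix
    lan_up: bool = True    # state of lan0


def elect_master(peers, current=None):
    """Return the name of the VRRP master, or None if no lan0 is up.

    The highest-priority live peer takes over only if it has preemption
    enabled; otherwise a live current master keeps the role.
    """
    live = [p for p in peers if p.lan_up]
    if not live:
        return None
    best = max(live, key=lambda p: p.priority)
    holder = next((p for p in live if p.name == current), None)
    if holder is not None and holder is not best and not best.preempt:
        return holder.name
    return best.name


def preferred_inbound(peers):
    """Name of the appliance that remote sites prefer for the LAN prefix.

    Model assumption: a peer advertises the prefix only while its lan0 is up,
    and the lowest metric wins.
    """
    advertisers = [p for p in peers if p.lan_up]
    if not advertisers:
        return None
    return min(advertisers, key=lambda p: (p.metric, p.name)).name


def is_symmetric(peers, master):
    """True when LAN-to-WAN (VRRP master) and WAN-to-LAN (metric) paths agree."""
    return master is not None and master == preferred_inbound(peers)


def align_metrics(peers, master, preferred=50, backup=60):
    """Hypothetical stand-in for an IP SLA action that changes routing metrics."""
    for p in peers:
        p.metric = preferred if p.name == master else backup


def lab12_pair():
    """The Site 3 pair with the values configured in this lab."""
    return [Appliance("ECV-4", 254, True, 50), Appliance("ECV-5", 128, True, 60)]


def priority_drop_scenario():
    """ECV-4 loses mastership while its lan0 stays up (its priority is lowered)."""
    peers = lab12_pair()
    steps = []
    master = elect_master(peers)
    steps.append(("baseline", master, preferred_inbound(peers), is_symmetric(peers, master)))
    peers[0].priority = 100    # constructed value, lower than ECV-5's 128
    master = elect_master(peers, current=master)
    steps.append(("priority lowered", master, preferred_inbound(peers), is_symmetric(peers, master)))
    align_metrics(peers, master)
    steps.append(("metrics aligned", master, preferred_inbound(peers), is_symmetric(peers, master)))
    return steps


if __name__ == "__main__":
    for step in priority_drop_scenario():
        print(step)
```

In the middle step the VRRP master is ECV-5 while remote appliances still prefer ECV-4, which is the asymmetric flow that changing the advertised metric removes.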

Task 5: Reconfigure Default Gateway on TG-3511 to VRRP VIP

• Now that there are two gateways at Site 3, you will need to change the default gateway on
TG-3511 to the VRRP Virtual IP address. TG-3511 will always forward traffic to the
same IP address regardless of which appliance is the VRRP master.

32. From the Landing Desktop, click on the Remote Desktop icon on the Task Bar to open
the Remote Desktop Connection Window.

33. Alternatively, from the Landing Desktop, click on Start, and then click Remote Desktop
under Participant Applications.


34. Choose TG-3511 from the Computer drop-down in the Remote Desktop window and
click Connect.

35. Click Yes on the Remote Desktop warning box that pops up.

36. Close or cancel any windows that appear on TG-3511’s desktop.

37. From TG-3511, open the Control Panel: click Start > Control Panel. You may have to
scroll down in the TG-3511 window in order to view the bottom of the desktop.

Caution: Be sure you click the Start button of TG-3511 and not the Landing
Desktop.

38. Click Network and Sharing Center.


39. Click on Data Path under View Your Active Networks.

40. Click on Properties in the Data Path Status window.

41. Click on and highlight Internet Protocol Version 4 (TCP/IPv4) on the Data Path
Properties window under This connection uses the following items.

42. Click Properties.

• Currently, the default gateway is pointing to ECV-4’s lan0 address.


43. Change the Default Gateway address to 10.110.35.100 (VRRP VIP).

44. Click OK on the Internet Protocol Version 4 (TCP/IPv4) Properties window.

45. Click Close on the Data Path Properties window.

46. Click Close on the Data Path Status window.

47. Close the Control Panel window.

Learning Check
Answer the following questions:

1) Why do you configure Traditional HA peers to use the same Site Name?
The Overlay Manager will not build SD-WAN tunnels between appliances that are at the same site.

2) When would you use VRRP in an EdgeConnect SD-WAN?


Reference architectures: Traditional HA, EdgeHA.

3) Why would you choose to use VRRP preemption?


Preemption ensures that an EdgeConnect is the master when it’s operational.


Lab 13: Modify Business Intent Overlays


Overview
Previously, you used the default settings for the four preconfigured Business Intent Overlays
(BIOs). During this lab, you modify the BIOs’ SD-WAN Traffic to Internal Subnets settings and
their Breakout Traffic to Internet & Cloud Services settings. You then use a CIFS session as
a test. In a production network, the BIOs will be configured to support the requirements for
the applications being used on the network.
Estimated time = 60 minutes

Objectives

• Distinguish between passthrough traffic, backhauling internet traffic via an overlay, and
local internet breakout.

• Configure a BIO’s Peer Unavailable Option to enable passthrough traffic.

• Configure necessary settings for backhauling internet traffic.

• Configure local internet breakout.

Instructions
Previously, you reviewed the default settings of the four preconfigured BIOs. As you recall,
the default settings use interfaces that the EdgeConnect appliances don’t have (INET2 &
MPLS2).

Task 1: Modify the RealTime BIO


1. From Orchestrator’s appliance tree, click 5 Appliances.

2. Open the Business Intent Overlays tab. (Configuration > Overlays & Security >
Business Intent Overlays)

3. Open the SD-WAN Traffic to Internal Subnets tab of the RealTime BIO.


• An overlay uses the SD-WAN Traffic to Internal Subnets settings to reach internal
destinations that match the subnets in the Internet Traffic Definition. SD-WAN traffic
includes breakout traffic backhauled to an EdgeConnect hub.

4. Remove unused interfaces by dragging and dropping these interfaces from the
Primary field to the Available Interfaces field:

a. INET2

b. MPLS2

• None of the EdgeConnects in this lab have these interfaces.

5. Click the Add Backup if Above Are drop-down list, and then click Not Meeting
Service Levels.

6. Enter these Service Level Objective values:

a. Loss: 2%

b. Latency: 100 ms

c. Jitter: 0 ms (Not configured)

7. Click the Peer Unavailable Option drop-down list, and then click Use MPLS1.

• In the event that an EdgeConnect doesn’t have a route via an overlay for a destination IP
address, it invokes the Peer Unavailable Option. MPLS is typically considered secure,
whereas sending unencrypted traffic over the Internet is not considered secure.
Therefore, by configuring the Peer Unavailable Option to Use MPLS1, each EC-V can
still reach TG-11411 (10.110.114.11).

8. Click the Breakout Traffic to Internet & Cloud Services tab.

9. Remove the unused primary interface identified below by dragging and dropping it
from the Primary field to the Available Interfaces field.

a. INET2


10. Enter these Performance Threshold values:

a. Loss: 2%

b. Latency: 100 ms

c. Jitter: 0 ms (not configured)

11. Click the box for Threshold-based Failover.

Note: ECV-1, ECV-3, ECV-4, and ECV-5 can now perform local internet breakout from their INET1 interfaces. If the performance of their INET1 interface exceeds performance threshold values for loss or latency, they switch from INET1 to LTE for local internet breakout. If no interfaces meet the performance thresholds, the appliances refer to the Preferred Policy Order.

Note: ECV-2 doesn’t have INET1 or LTE interfaces and can’t perform local internet breakout. So, it tries to use the Backhaul Via Overlay option in the Preferred Policy Order.

12. Click OK on the Overlay Configuration window.
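
The Threshold-based Failover behaviour described in the notes for step 11, modelled as an added Python example (it is not Orchestrator or ECOS code and not part of the lab guide). It generalises the notes into a walk of a policy order; the policy labels other than Backhaul Via Overlay, the "0 means unset" rule for loss and latency, the hub_reachable input and the sample measurements are assumptions of this example.

```python
from dataclasses import dataclass

# Policy names. BACKHAUL is the option the lab names; the other two are
# labels chosen for this example.
LOCAL = "Break Out Locally"
BACKHAUL = "Backhaul Via Overlay"
DROP = "Drop"


@dataclass(frozen=True)
class Metrics:
    loss_pct: float
    latency_ms: float
    jitter_ms: float


# Step 10 values: loss 2 %, latency 100 ms, jitter 0 ms (not configured).
LAB_THRESHOLDS = Metrics(loss_pct=2.0, latency_ms=100.0, jitter_ms=0.0)


def meets(measured, limit):
    """True when no configured threshold is exceeded.

    The lab marks a jitter of 0 as "not configured"; treating 0 as unset
    for every metric is an assumption of this example.
    """
    pairs = (
        (measured.loss_pct, limit.loss_pct),
        (measured.latency_ms, limit.latency_ms),
        (measured.jitter_ms, limit.jitter_ms),
    )
    return all(cap == 0 or value <= cap for value, cap in pairs)


def pick_local_interface(present, measured, primary, backup, limit):
    """First primary, then backup, interface that the appliance has and
    that is within thresholds; None if there is no such interface."""
    for name in (*primary, *backup):
        stats = measured.get(name)
        if name in present and stats is not None and meets(stats, limit):
            return name
    return None


def breakout_decision(present, measured, hub_reachable,
                      primary=("INET1",), backup=("LTE",),
                      limit=LAB_THRESHOLDS,
                      policy_order=(LOCAL, BACKHAUL, DROP)):
    """Walk the policy order; return (action, interface or None)."""
    for policy in policy_order:
        if policy == LOCAL:
            iface = pick_local_interface(present, measured,
                                         primary, backup, limit)
            if iface is not None:
                return (LOCAL, iface)
        elif policy == BACKHAUL and hub_reachable:
            return (BACKHAUL, None)
        elif policy == DROP:
            return (DROP, None)
    return (DROP, None)  # nothing usable: fail closed rather than guess


# Constructed sample measurements (not taken from the lab).
GOOD = Metrics(loss_pct=0.1, latency_ms=20.0, jitter_ms=3.0)
SLOW = Metrics(loss_pct=0.1, latency_ms=180.0, jitter_ms=3.0)   # latency > 100 ms
LOSSY = Metrics(loss_pct=5.0, latency_ms=40.0, jitter_ms=3.0)   # loss > 2 %


def demo():
    """Decisions for the situations the lab notes describe."""
    ecv4 = {"INET1", "LTE"}   # has INET1 and LTE, per the lab note
    ecv2 = {"MPLS1"}          # constructed; the lab only says no INET1 or LTE
    return {
        "ECV-4 healthy": breakout_decision(
            ecv4, {"INET1": GOOD, "LTE": GOOD}, True),
        "ECV-4 INET1 slow": breakout_decision(
            ecv4, {"INET1": SLOW, "LTE": GOOD}, True),
        "ECV-4 both degraded": breakout_decision(
            ecv4, {"INET1": LOSSY, "LTE": SLOW}, True),
        "ECV-2": breakout_decision(ecv2, {}, True),
        "ECV-2 hub down": breakout_decision(ecv2, {}, False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Comparing these decisions with the Tx Reason and WAN routing fields in Flow Details is a quick way to confirm that an appliance is taking the path the overlay intends.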

Task 2: Modify the CriticalApps BIO


13. Repeat steps 3-12 for the CriticalApps BIO.

 You will now add a rule to the Overlay ACL of the CriticalApps BIO. By default, CIFS
matches the DefaultOverlay.

14. Return to the SD-WAN Traffic to Internal Subnets configuration tab.

15. Click the Overlay ACL’s edit icon next to the match criteria field.

16. Click Add Rule on the Associate ACL window.


17. Click the edit icon next to the Match Everything rule.

18. Click the Application checkbox and type “cifs” in the application field.

19. Click on Cifs_smb in the Application drop-down.

Note – if you do not click on the application from the drop-down, even though it is typed into the application field correctly, the application will not be recognized. You must select the application from the drop-down.

20. Click Save on the Match Criteria window.

21. Click Save on the Associate ACL window.

22. Click the Boost drop-down list, and then click Enabled.

23. Click OK on the Overlay Configuration window.

Task 3: Modify the BulkApps BIO

 During this task, you will modify the BulkApps BIO, and change its topology to Hub &
Spoke.

24. Repeat steps 3-12 for the BulkApps BIO.

25. Click Mesh in the Topology field.

26. Click Hub & Spoke to change the topology.

27. From the SD-WAN Traffic to Internal Subnets tab, click the Boost drop-down list,
and then click Enabled.

28. Click OK on the Overlay Configuration window.


Task 4: Modify the DefaultOverlay BIO


29. Repeat steps 3-12 for the DefaultOverlay BIO.

30. Click the Boost drop-down list, and then click Enabled.

31. Click OK on the Overlay Configuration window.

32. Click Save and Apply Changes to Overlays on the Business Intent Overlays tab.

33. Click Save on the Confirm Changes window.

34. Click Orchestration ETA: <1m, 5 sites in the upper-right corner of Orchestrator’s interface. The time orchestration takes to complete can vary.

35. When the orchestration is done for every EdgeConnect, click Close.

 The Orchestrator pushed the BIO configuration changes to the EdgeConnect appliances.

36. Close the Business Intent Overlays tab.

Task 5: Configure ECV-1 as a Hub

 ECV-1 has MPLS, INET, and LTE WAN interfaces. If you add ECV-1 as a hub, it acts as a
hub for every overlay that Orchestrator applies to it. Therefore, ECV-2 can backhaul
internet traffic to ECV-1.

37. Click on the Hubs link from the BIOs configuration tab. You can also access it from the Orchestrator’s configuration menu (Configuration > Overlays & Security > Hubs).

38. Click in the Type to select field, and then click on ECV-1 in the drop-down menu.

39. Click Add Hub.

40. Click Confirm on the Add Hub pop-up window.


 The Overlay manager performs orchestration to push this configuration change to ECV-1
and synchronize with the other appliances.

41. If ECV-1 doesn’t appear automatically, click the refresh button on the Hubs tab to see the updated hubs table that shows ECV-1.

a. For which overlays is ECV-1 a hub?


It’s a hub for all four preconfigured BIOs: RealTime, CriticalApps, BulkApps, and DefaultOverlay.

42. Close the Hubs tab.

Task 6: View the Topology of the Overlay Tunnels


43. Open the Topology tab. (Monitoring > Summary > Topology)

44. Click the All Overlays drop-down list, review the topology map
for each overlay, and then answer these questions:

a. How does the BulkApps overlay’s topology differ from that of the other overlays?
BulkApps has a Hub & Spoke topology.

b. Which topology do the other overlays have?
Mesh topology.

45. Close the Topology tab.

Task 7: Ping from TG-3511 to UBU-1

 During this task, you test local internet breakout via ECV-4.

46. From the Landing Desktop, open a remote desktop window for TG-3511. (Start > Remote Desktop Connection > TG-3511 > Connect)

47. From Orchestrator’s tree view, click 5 Appliances to select all of the EdgeConnect
appliances.

48. Open the Flows tab. (Monitoring > Bandwidth > Flows > Active & Recent Flows)

49. From Orchestrator’s Flows tab, enter 11.1.1.11 in the IP/Subnet filter field.

50. Click Apply.


51. From TG-3511, open a Command Prompt window.

52. Enter ping 11.1.1.11 at the Command Prompt. The ping works.

53. From the Flows tab, click the refresh button.

54. Click the Flow Detail icon for the flow that is present.

55. Answer these questions:

a. Which overlay does the ping match?
DefaultOverlay

b. What is the Tx Reason?
primary. (The primary interface for local internet breakout is wan1 / INET1 / 10.110.116.101.)

c. What is the WAN routing?
Passthrough_INET1_DefaultOverlay (nexthop_10.110.116.1_wan1). (Breakout via INET1 to 10.110.116.1.)

Task 8: Open a CIFS Connection Between TG-2011 and UBU-1

Note: During this task, you will test backhauling CIFS breakout traffic via ECV-2.

Note: In the ReadyTech environment, UBU-1 (11.1.1.11) represents a system on the Internet.

56. From TG-2011, open the UBU-1 Files desktop shortcut.

57. From Orchestrator’s Flows tab, click the refresh button.

Note: There will now be a Cifs_smb flow using the Passthrough_INET1_CriticalApps tunnels inbound and outbound. Being a file transfer application, Cifs_smb would probably be placed in the BulkApps BIO, which lists several file sharing applications in its Overlay ACL. When configuring the CriticalApps Overlay, a rule permitting Cifs_smb in the Overlay ACL was created. That’s why this traffic is now using the CriticalApps BIO.


58. Click the Flow Detail icon to view additional information about either flow via ECV-2, and then answer these questions:

a. What is the flow direction?
Outbound.

b. What is the ingress interface?
Ingress interface = lan0.

c. Which BIO was matched?
CriticalApps

d. Which rule was matched in the BIO?
ACL Rule 1180 = the one created to permit port 445, Cifs_smb.

59. Close the Flow details window.

 ECV-2 is the VRRP master receiving the traffic from TG-2011. Because of the
EdgeConnect HA link to ECV-3, ECV-2 is able to forward the traffic as passthrough
across the EdgeHA link to ECV-3 and then out the INET1 interface on ECV-3.

Learning Check
Answer the following questions:

1) How does the topology change to Hub & Spoke for the BulkApps BIO affect its tunnels?
IPsec UDP underlay tunnels are established from ECV-2 and ECV-4 to the hub, ECV-1.

2) Why would the RealTime BIO have Boost disabled?
RealTime applications are UDP-based and would not benefit from TCP acceleration.

3) Cifs_smb is a file transfer protocol. Why did this traffic match the CriticalApps BIO?
A rule permitting (Cifs_smb) port 445 was added to the overlay ACL in the CriticalApps BIO.

4) Besides changing the topology type in the BIO, what else is required to create a Hub &
Spoke topology?
At least one appliance must be configured as the hub for this topology.


Lab 14: Monitor Flows


Overview
Monitoring flows from Orchestrator is essential to understanding how traffic flows through your SD-WAN. All of the details of each flow are located in the Flow Details. These include, but are not restricted to, the route map, the BIO, the configured transmit and receive actions, zone-based security rules, and segments. In this lab, you will open an FTP file sharing connection between TG-1011 at Site 1 - Singapore and TG-2011 at Site 2 - Mumbai. You will then view the flow and use built-in trend-charting functions and usage displays.
Estimated time = 20 minutes

Objectives

 Identify flows.

 Examine flow details.

 Identify which overlay and underlays a flow uses.

 Use monitoring features that show trend charts.

Instructions
Task 1: Open an FTP Session Between TG-1011 and TG-2011
1. From Orchestrator’s tree view, press and hold the control key to select ECV-1 and
ECV-2.

2. From the Flows tab, click Clear.

3. Enter 10.110.10.11 in the IP/Subnet field.

4. Verify that only Active is selected. If not, click Ended to deselect it so that only active flows appear.

5. Click Apply.


6. From the Landing Desktop, open a remote desktop window for TG-1011. (Start > Remote Desktop Connection > TG-1011 > Connect)

7. Open the FileZilla app on TG-1011.

8. From FileZilla’s QuickConnect drop-down, click on anonymous@TG-2011.

Note: You will see information scrolling in the top of the FTP window. Green font usually indicates the connection is establishing as expected. You should see “Directory listing successful” when connected.

Task 2: View the FTP Flows Between TG-1011 and TG-2011


9. From Orchestrator’s Flows tab, click the refresh button.

10. Highlight ECV-1 and ECV-2 in the appliance tree.

11. Click on the Flows tab to view ECV-1 and ECV-2 flows.

12. Click on Flow Details for the FTP flow via ECV-1, then ECV-2 and review the
output.

13. Answer these questions:

a. Which overlay did the FTP flows match?
BulkApps

b. What is the Flow Direction for each flow?
ECV-2 = Outbound. ECV-1 = Inbound

c. Which overlay tunnel does the outbound flow via ECV-1 use?
Outbound: to_ECV-2_BulkApps. Inbound: to_ECV-2_BulkApps.

d. Which overlay tunnel does the inbound flow via ECV-2 use?
Inbound: to_ECV-1_BulkApps. Outbound: to_ECV-1_BulkApps.

14. Close the Flows tab.


Task 3: View the Tunnels for the FTP Flows

15. Open the Tunnels tab. (Configuration > Networking > Tunnels > Tunnels)

16. Click Underlay on the Tunnels tab.

17. Enter BulkApps in the Search field at the right side of the Tunnels tab.

18. How many underlay tunnels does the BulkApps overlay use?
21 underlay tunnels (21/27 Rows).

19. If you want to find underlay tunnels with a down status on the Tunnels tab, how can
you identify them?
Status drop-down menu. Click the Status column to show down underlays at the top.

20. Close the Tunnels tab.

Task 4: View the FTP Session with Monitoring Features


21. From the FileZilla FTP window, click and drag the 5_Trading.mdb file in the Remote Site pane of the FileZilla window onto TG-1011’s desktop. This starts a file transfer with FTP traffic you can view in the Flows tab.


22. Highlight ECV-1 and ECV-2 in the appliance tree.

23. Open the Tunnel Bandwidth Trends tab. (Monitoring > Bandwidth > Tunnels > BW Trends)

24. Verify that the boxes are active and show these colors.

a. If any colors are pale, they are inactive, and their data won’t appear in the graphs.

25. Select these options on the Tunnel BW Trends tab:

a. Real Time

b. BulkApps

c. Outbound

26. Click the refresh button.

27. The graph for to_ECV-2_BulkApps(ECV-1) shows the data that flows from TG-1011
to ECV-1 to ECV-2 on its way to TG-2011.

28. The graph for to_ECV-1_BulkApps(ECV-2) shows the data that flows from TG-2011
to ECV-2 to ECV-1 on its way to TG-1011.

29. Click Show Underlays below the graphs. These graphs show the data for the
underlays that carry the FTP flows.


30. Click Close.

31. Click Monitoring > Bandwidth > Appliances > BW Trends to open the Appliance BW Trends tab.

32. Select these options on the Bandwidth Trends tab:

a. Real Time

b. All Traffic

c. Outbound

33. Click the refresh button.

34. The graphs show the overall bandwidth usage for ECV-1 and ECV-2.


 A strength of EdgeConnect SD-WAN is its monitoring options. You can monitor the charts
for trend analysis over time. Some monitoring features have real-time view options, while
others display data after one hour or more.

35. Close the Tunnel BW Trends tab and the Appliance BW Trends tab.

Task 5: Close the FTP Session


36. Go to the TG-1011 RDP window.

37. Close FileZilla.

38. If a file transfer is still in progress, click Yes on the Close FileZilla window.

Task 6: Erase Network Memory for ECV-1 and ECV-2

Note: Erasing an appliance’s network memory lets you measure baseline performance, against which you can compare the performance of the EdgeConnect appliance’s populated disk cache. Don’t use this outside of a scheduled maintenance window because it negatively affects performance until EdgeConnect rebuilds its disk cache.

39. From Orchestrator’s tree view, select only ECV-1 and ECV-2.

40. Click Administration > Tools > Erase Network Memory.

41. Click Erase Network Memory.

42. Click Close after the appliances have erased their network memory.


Learning Check
Answer the following questions:

1) What useful information does a flow detail provide?
Route policy, overlay matched, Tx / Rx information, WAN / LAN routing information, security / firewall information.

2) Why would you use the Tunnel Bandwidth Trends tab?
It shows bandwidth through the overlay between two appliances. You can also see the bandwidth for the underlays the overlay uses.

3) Why would you use the Bandwidth Trends tab?
It shows the amount of LAN and WAN bandwidth that an EdgeConnect uses over a period of time.

4) When is it appropriate to use the Erase Network Memory feature?
During a maintenance window to establish baseline performance measurements: empty disk cache vs. full disk cache.


Lab 15: Run a Report


Overview
An organization’s teams and leadership use reports to make business decisions. In this lab,
you will create, schedule, and view a custom report.
Estimated time = 10 minutes

Objectives

 Create a report.

 Schedule a report.

 View a report.

Instructions
Task 1: Create a Report
1. From Orchestrator’s appliance tree, click 5 Appliances to highlight all appliances.

2. Open Schedule & Run Reports. (Monitoring > Reporting > Schedule & Run Reports)

3. Click New Report.

4. Enter Training as the report’s name.

5. Click Save.

6. Configure the Training report with these options:

a. Appliances in Report: Use Tree Selection

b. Email Recipients: student@training.local

c. Traffic Type: All Traffic

d. Application Charts:

• Application Bandwidth

• Application Pie Charts


e. Tunnel Charts:

• All Overlays

• Health Map

• Flow Counts

• Loss

• Latency

f. Appliance Charts

• Top Talkers

• Top Domains

• Top Countries

7. Click Save.

Task 2: Schedule a Report


8. Verify that Run Scheduled Report is selected.

9. Click Edit next to the Run Scheduled Report box.

10. Configure these scheduled report options:

a. Daily

b. Every day

c. Time: 03:00

d. Starting On: (Click the calendar icon.)

• Current date

• 10 minutes from now

11. Click OK on the Schedule window.

12. Click Save on the Schedule & Run Reports tab.


Task 3: Run an On-demand Report


13. Click Run Single Report with Custom Time Range.

14. Click the left-side field and set the start time field to yesterday’s date at 08:00.

15. Click Done.

16. Click the right-side field, and then click Now.

17. Click Done.

18. Click Run Now below the Scheduled or Single Report section. While Orchestrator generates the report, it shows a spinning circle icon and a Stop button. When Orchestrator has generated the report, it shows a success message at the bottom of the window.

Task 4: View the On-demand Report


19. Click View Reports at the top of the Schedule & Run Reports tab.

20. Click the download icon to the right of the Hourly report. Google Chrome shows a download notification in the top-right corner.

21. Go to the Downloads folder on the Landing Desktop and click the Hourly Training report to open it.


 By default, the Daily report statistics are summarized once per day over a 14-day
period. The Hourly report summarizes statistics every hour over a 24-hour period.
The time period for each report is configurable.

 The statistics recorded in your lab may show different values than the example
screenshots.

22. Page 1 shows the Health Map.

23. Page 2 shows Application Pie Charts. Answer these questions:

a. What is the top application for Outbound LAN?
Cifs_smb or ICMP is probably the top application.

b. What is the top application for Outbound WAN?
ICMP or TCP is probably the top application.

24. Page 3 shows Application Bandwidth and Loss.


25. Page 4 shows Loss.

26. Page 5 shows Latency.

27. Page 6 shows Tunnel Flow Counts. Answer the following question:


a. Which tunnel has the highest Max TCP flows?
to_ECV-2_DefaultOverlay (this may vary from lab to lab if students did any extra file transfers or pings).

28. Page 7 shows Top Talkers by IP Address.

29. Pages 8 and 9 show an Orchestrator Report Summary.

30. Close the View Reports tab.

31. Close the Schedule & Run Reports tab.


Learning Check
Answer the following questions:

1) With what data granularity can you run reports?
Daily (14 days default) and hourly (24 hours default).

2) What types of charts can a report show?
Application charts, tunnel charts, and appliance charts.

3) T/F: The reports may be downloaded on the Orchestrator or emailed to specified recipients.
True – you can view the downloaded report or access it via email.

 You have reached the end of the labs for this course.


Appendix A: Solutions to Common Issues


Issue #1: Restarting Orchestrator
Only follow these steps if Orchestrator’s web interface fails to load in the web browser. If
needed, ask your instructor for assistance.

32. From the Landing Desktop, open VMware ESXi (https://esxihost) in Google Chrome.

33. Click Virtual Machines in the Navigator pane.

34. Click the checkbox next to Orchestrator in the list of virtual machines.

35. Click Actions > Power > Reset.

36. Click Orchestrator in the list of virtual machines.

37. Click the Orchestrator’s console window.

38. Verify that Orchestrator reboots and returns to the Orchestrator login prompt.

39. Open Google Chrome on the Landing Desktop to https://192.168.1.254.


Issue #2: Rebooting an Appliance from the ESXi Host

You will need to reboot the appliance in either of these cases:

• The appliance does not display an IP address in the VMware ESXi host.

• The appliance has not been discovered by the Orchestrator 10 minutes after completing the Initial Config Wizard.

1. Go to Virtual machines on the ESXi host. Click the checkbox next to the appliance.

2. On the menu bar at the top of the Virtual Machines window, click Shut down.

3. After a few seconds, click Power off. Then answer Yes on the power off warning pop-up.

4. After a few seconds, click the Power on button.

It will take a couple minutes for the appliance to reboot. To verify network services have
restarted, click the Refresh button to verify the appliance has obtained an IP address.
Then go back to the Discovered Appliances tab in the Orchestrator. After a couple
minutes, the appliance should appear.


Issue #3: Resolving Non-English Keyboard Issues


If you find that your keyboard entries cause incorrect characters to appear on the screen, you
might need to use the on-screen keyboard.

1. Navigate to the ReadyTech lab web browser window.

2. Click the ReadyTech Desktop menu > Enable Viewer Toolbar.

3. Click the Settings icon > Keyboard > Send Unicode virtual key codes from the When keys are pressed menu.

4. Click Save.

5. Click the Keys icon > Open onscreen keyboard.

Issue #4: Unable to access EC-V after reboot following Initial Configuration Wizard
Due to changes to the default deployment mode functionality, after you reboot an
EdgeConnect following the Initial Configuration Wizard, you can’t access it via HTTP/HTTPS
until you approve its registration from Orchestrator. If you applied the incorrect license
account name and / or account key, or you assigned the incorrect MAC addresses to the
EdgeConnect appliance’s interfaces, follow these steps:

1. From VMware ESXi, open a console window for the EdgeConnect.

2. Press F1 to start a command line interface (CLI).

 With some keyboards, you might need to enter the Fn (Function) key and the F1 key
together.


3. Enter the username admin and the password admin.

4. Enter enable at the command prompt.

5. Enter configure terminal.

6. Enter reboot empty-db.

 This command resets the EdgeConnect to factory default settings.

7. After the EdgeConnect is done rebooting, note the IP address at the top of the console
window.

 You need to wait about 2 minutes before the EdgeConnect accepts HTTPS connection
attempts.

8. Open a Google Chrome tab, enter https:// followed by the IP address from step 7, and then press Enter.

9. Click through any Google Chrome security warnings that might appear.

10. Log in to the EdgeConnect with these credentials:

a. User Name: admin

b. Password: admin

11. Click Login to open the Initial Config Wizard. If the Initial Config Wizard doesn’t automatically appear after you log in, click Configuration > System & Networking > Initial Config Wizard on the appliance’s menu to open it.

Issue #5: Lab Is Frozen


From time to time, there may be brief periods of unresponsiveness in the lab where the screen is frozen and you are unable to change browser tabs. If the lab remains frozen for more than a minute or so, or if there are continued periods of freezing that are impacting your ability to do the labs, then you can reboot the entire lab.

1. You reboot the lab from the main Lab Portal screen using the menu in the blue
bar at the top. Click on Lab > Actions > Hard Reboot.


2. Click the checkbox next to the Lab name and then click OK.

 It will take approximately 15 minutes for the lab to reboot and become accessible again.
When rebooting, the status icon will change to a red downward pointing arrow. After a few
minutes, the status will change to up and green. You will want to wait 3 – 5 more minutes
after the status changes to up before attempting to access the lab again as the network
services will be starting on the landing desktop. If you attempt to login but end up back on
the main portal window, then the landing desktop is not yet ready. Try again in a minute.


Appendix B: Getting Support


ReadyTech

Contact ReadyTech for:

• Problems redeeming a voucher (instructions above)

• Lab never comes up after a few hours.

• Lab seems to have gone down or you cannot reconnect.

• Pre-installed virtual machines that aren’t operating in VMware ESXi when you first log into the lab.

Response Time: ReadyTech Support is available 24 hours, 7 days a week. Questions are usually responded to within a couple hours.

1. Click on the Support link

a. Available options are:
• Live Chat (very responsive)
• Email: get-support@readytech.com
• Contact by telephone
• 24x7 support

HPE Aruba Networking

Contact SASE Training Support for:

• Instructional videos

• Course material or lab instructions

• Configuration of the Orchestrator or EdgeConnect VMs.

Response Time: Expect a response within one business day. Mon-Fri, 9am – 5pm Pacific Time

1. Click to email: SASE-Training@hpe.com. A new email should open in your application.

2. Compose your email

3. In Subject: Replace TYPEissue with a short description of your issue

Example Subject Lines:
A) LAB# 98765432 - DST – Setup script failed
B) LAB# 14377722 - AASD – Can’t get IP Address on ECV-4

4. In the body, include your:

• LAB ACCESS CODE
• Position in lab guide:
A) Lab#
B) Page#
C) Step#
• Screenshot(s)


Appendix C: Summary of Orchestrator and EC-V Appliances


Appendix D: User IDs and Passwords

Lab Access Code:

System/Platform | User | Password | Notes
Landing Desktop | Administrator | Speak-123 | Windows PC. Access other devices from it.
VMware ESXi web client | admin | Speak-123 | Access via Google Chrome from the Landing Desktop.
Orchestrator | admin | Speak-123 | Initial default password: admin
EdgeConnect appliances (ECV-1, 2, 4, and 5) | admin | Speak-123 | Initial default password: admin
Traffic Generator PCs (TG-1011, TG-2011, TG-3511, TG-11411) | Administrator | Speak-123 | Traffic generator PCs at each site – best to use RDP to access.
FTP servers | student (UBU-1), anonymous (TG-XX11) | Speak-123 (both) | Use the Quickconnect button.
hMail Server | Provided by hMail Server. | Speak-123 | Not for student use.
Kwanem Emulators (K1-MPLS, K2-Internet, K3-LTE) | root | Speak-123 | Not for student use.


Appendix E: DST Lab Topology


The 192.168.1.0/24 subnet is the out-of-band management network. Most devices also have one or more data path IP addresses with
the format 10.110.x.y/24. Site 1 represents a branch office. Site 2 is a regional office with two EdgeConnects deployed with
EdgeConnect HA. Site 3 represents an organization’s data center with a pair of redundant EdgeConnects deployed as Traditional HA.


Change Log
May 27, 2024 (v1.0): Created original document
June 13, 2024 (v1.1): Edited EdgeHA lab to show that Boost can now be configured on both appliances at the same time. Moved instructions for rebooting an ECV via ESXi host to Appendix A. Added reference to the instructions in Labs 1, 5, 6 and 9.
June 24, 2024 (v1.2): Corrected BIOs config (Lab 13, Tasks 1 & 3). Topology change to hub & spoke now only configured in BulkApps. Updated screenshots – Lab 7, task 3; Lab 9, task 1; Lab 10, tasks 4 & 5.
