Advanced Configuration

To configure some security, authentication, time and routing parameters, select Network -> Advanced Configuration from the Orchestrator main menu.

Note: the values displayed in the forms are default values.

Local Breakout

Depending on your deployment, you may deactivate the Local Breakout rule, i.e. the ability of Branch Office Sites to access the Internet directly.

By default, Local Breakout is activated if at least one Branch Office Site in your network has a direct Internet access. To change this behavior and, for example, force all Internet traffic through MPLS, select MPLS in the Transport Network list of values.

You can also deactivate the function entirely by disabling it.

Overlay Routing

Overlay IP Network: subnet where the Orchestrator selects the addresses of the ip|engine internal interfaces.
AS Number Range: the Orchestrator uses this range of values to configure Site autonomous systems automatically (refer to "Configuring the LAN").
AS Number Exclusion: values or ranges of values to exclude from the AS Number Range (reserved values). The authorized separators are ',', '|' and ';'.
Simple values: N where 1 <= N <= 65535
Value ranges: N-M where N < M and 1 <= N, M <= 65535

Multi-format example: 65002,65012-65024|65042;65122

Validate your input by hitting the Create button. To modify any advanced configuration data, click the Update button. The last modification date and owner are specified in the right top corner of the form.
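The exclusion syntax above is easy to get subtly wrong (mixed separators, an inverted range, a value outside the AS number space), so it is worth validating before it reaches the form. The following is an added example written for this page, not Orchestrator code: it expands a multi-format exclusion string, rejects anything outside [1 - 65535] or with N >= M, and then hands out the lowest free AS numbers of a range. The allocate_asns function and its "lowest free number first" policy are this example's own assumptions; the page does not describe how the Orchestrator picks a Site's AS number.

```python
"""Parse AS Number Exclusion strings and allocate Site AS numbers.

Added example for this page, not Orchestrator code. Assumed: the AS
Number Range is written "N-M", exclusions use the separators ',', '|'
and ';' in any mix, and Sites receive the lowest free number first.
"""
import re

ASN_MIN, ASN_MAX = 1, 65535
SEPARATORS = re.compile(r"[,|;]")


def _check(n: int) -> int:
    """Reject values outside the authorized [1 - 65535] range."""
    if not ASN_MIN <= n <= ASN_MAX:
        raise ValueError(f"AS number {n} outside [{ASN_MIN} - {ASN_MAX}]")
    return n


def parse_range(text: str) -> tuple[int, int]:
    """Parse 'N-M' with N < M into (N, M)."""
    lo_s, hi_s = text.strip().split("-", 1)
    lo, hi = _check(int(lo_s)), _check(int(hi_s))
    if lo >= hi:
        raise ValueError(f"range {text!r} must satisfy N < M")
    return lo, hi


def parse_exclusions(text: str) -> set[int]:
    """Expand the multi-format exclusion string into the set of excluded ASNs.

    Single values ("65002") and ranges ("65012-65024") may be mixed and
    separated by ',', '|' or ';'. Surrounding whitespace and empty tokens
    (for example a trailing separator) are ignored; anything else raises.
    """
    excluded: set[int] = set()
    for token in SEPARATORS.split(text):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo, hi = parse_range(token)
            excluded.update(range(lo, hi + 1))
        else:
            excluded.add(_check(int(token)))
    return excluded


def allocate_asns(as_range: str, exclusions: str, sites: int) -> list[int]:
    """Return the first `sites` AS numbers of as_range that are not excluded."""
    lo, hi = parse_range(as_range)
    excluded = parse_exclusions(exclusions)
    free = [n for n in range(lo, hi + 1) if n not in excluded]
    if len(free) < sites:
        raise ValueError(f"only {len(free)} free AS numbers for {sites} Sites")
    return free[:sites]


if __name__ == "__main__":
    # Multi-format example from the form description above.
    print(sorted(parse_exclusions("65002,65012-65024|65042;65122")))
    print(allocate_asns("65000-65100", "65002,65012-65024|65042;65122", 5))
```

The parser deliberately fails closed: a malformed token raises instead of being skipped, so a typo cannot silently un-reserve an AS number you meant to keep out of the overlay.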

Routing Loop Prevention

To prevent OSPF routing loops (refer to "Configuring OSPF") from a Hybrid Data Center to a Hybrid Site, define a BGP Community and an OSPF Tag.

BGP Community: four-byte value written as two 16-bit hexadecimal halves separated by '.'
The first half ranges from 0001 to FFFE (FFFE by default); 0000 and FFFF are forbidden.
The second half ranges from 0000 to FFFF (FF01 by default).
OSPF Tag: the authorized value range is [1 - 65535]. The default value is 6976.

For example, in "Use Case 1", the MPLS CE router (10.1.4.254) may send traffic for B02 to the hybrid Data Center ip|engine router (10.1.4.4), which then uses the Internet route towards B02 instead of the MPLS route towards the same ip|engine. To avoid this behavior:

The B02 ip|engine router sets the BGP Community you define on the routes it exports into the overlay BGP. The Data Center ip|engine router recognizes these routes by that community, tags them with the OSPF Tag you define and redistributes them into OSPF.
Once you have manually configured the MPLS CE router accordingly, it can reject any route carrying that tag that comes from the Data Center, or at least not redistribute such routes into the MPLS VPN's BGP.

Overlay Security

The following parameters only apply to the tunnels between Ipanema ip|engines and between Ipanema ip|engines and external gateways.

IKE policy

Internet Key Exchange (IKE) is a key management protocol that is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations (SAs). Refer to RFC 5996 (IKEv2; since obsoleted by RFC 7296).

Encryption: drop-down list to choose the encryption algorithm (mandatory): AES-128 CBC, AES-192 CBC, AES-256 CBC, AES-128 GCM, AES-192 GCM, AES-256 GCM, AES-128 GMAC, AES-192 GMAC, AES-256 GMAC and 3DES,
Integrity: drop-down list to choose the data integrity hash method: SHA1, SHA-256, SHA-384, SHA-512 and MD5,
DH Group: drop-down list to choose the Diffie-Hellman group: 1 (768-bit), 2 (1024-bit), 5 (1536-bit), 14, 19, 20, 21 and 24,
SA lifetime (seconds): Security Association lifetime, 86,400 (= 24 h) by default. The authorized range of values is [120 - 172800].

Note: the AES GMAC variants authenticate without encrypting, and 3DES, MD5, SHA1 and Diffie-Hellman groups 1, 2 and 5 are deprecated. Keep them only for peers that support nothing better; otherwise prefer AES GCM (or AES CBC with SHA-256 or stronger) and DH group 14 or one of the elliptic-curve groups 19, 20 and 21.

IPsec policy

Encryption: drop-down list to choose the encryption algorithm (mandatory). The available options are the same as for the IKE policy encryption plus NULL, which provides no confidentiality and is only suitable for testing,
Integrity: drop-down list to choose the data integrity hash method (mandatory); see IKE policy integrity,
DH Group (PFS only): drop-down list to choose the Diffie-Hellman group: 1 (768-bit), 2 (1024-bit), 5 (1536-bit), 14, 19, 20, 21, 24, or PFS disabled. Perfect Forward Secrecy (PFS) forces a fresh Diffie-Hellman exchange for each IPsec SA instead of deriving its keys from the IKE SA, so the compromise of one key does not expose the traffic protected by earlier or later keys. Both sides of the VPN must support PFS for it to work; using PFS provides a more secure VPN connection,
SA lifetime (seconds): Security Association lifetime (86,400 s, that is 24 hours, by default; mandatory). The authorized range of values is [120 - 172800],
Lifebytes (kbytes): number of kilobytes sent through the tunnel before it is renewed; the tunnel is renewed after the SA lifetime or after the Lifebytes volume, whichever expires first. Valid values are in the range [5120 - 2147483648 kbytes],
MTU (bytes): maximum size of the packet carried inside the tunnel, that is, of the encapsulated payload. The default value is 1400, which leaves room for the IPsec and outer IP overhead on a 1500-byte link. This value applies to all IPsec tunnels.

IPsec Concentrator authentication

If a Pre-Shared key is already configured, this field is displayed in green and may remain empty.

This Pre-Shared key is used for all the tunnels between ip|engines. It is generated automatically by the Orchestrator for each Customer, but you may also enter a new Pre-Shared key of at least 32 characters. Use the icon next to the field to display or hide the key. Because a single key authenticates every tunnel of the Customer, treat it as a highly sensitive secret and generate it randomly rather than choosing a memorable phrase.

CloudMesh

The CloudMesh Overlay Routing section is read-only.

Overlay IP Network: subnet where the Orchestrator selects the addresses of the ip|engine internal interfaces to connect to CloudMesh Edges. You cannot use this range in your network.
AS Number: CloudMesh Core uses this AS number. You cannot reuse or modify this parameter.

Syslog Servers

To enable log export by SD-WAN ip|engines about NATted DTI connections, you must define one (or several) Syslog Server(s) in your network.

After you have clicked 'Add Server', enter the server Name, its IP Address (preferably in your private network) or FQDN, the Protocol (TCP or UDP) and the Port. When NAT entries are created, logs are sent to the Syslog Server in syslog format. Prefer TCP where the server supports it: UDP syslog offers no delivery guarantee, so NAT records you may later need for an investigation can be lost silently.

Warning: log export is not available on VRRP backups (with unmounted tunnels).

Time Synchronization

Define the Time Server by entering an IP address.

Using a Time Server located inside the Customer private network is recommended.

Then select from the stack up to 5 hub ip|engines to be used as Synchronization Servers.

These ip|engines are synchronized with the Time Server; they are used as synchronization references for all the other ip|engines of the Customer network.

Transport Network Settings

You may activate eligibility to DTI globally by selecting the appropriate Transport Network. If you select 'Internet', all Internet L3 WAN interfaces of all the ip|engines in your network will be eligible to DTI.

VRRP

Warning: only VRRP Version 2 is supported. Delays can only be defined in whole seconds, that is, either as a number of seconds or as a number of milliseconds that is a multiple of 1000.

General

Advertising Interval (seconds): the virtual router (master) sends VRRP advertisements to other VRRP routers in the same group. The priority and group ID of the virtual router master are carried in the advertisements. Advertisements are sent every second by default.
Priorities - Master, Backup and Failed Check: priority values for the VRRP preemption mechanism. The device with the highest priority within the group becomes the master.
If Preemption is activated (the default), the following rule applies:
the virtual router backup that is elected master remains the master only until the original virtual router master recovers, at which point the original master takes over again (master/backup deployment).

Mechanism:

if the LAN interface is down, it is in FAULT state

with the And logical operator, any health checked WAN interface that goes down degrades the priority by the specified Failed Check

with the Or logical operator, the priority is not degraded until all health checked interfaces are down

If preemption is disabled:
the virtual router backup that is elected to become the master remains the master until it enters the FAULT state. The other backup virtual router then becomes the master and remains the master until it enters the FAULT state in turn; if both virtual routers are down, traffic stops. When the first backup virtual router recovers (from FAULT state to Backup state), it becomes the master again (backup/backup deployment).

Mechanism:

if the LAN interface is down, it is in FAULT state

with the And logical operator, any health checked WAN interface that goes down switches the router to FAULT state

with the Or logical operator, the virtual router switches to FAULT state if all health checked WAN interfaces are down

Warning: when preemption is disabled, there is no progressive health degradation. This can lead to a Site being isolated even if there is still a working WAN interface. For this reason, activating preemption is strongly recommended.

Delay (seconds): delays VRRP transition to the master by the number of seconds specified (1 by default). This delay prevents the backup from becoming the master very frequently, in cases of network flapping.
Health Check Interfaces:
Interval (milliseconds): by default, health check on interfaces is executed every second
Fall: number of failed health checks before the device is considered in bad health
Rise: number of successful health checks before the device is considered in good health again

Gratuitous ARP

A Gratuitous ARP is an ARP Response that was not prompted by an ARP Request. It is sent as a broadcast, as a way for a node to announce or update its IP-to-MAC mapping to the entire network; after a VRRP transition it is what moves the virtual IP to the new master's MAC address in the switches and hosts of the LAN.

Master:
Delay (seconds): delay for a second set of Gratuitous ARP messages after transition to Master. Default: 5. Enter 0 for no second set.
Repeat (count): number of Gratuitous ARP messages to send at a time after transition to Master. Default: 5
Refresh delay (seconds): minimum time interval for refreshing Gratuitous ARP messages while Master. Default: 0
Refresh repeat (count): number of Gratuitous ARP messages to send at a time while Master. Default: 5
Lower priority:
Delay (seconds): delay for a second set of Gratuitous ARP messages after a lower priority advert has been received when Master. Default: 5. Enter 0 for no second set.
Repeat (count): number of Gratuitous ARP messages to send at a time after a lower priority advert has been received when Master. Default: 5.

Tuning

Protocol Version: 2
VRRP multicast group: IPv4 multicast address to which the VRRP advertisements of the group (the abstract representation of the master and backup routers) are sent; 224.0.0.18 in a standard VRRP deployment.
Strict RFC adherence: check this option to ignore any customized settings and strictly adhere to VRRP rules.
When master, do not send advert after receiving lower priority advert: optional
When master, send advert after receiving higher priority advert: optional
Do not send second GARP burst of packets: optional
GARP Interval (microseconds): default interval between Gratuitous ARP messages sent on an interface
ARP NA Interval (microseconds): default interval between unsolicited NA (IPv6 Neighbor Advertisement) messages sent on an interface

IHAP

The following parameters identify the IHAP Profile you create or update.

Note: A Default IHAP Profile with predefined configuration parameters is available.

Name: name of the IHAP profile which is applied to both the nominal ip|engine and backup ip|engine of the Site.
Engine bad health criteria for recognizing a failover condition:
any (default): failover condition is confirmed when any monitored interface is down
all: failover condition is confirmed when all the monitored interfaces are down
Interfaces to monitor: select the interfaces you want to monitor by moving them from the left pane to the right pane.
Keep alive: keep alive time in milliseconds. The authorized range is [50 - 10000]. The default value is 100 ms.
Peer dead factor: used to tune the waiting time of the backup ip|engine before declaring the unresponsive active peer down, expressed as a multiple of the Keep alive interval (with the defaults, 5 x 100 ms = 500 ms). The authorized range is [3 - 10]. The default value is 5.
Tunnel persistence: by default, this option is disabled, i.e. there are no mounted tunnels on the standby ip|engine.
Preemption: this option is enabled by default. It means that, once the nominal ip|engine is back in standby, it can preempt the backup ip|engine that is currently active and become active again.