
Administrator User Guide

SD-WAN
PERMISSIONS, MONITORING & CONFIGURATION FOR
WINDSTREAM SD-WAN
Table of Contents
SD-WAN Network Management Tool in Windstream Online (WOL)

SD-WAN Permissions
1.1 SD-WAN Permission Levels ........ 3
1.2 Permission Level Notifications ........ 3
1.3 Confirmation of Configuration Changes ........ 3

SD-WAN Monitor
2.1 Monitoring Overview ........ 4
2.2 Monitoring Quality of Experience (QoE) ........ 5
2.3 Monitoring Transport ........ 6
2.4 Monitoring Applications ........ 8
2.5 Monitoring Sources ........ 9
2.6 Monitoring Destinations ........ 11
2.7 Monitoring Business Priority ........ 12

SD-WAN Configuration
3.1 Configure Edges Overview ........ 13
3.2 Configure Edges Device ........ 14
3.3 Configure Edges Business Policy ........ 18
3.4 Configure Edges Firewall ........ 20
3.5 Configure Profile Overview ........ 22
3.6 Configure Profile Device ........ 23
3.7 Configure Profile Business Policy ........ 27
3.8 Configure Profile Firewall ........ 29
3.9 Configure Network ........ 31
3.10 Configure Network Services ........ 33

NEED HELP?
CONTACT SUPPORT
1-888-623-VOIP
Support@Broadviewnet.com
http://community.broadviewnet.com

SD-WAN PERMISSIONS
1.1 SETTING SD-WAN PERMISSION LEVELS
The Administrator grants permissions for SD-WAN to others in their company via the "Admin" area of the Windstream Online
(WOL) portal. There are four (4) levels of permission access defined for SD-WAN, as shown below:

Note: These permission levels are not cumulative, so only those checked are applicable.

Product & Service Tools: None | View | Manage | Advanced
    Allow this user to access the online tools to manage your Windstream services. You can provide access to
    only select tools by choosing 'Advanced'.

SD-WAN permission levels:
    View              SD-WAN Monitor
    View              SD-WAN Configure
    Manage (Limited)  SD-WAN Configure: Business Policy and Firewall only
    Manage (All)      SD-WAN Configure: full access to manage configuration settings

Configuration changes may cause, but are not limited to, service interruptions, networking issues, or security risks.
Misconfigurations or service interruptions that result from Customer initiated configuration change are solely the
responsibility of the Customer and are not covered as a part of the SD-WAN service level agreement.

1.2 PERMISSION LEVEL NOTIFICATIONS


Users are informed if they do not have the level of permission to make changes for certain areas:

Note: You do not have permission to save any changes on this page.

1.3 CONFIRMATION OF CONFIGURATION CHANGES


Confirmation dialog shown before a configuration change is saved:

    Are you sure you want to save these configuration changes?    YES    NO

    Configuration changes may cause, but are not limited to, service interruptions, networking issues, or security
    risks. Misconfigurations or service interruptions that result from Customer initiated configuration change are
    solely the responsibility of the Customer and are not covered as a part of the SD-WAN service level agreement.

Reminder: Administrators that are reluctant to make their own changes can always rely on the Windstream
SD-WAN Concierge™ support team to implement changes.

Note: It is recommended that a qualified network technician manage network configuration changes, as these updates
may cause service interruptions, network issues, or security risks if not properly implemented.

SD-WAN MONITOR
2.1 MONITORING OVERVIEW
Figure: Monitor > Overview tab (Past 60 Minutes, Site 01). Tabs: Overview, QoE, Transport, Applications, Sources,
Destinations, Business Priority.

Link Status table (per link, upstream ↑ / downstream ↓):
    LINK              INTERFACE (WAN TYPE)   THROUGHPUT | BANDWIDTH      LATENCY             JITTER              PACKET LOSS
    AT&T U-verse      INTERNET 2 (ETHERNET)  ↑ 9.32 Kbps | 753.00 Kbps   ↑ 18 msec | 18 msec  ↑ 1 msec | 1 msec    ↑ 0% | 0%
                                             ↓ 10.03 Kbps | 6.96 Mbps    ↓ 20 msec | 20 msec  ↓ 0 msec | 0 msec    ↓ 0% | 0%
    Verizon Wireless  INTERNET 3 (ETHERNET)  ↑ 2.91 Kbps | 2.09 Kbps     ↑ 70 msec | 70 msec  ↑ 10 msec | 10 msec  ↑ 0% | 0%
                                             ↓ 2.58 Kbps | 5.21 Mbps     ↓ 51 msec | 51 msec  ↓ 6 msec | 6 msec    ↓ 0% | 0%

Bandwidth Usage panels: Top Applications (VeloCloud Control 9.01 MB, VeloCloud Management 1.85 MB), Top Categories
(pie chart), Top Operating Systems (VeloCloud), Top Sources (VeloCloud Edge, 0.0.0.0).

1. The Overview tab displays information about your Edge WAN links, application bandwidth, and network usage for top
operating systems, top categories, and top sources. The Overview tab consists of two (2) areas: Link Status and
Bandwidth Usage.

2. The Link Status area (WAN/LAN) is updated in real time and displays a list of your links and their data (Cloud and
VPN status, Interface, and Throughput Capacity). Cloud Status and VPN Status can display the following statuses:
Green = Active, Yellow = Degraded, Red = Offline/Disconnected, Grey = Not Enabled. The Link Status area can also display
the status of Backup links, depending upon the WAN settings.

3. The Bandwidth Usage area displays your top applications, categories, operating systems and sources along with their
volume for a historical period of time. You can change the time frame by clicking the Time Duration drop-down menu.
Clicking one of the arrow icons lets you drill down further into the details for each usage category.

4. The Top Applications area displays historical usage data for top applications and is connected to the Applications tab.
To access the Applications tab, click the View Details arrow on the right side.

5. The Top Categories area displays categories as a color-coded pie chart (with a corresponding legend). The Top
Categories area is also connected to the Applications tab. To access the Applications tab, click the View Details arrow
on the right side.

6. The Top Operating Systems area displays top operating systems as a bar graph. Hover over a bar in the graph to
display usage data for that system. The Top Operating Systems area is connected to the Sources tab. To access the
Sources tab, click the View Details arrow on the right side.

7. The Top Sources section of the Bandwidth Usage area displays top sources as a bar graph. The Top Sources section is
also connected to the Sources tab. To access the Sources tab, click the View Details arrow on the right side.

2.2 MONITORING QUALITY OF EXPERIENCE (QOE)


Figure: Monitor > QoE tab (Past 60 Minutes, Site 01), traffic type Voice. The Network Enhancements panel shows the
QoE Score before (9.61) and after (9.98) SD-WAN enhancements, with a "Test Communications" button. Hover detail for
Thurs Aug 17 2016 13:05: Latency Fair, Jitter Good, Packet Loss Good; "Downstream latency reported at 26 msec."

1. The SD-WAN Quality of Experience (QoE) tab shows the SD-WAN Quality Score (SQS) for different applications. The SQS
rates the quality of experience that a network can deliver to an application for a period of time.

2. There are three different traffic types that you can monitor (Voice, Video, and Transactional) in the QoE tab. You can
hover over a WAN network link, or the aggregate link provided by the SD-WAN, to display a summary of Latency, Jitter, and
Packet Loss.

3. The SD-WAN Quality Score (SQS) rates an application's quality of experience that a network can deliver for a given
time frame. Some examples of applications are video, voice, and transactional. QoE rating options are shown in the table
below.

RATING COLOR  RATING OPTION  DEFINITION
Green         Good           All metrics are better than the objective thresholds. Application performance at or above SLA.
Yellow        Fair           Some or all metrics are between the objective and maximum values. Application performance may
                             be impacted.
Red           Poor           Some or all metrics have reached or exceeded the maximum value. Application performance may
                             be impacted.

4. Link Steering and Remediation enables dynamic, application aware per-packet link steering that is performed
automatically based on the business priority of the application, embedded knowledge of network requirements of
the application, and the real-time capacity and performance of each link. On-demand mitigation of individual link
degradation through forward error correction, jitter buffering and negative acknowledgment proxy also protects the
performance of priority and network sensitive applications. Both the dynamic per-packet link steering and on-demand
mitigation combine to deliver robust, sub-second blackout and even brownout protection to improve application
availability, performance and end user experience.

2.3 MONITORING TRANSPORT


Figure: Monitor > Transport tab (Past 60 Minutes, Site 01). "Average Throughput" chart (Downstream, y-axis in Bps,
series AT&T U-verse and Verizon Wireless, time axis Apr 8 from 3:59 pm to 5:02 pm), a "Links" selector, and a
"Download as Excel (.csv)" button.

Links table:
    CLOUD STATUS  VPN STATUS  NAME              INTERFACE (WAN TYPE)   TOTAL BYTES  DOWNSTREAM (BPS)  UPSTREAM (BPS)
    (icon)        (icon)      AT&T U-verse      INTERNET 2 (ETHERNET)  13.59 MB     16.38 Kbps        14.28 Kbps
    (icon)        (icon)      Verizon Wireless  INTERNET 3 (ETHERNET)  2.39 MB      2.37 Kbps         2.56 Kbps

1. The Transport tab provides an overview of the bandwidth used across all of the WAN links. For any period of time
including historical timeframes, you can view which Link or Transport Group was used for the traffic and how much data
was sent. You can filter on the data by drilling down into various utilization types.

2. Using the chart tools you can easily zoom into any subset of data within the chart by clicking in the chart and holding
down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent
data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with
the data anywhere else on the chart.

3. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and
focus on the other series in the chart.

4. The Cloud Status represents the ability of the Edge device to communicate with the gateway over the Internet cloud.
The status values for both Cloud and VPN are: green = connected, red = disabled, gray = unavailable.

5. Descriptions for the options of Links Stats listed in the Links Stats drop menu are listed in the table below.

LINK STAT ITEM  DEFINITION
Bandwidth       This parameter denotes the desired bandwidth allocation in Mbps for each flow. Based on these
                parameters, the total capacity is allocated in proportion to the bandwidth values of the various flows.
Jitter          Jitter is calculated using the RFC 3550 formula for calculating jitter that is used by RTP. Jitter
                metrics are measured between the Edge device and the SD-WAN core gateway. Application performance
                may be impacted.
Latency         For each packet, the latency is measured by subtracting the network send time (the packet is time
                stamped immediately before being sent) from the network receive time (the packet is time stamped
                immediately after being received).
Packet Loss     A packet is counted as lost when a path sequence number is missed and doesn't arrive within the
                re-sequencing window. A "very late" packet is counted as a lost packet in this regard.
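The following is an added example, not Windstream or VeloCloud code, that puts the link-stat definitions above and the QoE rating table of section 2.2 together: it computes latency, RFC 3550 interarrival jitter and packet loss (with a re-sequencing window, so a "very late" packet is counted as lost) over a constructed probe trace, then rates each metric Good / Fair / Poor against an objective and a maximum threshold. The threshold values, the probe trace and the window size are assumptions for illustration; the guide does not publish the real thresholds.

```python
"""Link statistics and QoE rating, added example (not Windstream or VeloCloud code).

Latency, RFC 3550 interarrival jitter and windowed packet loss over a
constructed probe trace, rated Good / Fair / Poor with assumed thresholds.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Probe:
    seq: int          # path sequence number
    sent_ms: float    # timestamp taken immediately before the packet is sent
    recv_ms: float    # timestamp taken immediately after the packet is received


# Constructed trace: seq 5 never arrives; seq 3 arrives after seq 7 ("very late").
TRACE: List[Probe] = [
    Probe(1, 0, 25), Probe(2, 20, 45), Probe(4, 60, 86), Probe(6, 100, 124),
    Probe(7, 120, 146), Probe(3, 40, 153), Probe(8, 140, 165),
    Probe(9, 160, 186), Probe(10, 180, 205),
]

# Assumed (objective, maximum) thresholds per metric for the Voice traffic type.
VOICE_THRESHOLDS: Dict[str, Tuple[float, float]] = {
    "latency_ms": (100.0, 300.0),
    "jitter_ms": (5.0, 20.0),
    "packet_loss_pct": (0.5, 3.0),
}
COLOR = {"Good": "Green", "Fair": "Yellow", "Poor": "Red"}


def latency_ms(probes: List[Probe]) -> float:
    """Mean per-packet latency: network receive time minus network send time."""
    if not probes:
        return 0.0
    return sum(p.recv_ms - p.sent_ms for p in probes) / len(probes)


def rfc3550_jitter_ms(probes: List[Probe]) -> float:
    """RFC 3550 section 6.4.1 interarrival jitter estimator, in arrival order:
    D = (R_i - R_prev) - (S_i - S_prev);  J = J + (|D| - J) / 16."""
    jitter = 0.0
    prev = None
    for p in sorted(probes, key=lambda x: x.recv_ms):
        if prev is not None:
            d = (p.recv_ms - prev.recv_ms) - (p.sent_ms - prev.sent_ms)
            jitter += (abs(d) - jitter) / 16.0
        prev = p
    return jitter


def packet_loss_pct(probes: List[Probe], first_seq: int, last_seq: int, window: int) -> float:
    """Loss over first_seq..last_seq. A sequence number is lost if it never arrives
    or arrives after the re-sequencing window has moved `window` numbers past it."""
    expected = last_seq - first_seq + 1
    delivered = set()
    highest = first_seq - 1
    for p in sorted(probes, key=lambda x: x.recv_ms):
        if not first_seq <= p.seq <= last_seq:
            continue
        if p.seq <= highest - window:
            continue  # window already closed for this sequence number: counted as lost
        delivered.add(p.seq)
        highest = max(highest, p.seq)
    return 100.0 * (expected - len(delivered)) / expected


def rate_metric(value: float, objective: float, maximum: float) -> str:
    """Good: better than the objective; Fair: between objective and maximum;
    Poor: reached or exceeded the maximum (as in the QoE rating table)."""
    if value < objective:
        return "Good"
    if value < maximum:
        return "Fair"
    return "Poor"


def rate_link(probes: List[Probe], first_seq: int, last_seq: int, window: int,
              thresholds: Dict[str, Tuple[float, float]] = VOICE_THRESHOLDS) -> Dict[str, str]:
    """Rate each metric; the worst metric sets the overall rating and colour."""
    stats = {
        "latency_ms": latency_ms(probes),
        "jitter_ms": rfc3550_jitter_ms(probes),
        "packet_loss_pct": packet_loss_pct(probes, first_seq, last_seq, window),
    }
    order = {"Good": 0, "Fair": 1, "Poor": 2}
    ratings = {k: rate_metric(v, *thresholds[k]) for k, v in stats.items()}
    overall = max(ratings.values(), key=order.get)
    return {**ratings, "overall": overall, "color": COLOR[overall]}


if __name__ == "__main__":
    print(rate_link(TRACE, first_seq=1, last_seq=10, window=2))
```

With a window of 2 the late packet (seq 3) and the missing packet (seq 5) both count as lost, so loss is 20% and the link rates Poor even though latency is Good; widening the window to 10 accepts seq 3 and halves the reported loss, which is why the window size matters when comparing loss figures across links.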

2.4 MONITORING APPLICATIONS
Figure: Monitor > Applications tab (Past 60 Minutes, Site 01). "Bytes Received / Sent" chart (y-axis Bytes, Received
series, time axis Aug 9 to Aug 18) with an Applications legend: Google, HTTP, HTTPS, LDAP, YouTube, Windows Live, Yahoo,
Microsoft Office 365, Background Intelligent Transfer Service (BITS), VeloCloud Control.

Applications table:
    APPLICATION           CATEGORY                TOTAL BYTES  BYTES RECEIVED  BYTES SENT
    VeloCloud Control     VeloCloud               15.41 GB     5.95 GB         9.46 GB
    Google                Web                     5.78 GB      5.46 GB         311.40 MB
    Microsoft Office 365  Business Collaboration  5.81 GB      4.56 GB         1.28 GB

"Top Applications by Bytes Received / Sent" dialog for VeloCloud Management: Top Destinations (velocloud.net),
Top Source Devices (VeloCloud Edge); OK and CLOSE buttons.
1. The Applications tab displays network usage information about your applications or your application categories. You
can hover over a segment of the graph to display network usage data for that segment. You can also choose which type
of data is displayed from the Data drop down menu (Bytes Received/Sent, Total Bytes, Total Packets, or Packets Received/
Sent).

2. You can also click an application in the Applications column to open a dialog box, which displays the Top Destinations
and Top Source Devices for the application.

3. Clicking on the arrow icon will take you to the associated page allowing you to drill down further into the data.

4. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the
mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets.
Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data
anywhere else on the chart.

5. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and
focus on the other series in the chart.

2.5 MONITORING SOURCES


Figure: Monitor > Sources tab (Past 30 Minutes, Site 01, "Active Edges Only" filter). "Bytes Received / Sent" chart
(y-axis Bytes, Received series, time axis over August) with a Devices legend: Andrew's Phone, Lauren's Phone,
Mark's Phone, April's AppleWatch; "Download as Excel (.csv)" button.

Sources table:
    SOURCE          IP ADDRESS  OPERATING SYSTEM  TYPE                TOTAL BYTES  BYTES RECEIVED  BYTES SENT
    Andrew's Phone  0.0.0.0     EDGE              n/a                 5.51 GB      2.79 GB         2.72 GB
    Lauren's Phone  10.0.0.231  iOS               Smart Phone/Tablet  38.89 MB     36.55 MB        2.34 MB
    Mark's Phone    10.0.0.211  iOS               Smart Phone/Tablet  821.92 KB    774.87 KB       73.56 KB

"Top Sources by Bytes Received / Sent" dialog for VeloCloud: Top Applications (Facebook, Instagram, Twitter, LinkedIn),
Top Destinations (facebook.com, fbcdn.net, yimg.com, yahoo.com); OK and CLOSE buttons.

1. The Sources tab screen displays network usage data (operating system, device type) over a historical period of time. The
data is displayed as two line graphs. You can change the data that is displayed in the graphs from the Data drop down
menu (Bytes Received/Sent, Total Bytes, Total Packets, or Packets Received/Sent). You can also hover over a segment of
the graph to display the source and its associated network usage.

2. You can also click a source in the Source column to open a dialog box, which displays the Top Destinations and Top
Applications for that source. Clicking the pencil icon next to a source device in the grid view lets you give the source
a friendly name, so that it is shown under that name in portal reporting.

3. Clicking on the arrow icon will take you to the associated page allowing you to drill down further into the data.

4. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the
mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets.
Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data
anywhere else on the chart.

5. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and
focus on the other series in the chart.

2.6 MONITORING DESTINATIONS
Figure: Monitor > Destinations tab (Past 30 Minutes, Site 01), destination type Domains. "Bytes Received / Sent" chart
(y-axis Bytes, Received series, time axis over August) with a legend of domains: sunn.edw.net, pen.local, 1e100.net,
google.com, technologies.com, expertcity.com, windstream.com, yahoo.com, facebook.com.

Destinations table:
    DESTINATION       TOTAL BYTES  BYTES RECEIVED  BYTES SENT
    velocloud.net     17.43 GB     7.04 GB         10.43 GB
    expertcity.com    5.39 GB      4.31 GB         1.46 GB
    google.com        5.94 GB      4.04 GB         1.66 GB
    technologies.com  2.38 GB      2.55 GB         130.62 MB

"Top Destinations by Bytes Received / Sent" dialog for velocloud.net: Top Applications (Facebook, Instagram, Twitter,
LinkedIn), Top Operating System (Other/Unidentified); OK and CLOSE buttons.

1. The Destinations tab screen displays network usage data (operating system, device type) over a historical period of
time by the destination of the network traffic. If you hover over a segment of the graph, the destination and its
associated network usage are displayed. There are three destination types (Domain, FQDN, IP), selected on the right side
of the screen.

2. For each type (Domain, FQDN, and IP), the Top Destinations dialog box for that type opens when you click a destination
in the Destination column. You can open the Applications and Sources tabs from the Top Destinations dialog box: click the
arrows next to the Top Applications and Top Operating System sections of the dialog box (respectively) to open these tabs.

3. Clicking on the arrow icon will take you to the associated page allowing you to drill down further into the data.

4. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the
mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets.
Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data
anywhere else on the chart.

5. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and
focus on the other series in the chart.

2.7 MONITORING BUSINESS PRIORITY


Figure: Monitor > Business Priority tab (Past 60 Minutes, Site 01). "Average Throughput" chart (Downstream, y-axis
Bytes, series High, Normal, Low and Control; time axis Aug 16 to Aug 17).

Priority table:
    PRIORITY  DOWNSTREAM (BPS)  UPSTREAM (BPS)
    High      33.43 Mbps        32.81 Mbps
    Normal    86.43 Mbps        29.51 Mbps
    Low       0 Bps             0 Bps
    Control   14.18 Mbps        23.08 Mbps

1. The Business Priority tab page displays the priority (High, Normal, and Low) of the network traffic over a historical
period of time. If you mouse over a segment of the graph, the Business Policy characteristics and its associated Network
usage displays.

2. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the
mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets.
Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data
anywhere else on the chart.

3. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and
focus on the other series in the chart.

4. Quality of Experience (QoE), resource allocations, link/path steering, and error correction are automatically applied
based on business policies and application priorities. Traffic is orchestrated based on transport groups defined by
private and public links, policy definition, and link characteristics.

SD-WAN CONFIGURATION
3.1 CONFIGURE EDGES OVERVIEW
Figure: Configure > Edges list, with an "Assign Profile" button.

    NAME         PROFILE                    HA      DEVICE  BIZ. POL  FIREWALL  STATUS     MODEL     SERIAL NUMBER
    TestEdge 01  Default Internet Network   (icon)  (icon)  (icon)    (icon)    Activated  Edge500   VC00002008
    TestEdge 02  Default VPN Network        (icon)  (icon)  (icon)    (icon)    Activated  Edge1000  VC00003948
    TestEdge 03  VPN Network - Adtran 5355  (icon)  (icon)  (icon)    (icon)    Activated  Edge500   VC00003958
    TestEdge 04  VPN Network - Adtran 6355  (icon)  (icon)  (icon)    (icon)    Activated  Edge 340  VC00002954

1. The color-coded icons link you directly to the configuration areas for Device, Business Policy and Firewall. A gray
icon in one of the configuration columns indicates that all the rules in place are based on the "Default Profile"
settings; any other color means at least one rule override is in place.

2. The Edge device settings are inherited from the Profile selected for the Edge and can be simple if the network
configuration defined in the profile is used without modification. Overrides can be made to Network and Network
Service configuration as part of Edge configuration but should be used sparingly and for scenarios that are temporary.

3.2 CONFIGURE EDGES DEVICE
Figure: Configure > Edges > Device tab (tabs: Edge Overview, Device, Business Policy, Firewall).

Network Settings
    Network: VPN Network
    Assignable VLANs - Corporate Network: 1 - Corporate, 3 - Management, 14 - Office-West, 13 - Office-East
                       Guest Network: 64 - Guest, 80 - GuestBackup
    Management VLANs: All VLANs
High Availability
    Enabled. This option is not available when the LAN1 interface is set to "Routed".
Device Settings: Edge 500

VLAN Settings
    VLAN             SETTINGS                                                                         ACTIONS
    1 - Corporate    Network 10.0.0.0, IP Address 10.0.0.1, Mgmt IP 10.0.0.2, Interfaces LAN3 LAN4, DHCP
    3 - Management   Network 10.0.0.0, IP Address 10.0.0.3, Mgmt IP 10.0.0.4, Interfaces LAN2, DHCP
    7 - Corp Office  Network 10.0.0.0, IP Address 10.0.0.5, Mgmt IP 10.0.0.6, Interfaces LAN2, DHCP

Interface Settings ("Add WiFi SSID" button; Switch Port Settings / Routed Interface Settings)
    INTERFACE  INTERFACE OVERRIDE  MODE    VLANS                             ADDRESSING  WAN OVERLAY   ACTIONS
    LAN1       This interface is being used for High Availability
    LAN2                           Trunk   7 - Corp Offsite, 3 - Management
    LAN3                           Access  1 - Corporate
    LAN4                           Access  1 - Corporate
    INTERNET1                                                                DHCP        Auto Detect
    INTERNET2                                                                DHCP        Auto Detect
    SFP                                                                      PPPoE       User Defined
    USB1                                                                     DHCP        Disabled
    WLAN1                          Wifi    7 - Corp Offsite

Static Route Settings
    SUBNET         SOURCE IP  NEXT HOP    INTERFACE  VLAN  COST  PREFERRED   ADVERTISE   DESCRIPTION
    192.235.1.0/7  10.0.1.1   10.0.4.1    INTERNET1  1     0     (checkbox)  (checkbox)  Common
    192.235.2.0/7  10.0.3.55  10.0.4.120  INTERNET1  1     0     (checkbox)  (checkbox)  VPN
    192.235.3.0/7  N/A        10.0.3.1    INTERNET2  1     0     (checkbox)  (checkbox)  Web
    192.235.4.0/7  10.0.2.33  10.0.8.9    USB1       1     0     (checkbox)  (checkbox)  Backup

Wi-Fi Radio Settings (Enable Edge Override): Radio Enabled; Country: United States; Band: 2.4 GHz / 5 GHz; Channel: 149

DNS Settings (Enable Edge Override): Private DNS: DNS Internal Primary, DNS Internal Secondary (+); Public DNS: DNS Public

"VLAN: Corporate" dialog:
    VLAN: Edge LAN IP Address 10.0.0.1; Edge LAN Management IP Address 10.0.0.2; CIDR Prefix 8; Network 10.0.0.0;
          LAN Interfaces LAN3 LAN4
    DHCP (Enable Edge Override): Type Enabled; Static Addresses 10; Lease Time 1 day
    DHCP Options (Option Code, Data Type, Value): 2, integer, 5; 5, Text, 207.536.75.24.065
    CANCEL and OK buttons.

1. Network settings are inherited from the Profile selected for the Edge and can only be changed in the associated
profile. In addition, configuration overrides can be made to some settings that were configured in the Network, Network
Services, and Profile assigned to an Edge. In most cases, an override must first be enabled before changes can be made.
Overrides can be made to Interfaces and DNS.

2. Edges can be installed as a single standalone device or paired with another Edge to provide High Availability (HA)
support. The HA configuration can be achieved using L2 switches only or using a combination of L2 and L3
switches. The HA configuration is only for wired WAN connections.

3. VLAN Settings can be chosen for your LAN interfaces: the Edge LAN IP address, the Edge Management IP address, and
the CIDR prefix. You can also specify fixed IP addresses tied to specific MAC addresses. The LAN interfaces and the SSID
of any Wi-Fi interfaces that are configured for this VLAN are listed. Finally, a block for configuring DHCP is shown. DHCP
can be enabled (where a start address, the number of addresses, the lease time, and optional parameters are entered),
the address of one or more relay agents can be enabled, or DHCP can be disabled.

4. Interface Settings lists the Switch Ports with a summary of some of their settings (such as Access or Trunk mode and
the VLANs for the interface). Switch Ports are highlighted with a light yellow background.

5. Static Route Settings are useful for special cases where static routes are needed for existing network attached devices
(such as printers). The '+' icon on the right of the dialog box can be used to add additional Static Route Settings.

Perform these steps to specify the Static Route settings:

• Enter the subnet for the route.
• Enter the IP address for the route.
• Select the WAN interface where the Static Route will be bound.
• Select the Broadcast checkbox to advertise this route over VPN and allow other Edges in the network
  to have access to this resource.
• Optionally, add a description for the route.
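The following is an added example, not Windstream or VeloCloud code, showing the checks an administrator would want applied to a static route entry before it is saved through the steps above: the subnet must be a proper network prefix, the next hop a valid address of the same family that does not lie inside the routed subnet, the interface one of the Edge's WAN interfaces, plus the advertise (Broadcast) flag and an optional description. The interface set, the error type and the sample entries are constructed for illustration.

```python
"""Static route entry validation, added example (not Windstream or VeloCloud code).

Validates the fields entered in the Static Route Settings steps before they
would be saved. WAN interface names follow the screenshot; all else is assumed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed WAN interfaces, named after the Interface column of the screenshot.
WAN_INTERFACES = {"INTERNET1", "INTERNET2", "USB1"}


class StaticRouteError(ValueError):
    """Raised when an entry would be rejected."""


def validate_static_route(subnet: str, next_hop: str, interface: str,
                          advertise: bool = False, description: str = "") -> Dict[str, object]:
    """Return a normalised route entry, or raise StaticRouteError with the reason."""
    # Step 1: the subnet must be a network prefix with no host bits set.
    try:
        net = ipaddress.ip_network(subnet, strict=True)
    except ValueError as exc:
        raise StaticRouteError(f"subnet {subnet!r}: {exc}") from None
    # Step 2: the next hop must be a plain IP address of the same family...
    try:
        hop = ipaddress.ip_address(next_hop)
    except ValueError:
        raise StaticRouteError(f"next hop {next_hop!r} is not an IP address") from None
    if hop.version != net.version:
        raise StaticRouteError(f"next hop {next_hop} is IPv{hop.version} but subnet is IPv{net.version}")
    # ...and must not sit inside the prefix being routed (sanity check added here).
    if hop in net:
        raise StaticRouteError(f"next hop {next_hop} lies inside {net}; the route would point at itself")
    # Step 3: bind the route to a WAN interface the Edge has.
    if interface not in WAN_INTERFACES:
        raise StaticRouteError(f"interface {interface!r} is not a WAN interface ({sorted(WAN_INTERFACES)})")
    # Steps 4 and 5: advertise (Broadcast) flag and optional description.
    return {
        "subnet": str(net),
        "next_hop": str(hop),
        "interface": interface,
        "advertise": bool(advertise),
        "description": description.strip(),
    }


def validate_routes(entries: List[Tuple]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Validate a batch of entries; returns (accepted entries, rejection reasons)."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(validate_static_route(*entry))
        except StaticRouteError as exc:
            rejected.append(str(exc))
    return accepted, rejected


# Constructed sample entries: (subnet, next hop, interface, advertise, description).
SAMPLE_ENTRIES = [
    ("10.20.0.0/16", "10.0.4.1", "INTERNET1", True, "Printers"),
    ("192.168.1.5/24", "10.0.4.1", "INTERNET1", False, "host bits set"),
    ("10.30.0.0/16", "10.30.0.1", "INTERNET2", False, "next hop inside subnet"),
    ("10.40.0.0/16", "10.0.8.9", "LAN1", False, "not a WAN interface"),
]

if __name__ == "__main__":
    ok, bad = validate_routes(SAMPLE_ENTRIES)
    print("accepted:", ok)
    print("rejected:", bad)
```

Only the first sample entry passes; the other three are rejected with a reason that names the offending field, which is the feedback you want before a route is advertised over VPN to every other Edge.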

6. DNS is an optional service that allows you to create a configuration for DNS. The DNS Service can be for a public DNS
service or a private DNS service provided by your company. A Primary and Backup server can be specified. The service is
preconfigured to use Google and Open DNS servers.

7. The management IP address is used as the source address for local services (e.g. DNS) and as a destination for
diagnostic tests (e.g. pinging from another edge).

8. Dynamic Host Configuration Protocol (DHCP) dynamically assigns unique IP addresses to network devices. As
a network device joins or leaves an IP-based network, DHCP automatically renews or releases an IP address. DHCP
allows network administrators to centrally manage and automate the assignment of the IP addresses making network
administration a lot easier to manage.

9. Hover text appears at EACH "Enable Edge Override" field, as in the snapshot below. The following text should appear
with an information icon next to each occurrence of the "Enable Edge Override" field option:

Enable Edge Override (!)

    This option enables Edge specific edits to the displayed settings, and discontinues further automatic updates
    from the configuration profile for this module.

    For ongoing consistency and ease of updates it is recommended to set configurations at the Profile rather than
    Edge exception level.

10. The Wi-Fi Radio Settings determine whether the Wi-Fi radio is enabled, the country where the Edge is located, the
band of the Wi-Fi radio, and the channel used by the Wi-Fi network. If a specific country is selected, a specific Wi-Fi
channel can be selected. Note: Wi-Fi is an optional service; to add Wi-Fi to your existing service(s), please contact your
Account Executive.

11. DHCP can be configured on a Routed Interface. The routed interface must be configured with a STATIC address at the
Edge level. The usual DHCP Server settings can be specified, including Disabled (the default), Relay (configure as DHCP
relay), and Enabled (configure as a DHCP server, with options). If an Edge Override is enabled, the DHCP Start IP must be a
valid available IP within undefined/24 subnet.

3.3 CONFIGURE EDGES BUSINESS POLICY
Figure: Configure > Edges > Business Policy tab (tabs: Edge Overview, Device, Business Policy, Firewall), with
"Add Rule", "Import" and "Delete Rule" buttons and an "Enlarge" link.

Rule list (Match: Source, Destination, Application; Action: Net. Service, Link, Priority):
    RULE              SOURCE                  DESTINATION          APPLICATION                NET. SERVICE  LINK                              PRIORITY
    1 WAN Override    Ports: 5800             Ports: 5800          Any                        Direct        Mandatory: Local ISP Wireless     High (Edge Override)
    2 Offsite remote  VLAN: 7 - Corp Offsite  Any                  Any                        Direct        Preferred: INTERNET3, VLAN: 9     Normal
    3 Local apps      Any                     Hostname: backup.us  ftp (File Sharing)         Direct        Available: 46 - EF Private Wired  Low
    4 Speedtest       Any                     Protocol: TCP        speedtest (File Sharing)   Multi-Path    Auto                              High
    Rules from Profile
    5 VeloCloud       Any                     Any                  All VeloCloud              Direct        Auto                              Normal
    6 LogMeIn         Any                     Any                  LogMeIn (Remote Desktops)  Direct        Auto                              Normal

"Edit Rule" dialog (Rule Name: Local apps):
    Match   Source: Any / Define... (None, VLAN, IP Address; VLAN: Select; Ports; Operating System: None)
            Destination: Any / Define... (IP Address; Hostname, e.g. domain.com; Protocol: Select; Ports)
            Application: Any / Define... (Any Application, All VeloCloud, Anonymizers and Proxies, VeloCloud Control, ...)
    Action  Priority: High / Normal / Low; DSCP: Select
            Rate Limit: 0 % Link bandwidth (outbound), 0 % Link bandwidth (inbound)
            Network Service: Direct / Multi-Path
            Link Steering: Auto / Transport Group / Interface / WAN Link (Local ISP Wireless), as Mandatory / Preferred / Available
            NAT: Disabled / Enabled; Real Time / Transactional / Bulk
    CANCEL and SAVE buttons.

18
1. Based on the business policy configuration, SD-WAN examines the traffic being used, identifies the Application behavior,
the business service objective required for a given app (High, Med, or Low), and the Edge WAN Link conditions. Based
on this, the Business Policy optimizes Application behavior driving queuing, bandwidth utilization, link steering, and the
mitigation of network errors.

2. A number of rules are predefined and you can add your own rules to customize your network operation. Rules are
listed in order of highest precedence. Network traffic is managed by identifying its characteristics then matching the
characteristics to the rule with the highest precedence.

3. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric
value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the x
(cross) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.

4. If the Match Source Define option is chosen, the source traffic can be narrowed to a specific VLAN, an IP Address, a
Port, an Operating System, or any combination of the selections.

5. If the Match Destination Define option is chosen, the destination can first be narrowed to a type (Any, Internet, Edge,
or Non-SD-WAN Site). The destination can then be further defined by specifying an IP Address, Hostname, Protocol
(GRE, ICMP, TCP, or UDP), and a port.

6. The Action section allows traffic to be categorized by Priority as High, Normal, or Low. Percentage Rate Limits can also
be applied in both the Outbound and Inbound direction. Link Steering provides for:

a. Mandatory, where traffic will be sent over the WAN link or link Service-group specified. If the link
specified (or all links within the chosen service group) is inactive, or if a multi-path gateway route is
unavailable, the corresponding packet will be dropped.

b. Preferred, which indicates the traffic should preferably be sent over the WAN link or link Service-group
specified. If the link specified (or all links within the chosen service group) is inactive, if the multipath
gateway route chosen is unstable, or if the link Service Level Objective (SLO) is not being met, the
corresponding packet will be steered to the next best available link. If the preferred link becomes
available again, traffic will be steered back to the preferred link.

c. Available, which indicates the traffic should preferably be sent over the WAN link or link Service-group
specified as long as it is available (irrespective of link SLO). If the link specified (or all links within the chosen
service group) is not available, or if the multi-path gateway route chosen is unavailable, the corresponding
packet will be steered to the next best available link. If the link becomes available again, traffic
will be steered back to it.

3.4 CONFIGURE EDGES FIREWALL

Screen capture: the Edge Firewall tab with the Firewall Enabled and Logging Enabled switches; the Outbound Firewall Rules
table (Rule, Source, Destination, Application, Action), with Edge rules listed ahead of Rules from Profile; the Inbound Port
Forwarding table (Name, Rule, Interface, WAN Port(s), LAN IP, LAN Port, Remote IP/Subnet, Log); the Inbound NAT Rules table
(Name, Outside IP, Interface, Inside IP, Traffic Out Protocol, Port(s), Remote IP, Log); and the Add Rule dialog with Source
(Any/Define: VLAN, IP Address, Mac Address, Ports), Destination (Any/Define: VLAN, IP Address, Protocol, Ports) and
Application (Any/Define, by category then application) match fields.

1. Firewall rules are used to configure Allow or Deny Access Control List (ACL) rules. The rules determine what
traffic is allowed between VLANs or out from the LAN to the Internet. The rules can be based on applications, application
categories, source IP address/port, destination IP address/port, DSCP tags, or protocol. Network traffic is managed by
identifying its characteristics and then matching those characteristics to the rule with the highest precedence.

2. When adding a new Firewall rule using the dialog, you can select Source, Destination, and Application characteristics to
match. Given a match, the Firewall action defined in the rule will be applied.

3. When a Deny action is detected by the firewall, an Event is generated. The event can be seen in the list of events using
Monitor -> Events. When a Deny and Log action is detected, the Firewall logs the event locally.

4. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric
value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the –
(minus) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.

5. Mac Address Filtering is another Source option available in the Match area of the Add Rule dialog. Use the
Mac Address option when you want a filtering rule to apply to a specific client no matter what subnet the client is
associated with (the filtering rule is independent of the client’s subnet).

6. The Inbound Firewall Rules section provides Port Forwarding and 1:1 NAT rules that define how Internet traffic is filtered
or routed to an Edge via the Gateway. Configure rules to redirect traffic from a specific WAN port to a device (LAN IP/
LAN Port) within the local subnet. Optionally restrict the inbound traffic by IP or subnet. Port Forwarding Rules are used
to forward requests made on specific TCP or UDP ports to specific LAN IP addresses and ports on an Edge. The ‘+’ icon on
the right can be used to add additional Port Forwarding Rules.

7. 1:1 NAT Settings are used to map a public IP address to an Inside (LAN) IP address. A 1:1 NAT mapping can only be
configured with IP addresses that do not belong to the Edge. It can also translate outside IP addresses in subnets different
from the WAN interface address if the ISP routes traffic for the subnet towards the Edge. Each mapping is between one IP
address outside the firewall and one LAN IP address inside the firewall. Within each mapping, you can specify which ports
will be forwarded to the inside IP address. The ‘+’ icon on the right can be used to add additional 1:1 NAT settings.
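As an added illustration of items 6 and 7 (example code written for this guide, not Windstream or VeloCloud code), the following Python models an Edge's inbound rule evaluation: Port Forwarding rules are tried first, then 1:1 NAT mappings, and the Remote IP/Subnet column restricts which sources may use each rule. All interface names, addresses and ports are constructed, and the forwarding-before-NAT order is this example's assumption since the guide does not state it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """An inbound packet arriving on an Edge WAN interface (constructed sample)."""
    interface: str
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


@dataclass
class PortForward:
    """Inbound Port Forwarding rule: WAN port(s) on an interface -> LAN IP / LAN Port."""
    name: str
    protocol: str
    interface: str
    wan_ports: Tuple[int, int]        # inclusive port range
    lan_ip: str
    lan_port: int
    remote: Optional[str] = None      # Allowed Traffic Source (Remote IP/Subnet); None = any
    log: bool = False


@dataclass
class OneToOneNat:
    """Inbound 1:1 NAT rule: one Outside IP (not an Edge address) -> one Inside IP."""
    name: str
    outside_ip: str
    interface: str
    inside_ip: str
    protocol: str
    ports: Tuple[int, int]            # ports forwarded to the inside IP
    remote: Optional[str] = None
    log: bool = False


def source_allowed(remote: Optional[str], src_ip: str) -> bool:
    """Enforce the Remote IP/Subnet restriction; an empty column admits any source."""
    return remote is None or ip_address(src_ip) in ip_network(remote, strict=False)


def in_range(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]


def apply_inbound(packet: Packet, forwards: List[PortForward],
                  nats: List[OneToOneNat], log: List[str]) -> Optional[Tuple[str, int]]:
    """Return the (LAN IP, LAN port) an inbound packet is delivered to, or None when it
    is dropped. Port Forwarding rules are tried first, then 1:1 NAT mappings; a packet
    matching no rule is dropped, so the Remote IP/Subnet column is the control to fill in."""
    for r in forwards:
        if (r.interface == packet.interface and r.protocol == packet.protocol
                and in_range(packet.dst_port, r.wan_ports)):
            if not source_allowed(r.remote, packet.src_ip):
                log.append(f"DROP {r.name}: source {packet.src_ip} outside {r.remote}")
                return None
            if r.log:
                log.append(f"FORWARD {r.name}: {packet.src_ip} -> {r.lan_ip}:{r.lan_port}")
            return (r.lan_ip, r.lan_port)
    for n in nats:
        if (n.interface == packet.interface and n.outside_ip == packet.dst_ip
                and n.protocol == packet.protocol and in_range(packet.dst_port, n.ports)):
            if not source_allowed(n.remote, packet.src_ip):
                log.append(f"DROP {n.name}: source {packet.src_ip} outside {n.remote}")
                return None
            if n.log:
                log.append(f"NAT {n.name}: {packet.src_ip} -> {n.inside_ip}:{packet.dst_port}")
            return (n.inside_ip, packet.dst_port)   # 1:1 NAT keeps the destination port
    log.append(f"DROP no inbound rule for {packet.dst_ip}:{packet.dst_port}/{packet.protocol}")
    return None


# Constructed sample configuration (documentation address ranges, not real hosts).
FORWARDS = [
    PortForward("Internal Web", "TCP", "INTERNET1", (80, 80), "10.0.2.10", 8080,
                remote="203.0.113.0/24", log=True),
    PortForward("Secure Web", "TCP", "INTERNET1", (443, 443), "10.0.2.10", 8443),
]
NATS = [
    OneToOneNat("Remote Access", "192.0.2.50", "INTERNET2", "10.0.2.20", "TCP",
                (3389, 3389), remote="198.51.100.0/24", log=True),
]


def demo() -> List[Optional[Tuple[str, int]]]:
    """Run four constructed packets through the rules and print the resulting log."""
    log: List[str] = []
    packets = [
        Packet("INTERNET1", "203.0.113.7", "192.0.2.1", "TCP", 80),      # allowed source
        Packet("INTERNET1", "198.51.100.9", "192.0.2.1", "TCP", 80),     # outside remote subnet
        Packet("INTERNET2", "198.51.100.9", "192.0.2.50", "TCP", 3389),  # 1:1 NAT hit
        Packet("INTERNET2", "198.51.100.9", "192.0.2.50", "UDP", 3389),  # wrong protocol: dropped
    ]
    results = [apply_inbound(p, FORWARDS, NATS, log) for p in packets]
    for line in log:
        print(line)
    return results
```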

3.5 CONFIGURE PROFILE OVERVIEW

Screen capture: the Profiles list (Name, Used By, and Jump To icons for Device, Business Policy and Firewall) with ADD
PROFILE, DUPLICATE PROFILE and DELETE PROFILE buttons, and the Profile Overview page for one profile, divided into Networks
(Name, Addressing Type, and Corporate and Guest Addresses & VLANs with Network, Assignable VLANs and Edges) and Services
(Dynamic Multi-Path Optimization, Business Policy rules, Firewall outbound rules, BGP, OSPF, Cloud VPN, Application
Recognition, Identity, Wireless, 802.1x, SNMP and Netflow, each On or Off).
1. The color-coded icons link you directly to the configuration areas for Device, Business Policy, and Firewall. An icon
color of “Gray” in one of the configuration columns indicates that all the rules in place are based on the “Default Profile”
settings; any other color means at least one rule override is in place.

2. A Profile Overview page is displayed that provides a quick summary of all Networks and Services that are defined in the
profile. The overview is divided into two categories (Networks and Services). After all settings have been entered on the
Profile Device, Business Policy, and Firewall pages, the Profile Overview page should reflect the configurations you have
performed.

3. Networks shows the name of the Network configuration used, the type of addressing, and the Network addresses and
VLANs assigned to the Corporate and Guest networks.

4. Services shows a summary of the services provided by the Windstream SD-WAN system.

3.6 CONFIGURE PROFILE DEVICE

Screen capture: the Profile Device tab. Network Settings shows the Network, Assignable VLANs and Management VLANs
(Change...), with the Select Management VLANs dialog offering All VLANs (Recommended) or Customize, where only selected
VLANs (maximum 8) are assigned a management IP address. Device Settings lists the Edge models (Virtual Edge, Edge 1000,
Edge 5X6, Edge 560, Edge 500); for each, Interface Settings (Actions, Interface, Mode, VLANs, Addressing, WAN Overlay) cover
Switch Port Settings (e.g. LAN1 Trunk/All, LAN2 Access), Routed Interface Settings (e.g. INTERNET1 and INTERNET2 with DHCP
and Auto Detect overlay, USB1) and Wi-Fi SSIDs (ADD WIFI SSID), followed by Wi-Fi Radio Settings (Radio Enabled, Country,
Band 2.4 GHz/5 GHz, Channel) and DNS Settings (Private DNS, Public DNS). Interface dialogs: a switched LAN port (Interface
Enabled, Capability Switched, Mode Trunk/Access, VLANs, Untagged VLAN, L2 Settings: Autonegotiate, Speed, Duplex, MTU 1500);
a routed WAN interface (Capability Routed, Addressing Type DHCP, with the note that Static/PPPoE addressing details must be
configured individually per edge, WAN Overlay Auto-Detect, OSPF, NAT Direct Traffic, L2 Settings); and a WLAN interface
(VLAN, SSID, Broadcast, Security WPA2 / Personal, Passphrase, Use Captive Web Portal).
1. The Device Settings tab is used to select a Network, assign VLANs, configure wired and wireless LAN connections, and
configure DNS settings. Device configuration allows you to associate a Network configuration with a Profile, configure
Interfaces, and choose Network Services to be associated with a Profile. Choosing a Network and selecting Network
Services can be performed from drop-down lists on this tab page.

2. The Network Settings section of the Device tab page shows the Network associated with the Profile, the list of Assignable
VLANs, and the list of Management VLANs.

3. The Select Assignable VLANs dialog is used to select the VLANs that will be supported by this Profile.

4. For the Management VLANs in a typical corporate VLAN definition, two IP addresses are preallocated. The first IP address
in the subnet is assigned to address the subnet and the second IP address is used for a management function (such as
Ping). These values can be seen and modified in the Subnet Addressing section of the Edge Device tab. The default is “All
VLANs will be assigned a management IP address.”

5. For VLAN definitions where the number of IP addresses must be tightly controlled, the creation of the Management IP
address can be suppressed by customizing which VLANs have a Management IP address. The Select Management VLANs
dialog is used to select which of the available corporate VLANs will be assigned a Management IP address (all VLANs in
the Selected VLANs list in the screen capture). If you customize the list of VLANs, new VLANs that you add are not
given a Management IP address. If you want a new VLAN to have a Management IP address, you will need to add the new
VLAN to the list of Selected VLANs via the Select Management VLANs dialog.

6. Device Settings allows you to configure the Interface Settings for one or more Edge models in a profile. Depending on the
Edge Model, each interface can be a Switch Port (LAN) interface or a Routed (WAN) Interface. Depending on the Branch
Model, a connection port is a dedicated LAN or WAN port, or ports can be configured to be either a LAN or WAN port.
Branch ports can be Ethernet or SFP ports. Some Edge models may also support wireless LAN interfaces. It is assumed
that a single public WAN link is attached to a single interface that only serves WAN traffic. If no WAN link is configured for
a routed interface that is WAN capable, it is assumed that a single public WAN link should be automatically discovered.
If one is discovered, it will be reported back, and this auto-discovered WAN link can then be modified and the new
configuration pushed back to the branch.

7. Actions you can perform on the network interface, such as Edit or Delete.

8. The Interface name. This name matches the Edge port label on the Edge device or is predetermined for wireless LANs.

9. The list of Switch Ports with a summary of some of their settings (such as Access or Trunk mode and the VLANs for the
interface). Switch Ports are highlighted with a light yellow background.

10. The list of Routed Interfaces with a summary of their settings (such as the addressing type and if the interface was
auto-detected or has an Auto Detected or User Defined WAN overlay). Routed Interfaces are highlighted with a light blue
background.

11. The list of Wireless Interfaces (if available on the Edge device). You can add additional wireless networks by clicking the
Add Wi-Fi SSID button. Wireless Interfaces are highlighted with a light gray background. Note: Wi-Fi is an optional service;
to add Wi-Fi to your existing service(s), please contact your Account Executive.

12. You can configure Edge device LAN interfaces as Access Ports where you can choose a VLAN for the port and select L2
Settings for Autonegotiate (selected by default), Speed, Duplex type, and MTU size (default 1500). You can also configure
Edge device LAN interfaces as Trunk Ports where you can choose VLANs for the port, how Untagged VLAN data is
handled (routed to a specific VLAN or Dropped) and select L2 Settings for Autonegotiate (selected by default), Speed,
Duplex type, and MTU size (default 1500).

13. WAN interfaces can be “Routed” (where routing is done between two networks using IP addresses) or
“Switched” (where packets are transferred from source to destination using MAC addresses; switching is done
within the network). You can also choose the Addressing Type (DHCP, PPPoE, or Static), a WAN Overlay (Auto-Detect or User
Defined), enable OSPF, enable NAT Direct Traffic, and select L2 Settings for Autonegotiate (selected by default), Speed,
Duplex type, and MTU size (default 1500).

14. Initially two Wi-Fi networks are defined for the Edge: one as a “Corporate” network and one as a “Guest” network that is
initially disabled. Additional wireless networks can be defined, each with a specific VLAN, SSID, and security configuration.
Note: Wi-Fi is an optional service; to add Wi-Fi to your existing service(s), please contact your Account Executive.

15. Security for your Wi-Fi connections can be one of three types:
• Open: No security is enforced.
• WPA2 / Personal: A password is used to authenticate a user.
• WPA2 / Enterprise: A server is used to authenticate a user. In this scenario, a Server must be configured in Network
Services and the Server must be selected in the Profile Authentication Settings on the Device page. The default
settings for Security can also be overridden on the Edge Device page.

16. The Wi-Fi Radio Settings determine whether the Wi-Fi radio is enabled, the country where the Edge is located, the band
of the Wi-Fi radio, and the channel used by the Wi-Fi network. Once a country is selected, a specific Wi-Fi channel can be
chosen. Note: Wi-Fi is an optional service; to add Wi-Fi to your existing service(s), please contact your Account Executive.

17. The Device DNS Settings allow you to specify which Network Services DNS Service will be used.

3.7 CONFIGURE PROFILE BUSINESS POLICY

Screen capture: the Profile Business Policy tab with ADD RULE, IMPORT and DELETE RULE buttons and a rule table (Match: Rule,
Source, Destination, Application; Action: Net. Service, Link, Priority), and the rule dialog: Match fields Source (VLAN,
IP Address, Ports, Operating System), Destination (IP Address, Hostname, Protocol, Ports) and Application (by category then
application); Action fields Priority (High/Normal/Low), Rate Limit, Network Service (Direct/Multi-Path), Link Steering
(Auto/Transport Group/Interface/WAN Link), Inner Packet DSCP Tag, Outer Packet DSCP Tag, NAT (Disabled/Enabled) and Service
Class (Real Time/Transactional/Bulk).
1. Based on the business policy configuration, SD-WAN examines the traffic being used, identifies the Application behavior,
the business service objective required for a given app (High, Med, or Low), and the Edge WAN Link conditions. Based on
this, the Business Policy optimizes Application behavior driving queuing, bandwidth utilization, link steering, and the
mitigation of network errors.

2. A number of rules are predefined and you can add your own rules to customize your network operation. Rules are
listed in order of highest precedence. Network traffic is managed by identifying its characteristics then matching the
characteristics to the rule with the highest precedence. You can move your configured rules up or down in the list of
rules to establish precedence by hovering over the numeric value at the left side of the rule and moving the rule up or
down. If you hover over the right side of a rule, click the – (minus) sign next to the rule to remove it from the list or the +
(plus) sign to add a new rule.

3. You can select Match choices for network traffic based on the Source of the traffic, the Destination of the traffic, and/or
the type of Application that generated the traffic. Given a match, the Actions defined in the lower part of the dialog for
the rule will be applied. For each of the Match selections, the option “Any” is used to designate any traffic from a source,
destination, or application. If the Match Source “Define” option is chosen, the source traffic can be narrowed to a specific
VLAN, an IP Address, a Port, an Operating System, or any combination of the selections.

4. If the Match Destination Define option is chosen, additional parameters can be specified to identify the traffic
destination (see the screen capture). The destination can first be narrowed to a type (Any, Internet, Edge, or Non-SD-WAN
Site). The destination can then be further defined by specifying an IP Address, Hostname, Protocol (GRE, ICMP, TCP, or
UDP), and a port. Match Destination options are particularly useful if the same traffic match pattern needs to be assigned
different QoS values depending on the route taken. As an example, you may want to assign a higher priority to traffic
destined to an SD-WAN Site versus regular cloud-based internet traffic. This can be easily achieved using the Destination
configuration value.

5. If the Match Application Define option is chosen, applications can be chosen first by category and then by specific
application. In addition, a DSCP value can be specified to match traffic coming in with a preset DSCP/TOS tag. Depending
on your Match choices, some Actions may not be available. For example, if All Applications is chosen, the Network Service
and Link Actions are grayed out and are not available for selection.

6. The Action “Priority” parameter allows traffic to be categorized as High, Normal, or Low. Percentage Rate Limits can also
be applied in both the Outbound and Inbound direction.

7. The Action “Network Service” parameter can be set to Direct or Internet Multi-path. The Direct option explicitly sets
the traffic to be sent to the destination directly, bypassing the SD-WAN Gateway; this option is only applicable for
Destination = Internet. The Internet Multi-path option explicitly marks the traffic to be sent over the SD-WAN Gateway,
utilizing the benefits of per-packet link steering, multipath redundancy, and error correction.

8. The Action “Link Steering” parameter can be set by Service Group (Transport Group), by Interface, or by WAN Link. A
Transport Group represents WAN links bundled together based on similar characteristics and functionality. Defining a
Transport Group allows business abstraction so that similar policy can apply across different hardware types. For the
“Transport Group” option, you select the Transport Group type of All, Public Wired, Public Wireless, or Private Wired. This
option is allowed at both the Edge override level and the Profile level.

• “Mandatory” indicates that traffic will be sent over the WAN link or link Service-group specified. If the
link specified (or all links within the chosen service group) is inactive, or if a multi-path gateway route is
unavailable, the corresponding packet will be dropped.

• “Preferred” indicates the traffic should preferably be sent over the WAN link or link Service-group specified.
If the link specified (or all links within the chosen service group) is inactive, if the multipath gateway route
chosen is unstable, or if the link Service Level Objective (SLO) is not being met, the corresponding packet
will be steered to the next best available link. If the preferred link becomes available again, traffic will be
steered back to the preferred link.

• “Available” indicates the traffic should preferably be sent over the WAN link or link Transport group specified
as long as it is available (irrespective of link SLO). If the link specified (or all links within the chosen service
group) is not available, or if the multi-path gateway route chosen is unavailable, the corresponding packet
will be steered to the next best available link. If the link becomes available again, traffic will be
steered back to it.

9. You can configure Policy Based NAT for both Source and Destination. The NAT can be applied to either Non-SD-WAN
Site traffic or Internet traffic using Multi-Path. When configuring NAT, you must define which traffic to NAT and the action
you want to perform. There are two types of NAT configuration: Many-to-One and One-to-One.

10. The Service Class parameter can be set to Real-time (time sensitive traffic), Transactional, or Bulk. This option is only
for custom applications; SD-WAN Apps/Categories already fall in one of these classes.
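Added example (not Windstream or VeloCloud code) for the rule precedence and Link Steering behaviour described in sections 3.3 and 3.7: rules are tried in order with Edge rules ahead of Rules from Profile, the first match supplies the Action, and Mandatory, Preferred and Available decide which WAN link carries a packet given link state and SLO. Rule names, links, applications and addresses are constructed, and the way the "next best available link" is chosen is this example's simplification.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Link:
    """A WAN link: its Transport Group, up/down state and whether its SLO is currently met."""
    name: str
    group: str            # "Public Wired", "Public Wireless" or "Private Wired"
    up: bool = True
    slo_met: bool = True


@dataclass
class Flow:
    """Traffic characteristics the Match section looks at (constructed sample)."""
    vlan: int
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int
    application: str


@dataclass
class Rule:
    """One Business Policy rule: Match fields (None means Any) plus the Action."""
    name: str
    priority: str = "Normal"             # High / Normal / Low
    steering: str = "Auto"               # Auto / Mandatory / Preferred / Available
    target: Optional[str] = None         # WAN link name or Transport Group for steering
    vlan: Optional[int] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    application: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return all([
            self.vlan is None or f.vlan == self.vlan,
            self.src_net is None or ip_address(f.src_ip) in ip_network(self.src_net),
            self.dst_net is None or ip_address(f.dst_ip) in ip_network(self.dst_net),
            self.protocol is None or f.protocol == self.protocol,
            self.dst_port is None or f.dst_port == self.dst_port,
            self.application is None or f.application == self.application,
        ])


def first_match(edge_rules: List[Rule], profile_rules: List[Rule], flow: Flow) -> Rule:
    """Rules are tried in precedence order; Edge rules sit above Rules from Profile."""
    for rule in edge_rules + profile_rules:
        if rule.matches(flow):
            return rule
    raise LookupError("no rule matched; keep a catch-all Any/Any/Any rule last")


def next_best(links: List[Link], exclude: List[Link]) -> Optional[str]:
    """Next best available link: an active link outside `exclude`, SLO-meeting ones first."""
    active = [lk for lk in links if lk.up and lk not in exclude]
    active.sort(key=lambda lk: not lk.slo_met)     # stable sort keeps configured order otherwise
    return active[0].name if active else None


def steer(rule: Rule, links: List[Link]) -> Optional[str]:
    """Pick the link carrying a packet under the rule's Link Steering; None means dropped."""
    if rule.steering == "Auto":
        return next_best(links, [])
    named = [lk for lk in links if rule.target in (lk.name, lk.group)]
    active = [lk for lk in named if lk.up]
    if rule.steering == "Mandatory":
        return active[0].name if active else None      # named link(s) inactive: packet dropped
    if rule.steering == "Preferred":
        meeting_slo = [lk for lk in active if lk.slo_met]   # leave when down or SLO missed
        return meeting_slo[0].name if meeting_slo else next_best(links, named)
    if rule.steering == "Available":
        return active[0].name if active else next_best(links, named)   # SLO is ignored
    raise ValueError(f"unknown Link Steering mode {rule.steering!r}")


# Constructed sample policy: Edge overrides first, then rules inherited from the Profile.
EDGE_RULES = [
    Rule("Voice", priority="High", steering="Preferred", target="Private Wired", application="voip"),
    Rule("Backup", priority="Low", steering="Available", target="INTERNET1",
         application="backup", dst_net="10.10.0.0/16"),
    Rule("POS terminals", priority="High", steering="Mandatory", target="INTERNET1", vlan=19),
]
PROFILE_RULES = [
    Rule("Speedtest", priority="High", protocol="TCP", application="speedtest"),
    Rule("Default"),                     # catch-all Any/Any/Any with Auto steering
]


def decide(flow: Flow, links: List[Link]):
    """Return (rule name, priority, chosen link or None) for a flow."""
    rule = first_match(EDGE_RULES, PROFILE_RULES, flow)
    return rule.name, rule.priority, steer(rule, links)
```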

3.8 CONFIGURE PROFILE FIREWALL

Screen capture: the Profile Firewall tab with the Firewall Enabled and Logging Enabled switches, the Outbound Firewall Rules
table (Rule, Source, Destination, Application, and Action such as Allow, Deny, Allow and log), and the rule dialog with
Source (VLAN, IP Address, Ports), Destination (VLAN, IP Address, Protocol, Ports) and Application (by category then
application) match fields.
1. Firewall rules are used to configure Allow or Deny Access Control List (ACL) rules. The rules determine
what traffic is allowed between VLANs or out from the LAN to the Internet. The rules can be based on applications,
application categories, source IP address/port, destination IP address/port, DSCP tags, or protocol. Network traffic is
managed by identifying its characteristics and then matching those characteristics to the rule with the highest precedence.
Note that the Firewall function can be disabled using the Firewall Enabled switch. This page allows you to define Outbound
Firewall Rules and Edge Access. Inbound rules must be defined at each Edge.

2. Using the dialog, you can select Source, Destination, and Application characteristics to match. You can use these
parameters to select precisely where you want the Firewall rule to be applied. Given a match, the Firewall action defined
in the rule will be applied. Note: When a Deny action is detected by the firewall, an Event is generated. The event can
be seen in the list of events using Monitor > Events. When a Deny and Log action is detected, the Firewall logs the event
locally.

3. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric
value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the –
(minus) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.

4. Mac Address Filtering is a Source option available in the Match area of the rule dialog. Use the
Mac Address option when you want a filtering rule to apply to a specific client no matter what subnet the client is
associated with (the filtering rule is independent of the client’s subnet). To enable this filter, choose the Mac Address
radio button, type in the Mac address, and click the OK button.
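Added example (not Windstream or VeloCloud code) for the outbound ACL evaluation described in sections 3.4 and 3.8: Edge rules are evaluated ahead of Rules from Profile, the first match decides Allow, Deny or Deny and log, every Deny raises an Event and Deny and log also writes a local log entry, and a Mac Address match applies to the client regardless of its subnet. Rules, addresses and MAC addresses are constructed; the "NoMatch" outcome for a flow no rule covers is this example's choice, since the guide states no implicit default.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Flow:
    """Characteristics of an outbound or inter-VLAN flow (constructed sample)."""
    src_ip: str
    src_mac: str
    src_vlan: int
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    application: str
    category: str
    dscp: Optional[int] = None


@dataclass
class FwRule:
    """One ACL rule; every match field left as None means Any."""
    name: str
    action: str = "Allow"                # Allow / Deny / Deny and log
    src_vlan: Optional[int] = None
    src_net: Optional[str] = None
    src_mac: Optional[str] = None        # Mac Address filter: matches the client in any subnet
    src_ports: Optional[range] = None
    dst_net: Optional[str] = None
    protocol: Optional[str] = None
    dst_ports: Optional[range] = None
    application: Optional[str] = None
    category: Optional[str] = None       # e.g. "Business Application", "Email", "Media"
    dscp: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return all([
            self.src_vlan is None or f.src_vlan == self.src_vlan,
            self.src_net is None or ip_address(f.src_ip) in ip_network(self.src_net),
            self.src_mac is None or f.src_mac.lower() == self.src_mac.lower(),
            self.src_ports is None or f.src_port in self.src_ports,
            self.dst_net is None or ip_address(f.dst_ip) in ip_network(self.dst_net),
            self.protocol is None or f.protocol == self.protocol,
            self.dst_ports is None or f.dst_port in self.dst_ports,
            self.application is None or f.application == self.application,
            self.category is None or f.category == self.category,
            self.dscp is None or f.dscp == self.dscp,
        ])


@dataclass
class Firewall:
    """Edge rules are evaluated ahead of Rules from Profile; the first match wins."""
    edge_rules: List[FwRule]
    profile_rules: List[FwRule]
    enabled: bool = True                                  # the Firewall Enabled switch
    events: List[str] = field(default_factory=list)       # shown under Monitor > Events
    local_log: List[str] = field(default_factory=list)    # written only for Deny and log

    def evaluate(self, f: Flow) -> str:
        """Return 'Allow', 'Deny', or 'NoMatch' when no rule covers the flow."""
        if not self.enabled:
            return "Allow"                                # firewall disabled: no ACL applied
        for rule in self.edge_rules + self.profile_rules:
            if not rule.matches(f):
                continue
            if rule.action.startswith("Deny"):
                entry = (f"rule '{rule.name}' denied {f.src_ip} (VLAN {f.src_vlan}) -> "
                         f"{f.dst_ip}:{f.dst_port}/{f.protocol} app={f.application}")
                self.events.append(entry)                 # every Deny raises an Event
                if rule.action == "Deny and log":
                    self.local_log.append(entry)          # Deny and log also logs locally
                return "Deny"
            return "Allow"
        return "NoMatch"   # assumption: no implicit default is stated, so end with a catch-all


# Constructed sample policy; MAC and IP addresses are illustrative only.
FW = Firewall(
    edge_rules=[
        FwRule("Quarantined laptop", "Deny and log", src_mac="aa:bb:cc:dd:ee:01"),
        FwRule("Streaming Music", "Deny", category="Media"),
    ],
    profile_rules=[
        FwRule("Business Apps", "Allow", category="Business Application"),
        FwRule("Email", "Allow", protocol="TCP", dst_ports=range(587, 588), category="Email"),
        FwRule("DenyAll", "Deny and log"),                # explicit catch-all at lowest precedence
    ],
)


def check(src_mac: str, vlan: int, dst_port: int, protocol: str,
          application: str, category: str) -> str:
    """Evaluate one constructed flow from a LAN client against FW."""
    flow = Flow("10.0.1.25", src_mac, vlan, 51000, "203.0.113.10", dst_port,
                protocol, application, category)
    return FW.evaluate(flow)
```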

3.9 CONFIGURE NETWORK

Screen capture: the Networks list (Name, Used By, Address Type, Address Space, VLANs) with NEW NETWORK, DELETE NETWORK and
DUPLICATE NETWORK buttons; the network editor with Name, Description and Address Type (Non Overlapping Addresses);
Corporate Networks (addresses and VLANs) with Address Space 10.0.0.0/8, the Allocation values Edges 16, Address/Edge
1048576, Edge Prefix 12 and VLANs/Edge 8, and a VLAN table (Name, VLAN ID, DHCP Type, Static Addresses, DHCP Addresses,
DHCP Options); Guest Networks (addresses and VLANs) with a /22 Address Space, Edges 32, Address/Edge 32, Edge Prefix 27 and
VLANs/Edge 4; and the New VLAN dialog (VLAN Name, VLAN ID, DHCP Type Enabled/Relay/Disabled, Static Addresses, Lease Time,
DHCP Options).
1. Networks are standard configurations that define network address spaces and VLAN assignments for Edges. Networks
configure two network types: Corporate (or trusted networks) and Guest (or untrusted networks). Multiple Corporate and
Guest Networks can be defined. VLANs can be assigned to both Corporate and Guest Networks.

2. Corporate Networks can be configured with either Overlapping Addresses or Non-overlapping Addresses. With
overlapping addresses, all Edges using the Network have the same address space. Overlapping addresses are associated
with non-VPN configurations. Guest networks always use overlapping addresses.

3. With non-overlapping addresses, an address space is divided into blocks of an equal number of addresses. Non-
overlapping addresses are associated with VPN configurations. The address blocks are assigned to Edges that use
the Network so that each Edge has a unique set of addresses. When using non-overlapping addressing, SD-WAN
automatically allocates blocks of addresses based on the maximum number of Edges you predict will use the Network
configuration.

4. For Corporate Networks the address space was set in a previous step when you create the network space and will
be distributed across the number of Edges chosen using the Allocation slider. You can specify the number of Edges,
the Addresses/Edge, and the Edge Prefix. The Allocation slider help you choose these values by calculating the values
when all addresses are assigned across the number of Edges. This is the built-in IPAM IP address management for Edges
to allocate LAN side subnet behind the Edge. Once a Network is assigned to an Edge, it is not possible to change the
Address Space Allocation. The number of Edges is the maximum number of Edges that will ever be deployed using this
Network. The Addresses/Edge defines the size of the address space for each Edge.

5. You can define as many VLANs as you like for the Corporate Network but the Max VLANs value specifies the maximum
number you can specify for use in a Profile or Edge. Click the New button to create a new VLAN where you can configure
the VLAN Name, VLAN ID, and the DHCP configuration.

6. After you configure the VLAN Name and VLAN ID, choose a DHCP type of Enabled, Relay, or Disabled:

• Enabled: the Edge is the DHCP server for the VLAN. When you choose Enabled, you can add one or more DHCP
options, either predefined options or custom options that you define.

• Relay: the DHCP server is at a remote location. When you choose Relay, you specify the IP address of one or
more Relay Agents to which DHCP requests are forwarded.

• Disabled: DHCP is turned off for this VLAN. IP addresses are not provided by DHCP, so hosts on the VLAN must be
configured with static addresses.

7. The Guest Network is an untrusted network and always uses an overlapping address space. It is completely segmented
from the Corporate Network and placed in a separate VRF. The Guest Network section (see screen capture below) defines
the Address Space. You can define as many VLANs as you like for the Guest Network, but the Max VLANs value specifies
the maximum number you can use in a Profile or Edge.
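
The block arithmetic behind steps 3 and 4, as an added worked example in Python using the standard ipaddress module. This is not code from this guide or from the SD-WAN product: the address space, the Edge names, and the assumption that the Allocation slider rounds the per-Edge block down to the nearest power of two (so every requested Edge still fits) are illustrative choices made here.

```python
import ipaddress

# Illustrative values (assumption, not from the guide): a Corporate Network
# address space and a few Edge names that will each receive one block.
NETWORK_SPACE = "10.10.0.0/16"
EDGES = ["branch-001", "branch-002", "branch-003"]


def plan_allocation(network_space, num_edges=None, addresses_per_edge=None):
    """Reproduce the arithmetic behind the Allocation slider.

    Given the address space and EITHER the maximum number of Edges OR the
    addresses per Edge, return (num_edges, addresses_per_edge, edge_prefix)
    such that the whole space is split into equal, non-overlapping blocks.
    Blocks are prefixes, so the per-Edge size must be a power of two; when a
    requested Edge count does not divide the space evenly, the block size is
    rounded down (an assumption about the slider) so that every Edge fits.
    """
    net = ipaddress.ip_network(network_space, strict=True)
    total = net.num_addresses
    if (num_edges is None) == (addresses_per_edge is None):
        raise ValueError("give exactly one of num_edges or addresses_per_edge")
    if addresses_per_edge is None:
        if not 1 <= num_edges <= total:
            raise ValueError(f"{num_edges} Edges cannot be carved out of {total} addresses")
        # Largest power of two that is <= total // num_edges.
        addresses_per_edge = 1 << ((total // num_edges).bit_length() - 1)
    if addresses_per_edge < 1 or addresses_per_edge & (addresses_per_edge - 1):
        raise ValueError("addresses per Edge must be a power of two")
    if addresses_per_edge > total:
        raise ValueError("addresses per Edge exceeds the address space")
    edge_prefix = net.max_prefixlen - (addresses_per_edge.bit_length() - 1)
    return total // addresses_per_edge, addresses_per_edge, edge_prefix


def allocate_blocks(network_space, edge_prefix, edges):
    """Hand each Edge its own block, in order.

    Because the allocation cannot be changed once an Edge uses the Network,
    running out of blocks is a hard error rather than something to paper over.
    """
    net = ipaddress.ip_network(network_space, strict=True)
    blocks = list(net.subnets(new_prefix=edge_prefix))
    if len(edges) > len(blocks):
        raise ValueError(
            f"{len(edges)} Edges requested but a /{edge_prefix} plan only has {len(blocks)} blocks")
    return {edge: blocks[i] for i, edge in enumerate(edges)}


def verify_non_overlapping(allocation):
    """Confirm the invariant the guide promises: no two Edges share addresses."""
    blocks = list(allocation.values())
    return all(not a.overlaps(b)
               for i, a in enumerate(blocks) for b in blocks[i + 1:])


if __name__ == "__main__":
    n_edges, per_edge, prefix = plan_allocation(NETWORK_SPACE, num_edges=200)
    print(f"{NETWORK_SPACE}: {n_edges} Edges x {per_edge} addresses (Edge Prefix /{prefix})")
    allocation = allocate_blocks(NETWORK_SPACE, prefix, EDGES)
    for edge, block in allocation.items():
        print(f"  {edge}: LAN-side subnet {block}")
    print("non-overlapping:", verify_non_overlapping(allocation))
```

Asking for 200 Edges out of a /16 yields 256 blocks of 256 addresses (Edge Prefix /24), which is the figure to size against: the 57th Edge beyond that ceiling cannot be added without a new Network.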

3.10 CONFIGURE NETWORK SERVICES

[Screen capture: the DNS Services list (NEW / DELETE buttons) and the edit dialog for the "DNS Private" entry]

NAME           TYPE      ADDRESS                                        USED BY
DNS Private    Private   Primary: 193.543.1.1    Backup: none           0
DNS Public     Public    Primary: 129.446.1.2    Backup: 129.34.2.5     0
Google DNS     Public    Primary: 8.8.8.8        Backup: 8.8.4.4        0
DNS Internal   Public    Primary: 16.3.5.1       Backup: none           0

Edit dialog for DNS Private: Type: Private; Server Details: Name "DNS Private", Primary Server 192.158.1.1, Backup
Server field showing the placeholder "Ex: 54.124.5.789"; Private Domains: sub.dd.com, with a Description field;
CANCEL / SAVE buttons.

(Values are as shown in the screen capture; several of them, such as 193.543.1.1 and 54.124.5.789, are illustrative
placeholders rather than valid IPv4 addresses and should not be copied into a real configuration.)

1. Network Services for SD-WAN lets you define your Enterprise Network Services once and reuse the definitions across
all Profiles; this includes DNS services. A service defined under Network Services is not used until it is assigned in
a Profile.

2. The Domain Name System (DNS) translates domain names into IP addresses, so websites can be reached by typing their
names into a browser instead of their IP addresses. The DNS service is optional and lets you create a DNS configuration
for either a public DNS service or a private DNS service operated by your company. A Primary and a Backup server can be
specified. The recommended practice is to place the primary and backup DNS servers on separate machines, on separate
Internet connections, and in separate geographic locations, for redundancy. The service is preconfigured with Google
and OpenDNS public servers. For a private service, you can also specify one or more Private Domains. Because the
resolvers chosen here sit on the path of every name lookup from the Edges that use the Profile, check each address
before saving: a mistyped server silently breaks name resolution for those sites, and an untrusted one can redirect it.
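
A definition check for DNS Services, as an added example that is not part of this guide or of the SD-WAN product. The sample service list is constructed here to mirror the table above, including its malformed addresses, so the check has something to catch; the finding codes, the requirement that a backup server always be present, and the rule that Private Domains apply only to a private service are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample modelled on the DNS Services table in this guide. The
# malformed addresses are copied from the screen capture on purpose; none of
# these entries describe real servers.
DNS_SERVICES = [
    {"name": "DNS Private", "type": "Private", "primary": "193.543.1.1",
     "backup": None, "private_domains": ["sub.dd.com"]},
    {"name": "DNS Public", "type": "Public", "primary": "129.446.1.2",
     "backup": "129.34.2.5", "private_domains": []},
    {"name": "Google DNS", "type": "Public", "primary": "8.8.8.8",
     "backup": "8.8.4.4", "private_domains": []},
    {"name": "DNS Internal", "type": "Public", "primary": "16.3.5.1",
     "backup": None, "private_domains": []},
]

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_ip(text):
    """True for a syntactically valid IPv4 or IPv6 address (catches 193.543.1.1)."""
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return False
    return True


def valid_domain(name):
    """True for a plausible private domain such as sub.dd.com (at least two labels)."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def check_service(svc):
    """Return (code, message) findings for one DNS service definition."""
    findings = []
    if not valid_ip(svc["primary"]):
        findings.append(("bad-primary",
                         f"primary server {svc['primary']!r} is not a valid IP address"))
    backup = svc.get("backup")
    if backup is None:
        findings.append(("no-backup",
                         "no backup server; the guide recommends a second server on "
                         "separate hardware, connection and location"))
    elif not valid_ip(backup):
        findings.append(("bad-backup", f"backup server {backup!r} is not a valid IP address"))
    elif backup == svc["primary"]:
        findings.append(("same-backup",
                         "backup server is identical to the primary and adds no redundancy"))
    domains = svc.get("private_domains") or []
    if svc["type"] == "Private" and not domains:
        findings.append(("no-private-domains", "private service lists no Private Domains"))
    if svc["type"] == "Public" and domains:
        findings.append(("domains-on-public", "Private Domains only apply to a private service"))
    for domain in domains:
        if not valid_domain(domain):
            findings.append(("bad-domain", f"{domain!r} is not a valid domain name"))
    return findings


def check_all(services):
    """Map each service name to its findings; an empty list means it passed."""
    return {svc["name"]: check_service(svc) for svc in services}


if __name__ == "__main__":
    for name, findings in check_all(DNS_SERVICES).items():
        status = "ok" if not findings else "; ".join(msg for _, msg in findings)
        print(f"{name}: {status}")
```

Run against the sample, only the preconfigured Google entry passes; the two screen-capture placeholders fail the address check and both "none" backups are reported, which is the point of running such a check before assigning the service to a Profile.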
