SD-WAN Typical Deployment Examples

SD-WAN
Typical Deployment Examples
Issue 03
Date 2021-04-12
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: https://e.huawei.com
Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. i

SD-WAN
Typical Deployment Examples Contents
Contents
1 Building an SD-WAN Network............................................................................................. 1

1.1 Introduction to Building an SD-WAN Network............................................................................................................ 1
1.2 Standard SD-WAN Networking Solutions...................................................................................................................... 4
1.3 Creating SD-WAN Sites and Configuring ZTP............................................................................................................... 8
1.3.1 Full-Mesh Networking (Single Hub and Co-deployed RR)................................................................................... 8
1.3.2 Hub-Spoke Networking (Dual Hubs and Co-deployed RR)............................................................................... 30
1.3.3 Multi-Area Hierarchical Networking...........................................................................................................................60
1.3.4 Multi-Tenant Networking............................................................................................................................................. 100
1.3.5 Building an SD-WAN Network with 5G Links as Backup Links...................................................................... 144
1.3.6 Building a Hierarchical SD-WAN Network Using Multiple Sub Interfaces for Interconnection.......... 166
1.3.7 Building a Multi-Hub SD-WAN Network Using the Hub-Spoke Topology................................................. 217
1.3.8 Connecting Sites to an MPLS Backbone Network Through Gateways.........................................................239
1.4 Configuring WAN-side Routes for Sites (Underlay Network).............................................................................291
1.4.1 Configuring BGP and Static Routes.......................................................................................................................... 291
1.5 Configuring Multi-VPN Isolation................................................................................................................................... 301
1.5.1 Configuring Multiple VPNs.......................................................................................................................................... 301
1.6 Configuring LAN-side Interfaces for Sites (Overlay Network)........................................................................... 304
1.6.1 Configuring Interconnection Between VLANs and LAN-side Networks.......................................................304
1.7 Configuring LAN-side Routes for Sites (Overlay Network)................................................................................. 310
1.7.1 Configuring LAN-side OSPF Routes.......................................................................................................................... 310
1.8 Configuring Intelligent Traffic Steering...................................................................................................................... 316
1.8.1 Configuring a Link Quality-based Traffic Steering Policy................................................................................. 316
1.8.2 Configuring a Load Balancing-based Traffic Steering Policy...........................................................................322
1.8.3 Configuring a Traffic Steering Policy for Congestion Avoidance....................................................................330
1.9 Configuring a Site-to-Internet Policy........................................................................................................................... 338
1.9.1 Configuring Centralized Internet Access Through LAN-side Internet Links of Hubs...............................338
1.9.2 Configuring Centralized Internet Access Through WAN-side Internet Links of Hubs.............................340
1.9.3 Configuring Hybrid Internet Access Through Local Internet Links and LAN-side Links of Hubs........343
1.10 Configuring a Site-to-Legacy Site Policy.................................................................................................................. 346
1.10.1 Configuring Communication Between SD-WAN Sites and Legacy Sites in Centralized Access Mode
......................................................................................................................................................................................................... 346
1.10.2 Configuring Communication Between SD-WAN Sites and the Legacy Site in Hybrid Access Mode
......................................................................................................................................................................................................... 349
1.11 Configuring a QoS Policy.............................................................................................................................................. 353
Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. ii

SD-WAN
Typical Deployment Examples Contents
1.11.1 Configuring Preferential Transmission of HTTP Services from Branch Sites to Hub Sites.................. 353
1.12 Configuring an ACL Policy (Overlay Network)...................................................................................................... 357
1.12.1 Forbidding Access to YouTube During Working Hours....................................................................................357
1.12.2 Denying Access of Non-site Network Segments to Port 445........................................................................363
1.13 Configuring a Security Policy....................................................................................................................................... 368
1.13.1 Configuring a URL Filtering Security Policy for a Site..................................................................................... 368
1.14 Configuration Examples................................................................................................................................................. 370
1.14.1 Example for Building an SD-WAN Network for an Enterprise Tenant.......................................................370
2 Site Deployment.................................................................................................................. 426

2.1 USB-based Deployment................................................................................................................................................... 426
2.2 Email-based Deployment................................................................................................................................................ 433
2.3 DHCP Option-based Deployment................................................................................................................................. 444
3 Faulty CPE Replacement....................................................................................................457

3.1 Replacing Dual Faulty CPE Gateways..........................................................................................................................457
Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. iii

SD-WAN
Typical Deployment Examples 1 Building an SD-WAN Network
1 Building an SD-WAN Network
1.1 Introduction to Building an SD-WAN Network

1.2 Standard SD-WAN Networking Solutions
1.3 Creating SD-WAN Sites and Configuring ZTP
1.4 Configuring WAN-side Routes for Sites (Underlay Network)
1.5 Configuring Multi-VPN Isolation
1.6 Configuring LAN-side Interfaces for Sites (Overlay Network)
1.7 Configuring LAN-side Routes for Sites (Overlay Network)
1.8 Configuring Intelligent Traffic Steering
1.9 Configuring a Site-to-Internet Policy
1.10 Configuring a Site-to-Legacy Site Policy
1.11 Configuring a QoS Policy
1.12 Configuring an ACL Policy (Overlay Network)
1.13 Configuring a Security Policy
1.14 Configuration Examples
1.1 Introduction to Building an SD-WAN Network

An SD-WAN network is designed based on the customer's network environment,
service and networking scenarios, site scale, and service requirements. Network
configurations are delivered through the iMaster NCE-WAN, and site deployment
is completed at the site. Figure 1-1 shows the procedure of configuring an SD-
WAN network on the iMaster NCE-WAN and deploying a site. For the detailed
procedure, see section 1.14.1 Example for Building an SD-WAN Network for an
Enterprise Tenant.
Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. 1

SD-WAN
Figure 1-1 SD-WAN network configuration procedure

SD-WAN
The procedure of configuring a new SD-WAN network consists of multiple steps,

each of which consists of a set of configurations. Typical configuration examples
for each step are provided in this chapter. Based on these examples, an SD-WAN
network can be configured to fulfill different networking and service requirements,
as Table 1-1 shows the example.
Table 1-1 Configurations in typical scenarios

Configuration Procedure Configuration example
Step 1 Create SD-WAN sites 1.3.1 Full-Mesh Networking

and configure ZTP. (Single Hub and Co-deployed
RR)
Step 2 Configure WAN-side 1.4.1 Configuring BGP and

routing in the underlay Static Routes
network of sites.
Step 3 Configure multiple 1.5.1 Configuring Multiple VPNs

VPNs.
Step 4 Configure LAN-side 1.5.1 Configuring Multiple VPNs

interfaces on the
overlay network of
sites.
Step 5 Configure LAN-side 1.7.1 Configuring LAN-side

routing for the overlay OSPF Routes
network of sites.
Step 6 (Optional) Configure 1.8.1 Configuring a Link

intelligent traffic Quality-based Traffic Steering
steering. Policy
Configure a site-to- 1.9.1 Configuring Centralized

Internet policy. Internet Access Through LAN-
side Internet Links of Hubs
Configure a site-to- 1.10.1 Configuring

legacy site policy. Communication Between SD-
WAN Sites and Legacy Sites in
Centralized Access Mode
(Optional) Configure a 1.11.1 Configuring Preferential

QoS policy. Transmission of HTTP Services
from Branch Sites to Hub Sites
(Optional) Configuring 1.12.1 Forbidding Access to

an ACL Policy (Overlay YouTube During Working Hours
Network)
(Optional) Configure a 1.13.1 Configuring a URL

security policy. Filtering Security Policy for a
Site
Step 7 Deploy sites. 2.2 Email-based Deployment

SD-WAN
1.2 Standard SD-WAN Networking Solutions

The SD-WAN Solution provides multiple networking modes with different
characteristics to meet customers' requirements in various scenarios with different
site scales and networking characteristics.
Full-Mesh Networking (Single Hub and Co-deployed RR)
● Two gateways are deployed in a DC as hub nodes, which also function as RR

nodes.
● One or two gateways can be deployed at a branch site.
● The hub-spoke networking is supported between sites. That is, branch sites
can directly communicate with the HQ and DC, but cannot directly
communicate with each other.
● The full-mesh networking is also supported between sites. That is, branch
sites can directly communicate with the HQ, DC, and other branch sites.

SD-WAN
Hub-Spoke Networking (Dual Hubs and Co-deployed RR)
● Two gateways are deployed at the HQ and DC respectively as hub nodes,

which also function as RR nodes.
● One or two gateways can be deployed at a branch site.
● The hub-spoke networking is supported between sites. That is, branch sites
can directly communicate with the HQ and DC, but cannot directly
communicate with each other.
● The full-mesh networking is also supported between sites. That is, branch
sites can directly communicate with the HQ, DC, and other branch sites.

SD-WAN
Multi-Area Hierarchical Networking (Co-deployed RR)
Some large enterprises use the hierarchical networking architecture that consists
of the HQ, regional centers, and branches. Service traffic from branches is
aggregated to the regional centers. In such cases, the multi-area hierarchical
networking can be used.
● Sites are divided into multiple areas. Two DCs function as hub sites. The hub
sites and branch sites are divided into one area, and regional centers and
branch sites are divided into different areas.
● Two gateways are deployed at each hub site. The hub sites also function as
RR sites. Two gateways are deployed at each regional center. One or two
gateways can be deployed at each branch site.
● The hub-spoke or full-mesh networking is supported between sites in the
same regional center.

SD-WAN
Multi-Tenant Networking (Co-deployed RR)
Some large enterprises have a large number of widely distributed branch sites. To
facilitate domain[d(1)] -based management and future site expansion, branch
sites can be divided and managed by different tenants.
● Two gateways are deployed at each hub site of all tenants. The hub sites also
function as RR sites.
● One or two gateways can be deployed at each branch site.
● The tenants communicate with each other through routes advertised on the
LAN side of the DC.
● The hub-spoke or full-mesh mode networking is supported between sites of
the same tenant.

SD-WAN
IWG Networking with RRs Deployed by an MSP and Tenant Sites Connected
to an MPLS Backbone Network Through Gateways
An MSP deploys gateway sites to provide IWG services for tenants, so that tenant
sites can access the MSP's MPLS backbone network to implement efficient service
transmission.
● The MSP deploys gateway and RR sites. The gateway and RR sites must be
connected to SD-WAN transport networks so that all tenant sites can access
the gateway and RR sites.
● The gateways can access the MPLS backbone network using the Option A or
Option B solution.
● Tenant sites in different areas can communicate with each other through the
gateways.
● SD-WAN sites can communicate with legacy sites through the gateways.
1.3 Creating SD-WAN Sites and Configuring ZTP
1.3.1 Full-Mesh Networking (Single Hub and Co-deployed RR)

Related Products
The products used in this case run the following software versions. The actual
configurations may vary in other versions. For details, see the product deployment
guide of the corresponding versions.
iMaster NCE-WAN: V100R019C10SPC201
AR: V300R019C10SPC300
Networking Requirements
Enterprise A has a DC and multiple branches. An SD-WAN network needs to be set
up to replace the enterprise's legacy network. The DC functions as the

SD-WAN
headquarters site, and the gateway at the headquarters site functions as the RR. A
branch site can use a single gateway or dual gateways and can directly
communicate with the headquarters site and the other branch sites. Some
branches can only use the enterprise's legacy network (the MPLS link is used on
the WAN side), and cannot be reconstructed into SD-WAN sites.
Solution Design
Figure 1-2 Enterprise networking
Based on customer requirements and the networking plan, perform the following
tasks:
1. On an enterprise's SD-WAN network, an RR uses the co-deployment mode.
The CPE at a tenant's edge site also function as an RR. Such a site is called an
edge-RR site. In this example, the headquarters site (Hub1) uses the edge-RR
site mode, and the branch sites (Site2 and Site3) use the edge site mode. The
legacy site, Site1, is not managed by the iMaster NCE-WAN. Therefore, it does
not need to be created on the iMaster NCE-WAN.
2. Hub1 functions as the headquarters site and poses high reliability
requirements. At Hub1, two CPEs are deployed as gateways, and each CPE
connects to both the Internet and MPLS network. Site2 uses a single CPE as
the gateway and connects to both the Internet and MPLS network. The
Internet link at Site2 obtains a dynamic IP address through PPPoE whereas
the other link is configured with a static IP address. Site3 uses two CPEs as
gateways, with one connected to the Internet and the other to the MPLS
network.
3. The Network Time Protocol (NTP) clock synchronization mechanism is used
to synchronize clocks on devices. The edge-RR site has NTP clock
synchronization configured to synchronize its clock with that of the NTP
server, whereas edge sites synchronize their clocks with that of the edge-RR
site.

SD-WAN
4. To enable direct communication between the headquarters and branches or

between branches, the overlay network uses the full-mesh topology.
Additionally, to enhance reliability of communication between branch sites,
configure Hub1 as a redirect site.
Data Plan
Table 1-2 Tenant information
Item Value
Tenant Name TenantA
Account [email protected]
Password PassA@1234
Table 1-3 Global network parameters
Item Value
Transport Network MPLS Internet
Routing Domain MPLS Internet
IPSec Encryption ON ON
Encryption algorithm AES256
Life time 1440
URL encryption key 123abc
Token validity period (day) 7
Password of User Admin test@123
AS number 65001
Community pool 100
IP pool 10.200.0.0/16
DNS Server IP 8.8.8.8
Table 1-4 Site template
Item Value
Template Hub Branch1 Branch2

name
Description - - -

SD-WAN
Item Value
Gateway Dual Gateways Single Single Gateway

Gateway
W Name MPL Interne MPL Internet MPL Inter MPL Internet

A S1 t1 S2 2 S net S
N
Lin Device Device1 Device2 Devi Devic Devic Device2
k ce1 e1 e1
Interfa GE3/ GE3/0/ GE3 GE3/0/1 GE0 GE0/ GE0/ GE0/0/3

ce 0/0 1 /0/0 /0/3 0/4 0/3
Overla ON ON ON ON ON ON ON ON
y
tunnel
Transp MPL Interne MPL Internet MPL Inter MPL Internet

ort S t S S net S
Netwo
rk
Role Activ Active Acti Active Acti Activ Activ Active

e ve ve e e
Int Reuse OFF - - OFF

er- LAN-
CP side L2
E interfa
Lin ce
k
VLAN 4000 - 4008 - - 4000 - 4008
ID
Device GE3/0/2 GE3/0/3 - - GE0/ GE0/0/2

1 0/1
Interfa
ce
Device GE3/0/2 GE3/0/3 - - G00/ GE0/0/2

2 0/1
Interfa
ce
Table 1-5 Information about devices

Device ESN Device Name Device Model
21021156411234500011 Hub1_1 AR6280
21021156411234500012 Hub1_2 AR6280
2102351UGG10J7000011 Site2_1 AR651U-A4

SD-WAN
2102351UGG10J7000012 Site3_1 AR651U-A4
2102351UGG10J7000013 Site3_2 AR651U-A4
Table 1-6 Site design and ZTP configurations at sites

Item Value
Site Hub1 Site2 Site3
RR ON OFF OFF
Conn - Hub1 Hub1

ect to
RR
Gate Dual Gateways Single Gateway Single Gateway

way
Site Hub Branch1 Branch2

temp
late
Devic Hub1_1 Hub1_2 Site2_1 Site3_1 Site3_2

e
Link MPL Inter MPL Intern MPLS Internet MPLS Internet

name S1 net1 S2 et2
VN unde unde und underl underl underlay underlay_1 underla

insta rlay_ rlay_ erla ay_2 ay_1 _2 y_2
nce 1 2 y_1
Interf IPoE IPoE IPoE IPoE IPoE PPPoE IPoE IPoE

ace
proto
col
IP Stati Stati Stat Static Static - Static Static

addre c c ic
ss
acces
s
mode
IP 172.1 10.1 172. 10.100 172.16 - 172.16.4.1/ 10.100.

addre 6.1.1 00.1. 16.2 .2.1/30 .3.1/30 30 4.1/30
ss/ /30 1/30 .
Subn 1/3
et 0
mask

SD-WAN
Item Value
Defa 172.1 10.1 172. 10.100 172.16 - 172.16.4.2 10.100.

ult 6.1.2 00.1. 16.2 .2.2 .3.2 4.2
gate 2 .2
way
PPPo - - - - - user@w - -
E eb.com
User
name
PPPo - - - - - Pass123 - -
E 4
Pass
word
Auth - - - - - CHAP - -
Type
Publi 172.1 10.1 172. 10.100 - - - -

c IP 6.1.1 00.1. 16.2 .2.1
1 .1
Nego Auto Auto Aut Auto Auto Auto Auto Auto

tiatio o
n
mode
NAT - - - - OFF OFF OFF OFF

STUN
Uplin 100 100 100 100 100 100 100 100

k
band
width
(Mbp
s)
Dow 100 100 100 100 100 100 100 100

nlink
band
width
(Mbp
s)
URL- ON ON ON ON ON ON ON ON
base
d
deplo
ymen
t

SD-WAN
Table 1-7 NTP information at edge-RR site
Item Value
Time zone (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi
NTP authentication ON
Authentication ntp123
password
Authentication key id 456789
NTP client mode Manual Configuration
Device Hub1_1 Hub1_2
WAN Link MPLS1 Internet MPLS2 Internet2

1
NTP Server Address 10.10.1.1 10.10.1.1 10.10.1.1 10.10.1.1
Authentication OFF OFF OFF OFF
Table 1-8 NTP information about edge sites
Item Value
NTP authentication OFF
NTP client mode Automatic Synchronization with Parent Node
Table 1-9 Basic site information about the overlay network
Item Value
VN VPN1
IPSec Encryption ON
Site Name Hub1, Site2, Site3
Topology mode Full-mesh
Redirect sites Hub1
Procedure
Step 1 Log in to the iMaster NCE-WAN as a tenant administrator.
Step 2 Set global network parameters.

SD-WAN
1. Choose Design > Network Settings.

2. Select the source of RR.
3. Retain the system defaults MPLS and Internet for the transport network. No
additional configuration is required.
4. Set IPSec encryption parameters.
Select Encryption algorithm.
5. Configure device activation security.

Enter a URL encryption key, and set Token validity period.
6. Configure the password of the admin account.

SD-WAN
7. Click Apply.
8. Click Virtual Network. The Virtual Network page is displayed.
9. Configure a route.
Enter the AS number of the BGP route. The default value is 65001.
10. Add an address pool.
11. Add the DNS server IP address.

SD-WAN
12. Click Apply.
Step 3 Create site templates, which are used to configure site WAN links.
1. Choose Design > Network Template. On the Site Template page that is
displayed, click Create.
2. Enter the template information and click OK.
● Edge-RR site template
● Edge site template

SD-WAN
Step 4 Add devices in batches based on ESNs.

1. Choose Design > Devices Management. The Device Management page is
displayed.
2. Click Add Device and set Addition method to Batch import.
3. Click Template to download the template file.
4. Fill in the template with required information and save the file.
5. Click , select the configured template file, and click Upload.
6. Confirm the imported data, select the data to be created for CPEs, and click
OK.
Step 5 Create an edge-RR site and two edge sites.

1. Choose Design > Site Design.
2. On the Site page that is displayed, click Create.
3. Enter the site information.
4. Under Add Device, select the devices added in the previous step.
5. Click OK.
● Edge-RR site
● Edge sites

SD-WAN
Step 6 Configure ZTP for sites.

1. Configure WAN links for the edge-RR site.
a. Choose Provision > ZTP. The ZTP Configuration page is displayed.
b. In the site list on the left, click the created site. Choose the site template,
and the WAN Link page displays link information.
c. Click in the Operation column.

d. In the Set WAN Link dialog box that is displayed, configure WAN link
parameters of the site.
e. Click Apply to complete the WAN link configuration.

SD-WAN

SD-WAN

SD-WAN

SD-WAN
2. Configure NTP for the edge-RR site.

a. Click NTP.
b. On the NTP page that is displayed, select a time zone. Enter the NTP
information and click Apply to complete the NTP configuration.

SD-WAN
3. Configure WAN links for the edge sites.

Perform the same operations as those for the edge-RR sites to configure WAN
link parameters for the edge sites and click Apply.
– WAN link configuration for Site2

SD-WAN

SD-WAN

SD-WAN

SD-WAN
4. Configure NTP for the edge sites.

a. On the NTP page that is displayed, select a time zone.
b. Set NTP client mode to Automatic Synchronization with Parent Node.
c. Click Apply.

SD-WAN
Step 7 Configure the connection to the RR site.

1. Choose Provision > Connect to RR.
2. Select the edge sites and click Connect. On the Connect page, select the RR
site you want to connect and click Detect.
3. When Distribution Result is Successful, click OK.
Step 8 Complete the overlay network configuration for the sites.

1. Create a VN.
a. Choose Provision > Overlay Network.
b. On the Virtual Network page, click Create.

SD-WAN
c. Enter the VN name and select the site to be added to the VN.
d. Click Apply.
2. Configure the overlay network topology.

b. On the Topology page, select the VN to be configured.
c. On the Predefine Topology page, set Mode and Topology mode, and
select the site to be added to the topology.
d. Click Apply.
----End
1.3.2 Hub-Spoke Networking (Dual Hubs and Co-deployed

RR)
Related Products
AR: V300R019C10SPC300
Enterprise A has a headquarters, a DC, and multiple branches. An SD-WAN
network needs to be set up to replace the enterprise's legacy network. The
gateway at the headquarters site functions as the RR. To enhance reliability, the
DC functions as a backup of the headquarters site. When the headquarters site is

SD-WAN
unavailable, the DC takes over services from the headquarters site to ensure the
normal running of the entire network. A branch site can use a single gateway or
dual gateways and can directly communicate with the headquarters site and the
DC, but not the other branch sites. Some branches can only use the enterprise's
legacy network (the MPLS link is used on the WAN side), and cannot be
reconstructed into SD-WAN sites.
Solution Design
tasks:
site mode, and the branch sites (Site2 and Site3) use the edge site mode. The
legacy site, Site1, is not managed by the iMaster NCE-WAN. Therefore, it does
not need to be created on the iMaster NCE-WAN.
2. Hub1, Hub2, and Site3 have high reliability requirements, where two CPEs are
used as gateways, and each CPE connects to both the Internet and MPLS
network. Site2 uses a single CPE as the gateway and connects to the MPLS
network through two WAN links. Site4 uses two CPEs as gateways, and each
CPE connects to the Internet network. The Internet link at Site3 obtains a
dynamic IP address through PPPoE whereas the other link is configured with a
static IP address.
3. The NTP clock synchronization mechanism is used to synchronize clocks on
devices. The edge-RR site has NTP clock synchronization configured to
synchronize its clock with that of the NTP server, whereas edge sites
synchronize their clocks with that of the edge-RR site.
4. To enable direct communication between a branch site and the
headquarters/DC and prevent direct communication between branches, the
overlay network uses the hub-spoke networking. Hub1 and Hub2 are the
active and standby hub sites, respectively.

SD-WAN
Data Plan

Item Value
Tenant Name TenantA
Password PassA@1234

Item Value
Transport MPLS Internet MPLS2 Internet2

Network
Routing MPLS Internet MPLS Internet

Domain
IPSec ON ON ON ON
Encryption
Encryption AES256
algorithm
Life time 1440
URL 123abc
encryption
key
Token validity 7
period (day)
Password of test@123
User Admin
AS number 65001
Community 100
pool
IP pool 10.200.0.0/16

SD-WAN

21021156411234500021 Hub1_1 AR6280
21021156411234500022 Hub1_2 AR6280
21021156411234500023 Hub2_1 AR6280
21021156411234500024 Hub2_2 AR6280
2102351UGG10J7000021 Site2_1 AR651U-A4
2102351UGG10J7000022 Site3_1 AR651U-A4
2102351UGG10J7000023 Site3_2 AR651U-A4
2102351UGG10J7000024 Site4_1 AR651U-A4
2102351UGG10J7000025 Site4_2 AR651U-A4

Item Value
Template Hub Branch1 Branch2 Branch3

name
Description - - - -
Gateway Dual Gateways Single Dual Dual

Gateway Gateways Gateways
WA Name MPL In M Inter MPL MPL MPL Inter Int Inte

N S1 te PL net2 S1 S2 S1 net1 ern rne
Link rn S2 et1 t2
et
1
Devic Devi D De Devi Devi Devi Devi Devi De Dev

e ce1 ev vic ce2 ce1 ce1 ce1 ce2 vic ice2
ic e2 e1
e1
Interf GE3/ G GE GE3/ GE0/ GE0/ GE0/ GE0/ GE GE

ace 0/0 E3 3/ 0/1 0/3 0/4 0/3 0/3 0/0 0/0
/0 0/ /3 /3
/1 0
Overl ON O O ON ON ON ON ON ON ON
ay N N
tunne
l

SD-WAN
Item Value
Trans MPL In M Inter MPL MPL MPL Inter Int Inte

port S te PL net S S S net ern rne
Netw rn S et t
ork et
Role Activ Ac Ac Activ Activ Activ Activ Activ Act Acti

e tiv tiv e e e e e ive ve
e e
Inte Reuse OFF - - OFF OFF

r- LAN-
CPE side
Link L2
interf
ace
VLAN 4000 - 4008 - - 4000 - 4008 4000 -

ID 4008
Devic GE3/0/2 GE3/0/3 - - GE0/ GE0/ GE GE

e1 0/1 0/2 0/0 0/0
Interf /1 /2
ace
Devic GE3/0/2 GE3/0/3 - - GE0/ GE0/ GE GE

e2 0/1 0/2 0/0 0/0
Interf /1 /2
ace
Table 1-14 Site design and ZTP configurations at edge-RR sites

Item Value
Site Hub1 Hub2
RR ON ON
Gateway Dual Gateways Dual Gateways
Site Hub1_1 Hub1_2 Hub2_1 Hub2_2

templat
e
Device Hub Hub
Link MPLS1 Inter MPL Internet MPLS1 Inter MP Internet2

name net1 S2 2 net1 LS2
VN underl und unde underlay underlay und und underlay_

instance ay_1 erla rlay_ _4 _1 erla erla 4
y_2 3 y_2 y_3

SD-WAN
Item Value
Interface IPoE IPoE IPoE IPoE IPoE IPoE IPo IPoE

protocol E
IP Static Stati Stati Static Static Stati Stat Static

address c c c ic
access
mode
IP 172.16. 10.1 172. 10.100.2 172.16.3. 10.1 172 10.100.4.1

address/ 1.1/30 00.1. 16.2. .1/30 1/30 00.3. . /30
Subnet 1/30 1/30 1/30 16.
mask 4.1/
30
Default 172.16. 10.1 172. 10.100.2 172.16.3. 10.1 172 10.100.4.2

gateway 1.2 00.1. 16.2. .2 2 00.3. .
2 2 2 16.
4.2
Public IP 172.16. 10.1 172. 10.100.2 172.16.3. 10.1 172 10.100.4.1

1.1 00.1. 16.2. .1 1 00.3. .
1 1 1 16.
4.1
Negotiat Auto Aut Auto Auto Auto Aut Aut Auto

ion o o o
mode
Uplink 100 100 100 100 100 100 100 100

bandwid
th
(Mbps)
Downlin 100 100 100 100 100 100 100 100

k
bandwid
th
(Mbps)
based
deploym
ent
Table 1-15 Site design and ZTP configurations at edge sites

Item Value
Site Site2 Site3 Site4
RR OFF OFF OFF

SD-WAN
Item Value
Connect Hub1, Hub2 Hub1, Hub2 Hub1, Hub2

to RR
Gatewa Single Gateway Dual Gateways Dual Gateways

y
Site Branch1 Branch2 Branch3

templat
e
Device Site2_1 Site3_1 Site3_2 Site4_1 Site4_

2
Link MPLS1 MPLS2 MPLS1 Internet1 Internet Intern

name 1 et2
VN underlay_ underlay_2 underlay_ underlay_ underla underl

instanc 1 1 2 y_1 ay_2
e
Interfac IPoE IPoE IPoE PPPoE IPoE IPoE

e
protoco
l
IP Static Static Static - Static Static

address
access
mode
IP 172.16.5.1 172.16.6.1/ 172.16.7.1 - 10.100. 10.100

address /30 30 /30 5.1/30 .6.1/30
/Subnet
mask
Default 172.16.5.2 172.16.6.2 172.16.7.2 - 10.100. 10.100

gatewa 5.2 .6.2
y
PPPoE - - - user@web - -
User .com
name
PPPoE - - - Pass1234 - -
Passwor
d
Auth - - - CHAP - -
Type
Public - - - - - -
IP

SD-WAN
Item Value
Negotia Auto Auto Auto Auto Auto Auto

tion
mode
NAT OFF OFF OFF OFF OFF OFF

STUN
Uplink 100 100 100 100 100 100

bandwi
dth
(Mbps)
Downli 100 100 100 100 100 100

nk
bandwi
dth
(Mbps)
URL- ON ON ON ON ON ON
based
deploy
ment
Table 1-16 NTP information at edge-RR sites

Item Value
Time (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi

zone
NTP ON
authent
ication
Authent ntp123
ication
passwor
d
Authent 456789
ication
key id
NTP Manual Configuration

client
mode
Device Hub1_1 Hub1_2 Hub2_1 Hub2_2
WAN MPLS1 Interne MPLS2 Intern MPL Inte MPLS Internet2

Link t1 et2 S1 rne 2
t1

SD-WAN
Item Value
NTP 10.10.1. 10.10.1 10.10.1 10.10. 10.1 10. 10.10 10.10.1.1

Server 1 .1 .1 1.1 0.1. 10. .1.1
Address 1 1.1
Authent OFF OFF OFF OFF OFF OF OFF OFF

ication F
Item Value
Time zone (UTC+08:00)Beijing,Chongqing,Hong

Kong,Urumqi
NTP client mode Automatic Synchronization with Parent

Node
Item Value
VN VPN1
IPSec Encryption ON
Site Name Hub1, Hub2, Site2, Site3, Site4
Topology mode Hub-spoke
Hub sites Active: Hub1

Standby: Hub2
Procedure


SD-WAN


7. Click Apply.

SD-WAN

12. Click Apply.


SD-WAN

displayed.

SD-WAN
OK.
Step 5 Create two edge-RR sites and three edge sites.

5. Click OK.
● Edge-RR sites
● Edge sites

SD-WAN


– WAN link configuration for Hub1

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN
2. Configure NTP for the edge-RR sites.

a. Click NTP.

SD-WAN
– NTP configuration for Hub1


SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN
4. Configure NTP for the branch sites.

c. Click Apply.

SD-WAN


1. Create a VN.

SD-WAN
d. Click Apply.

d. Click Apply.
----End
1.3.3 Multi-Area Hierarchical Networking

Related Products
AR: V300R019C00SPC300
Bank B has a large number of branches that are widely distributed and wants to
build its own SD-WAN network. The network needs to be divided into multiple
areas based on the number and locations of sites. The two DCs deployed at the
headquarters function as hub sites, which form an area together with branches in
the same province. Branches in remote provinces are categorized into different
areas by province. Branch sites in the same area cannot directly communicate with

SD-WAN
each other. Branches in remote provinces communicate with the hub sites through
a site with a high-performance gateway. Branches in different areas can
communicate with each other only through a hub site in the headquarters.
Solution Design
tasks:
1. On the bank's SD-WAN network, an RR uses the co-deployment mode. The
CPE at a tenant's edge site also function as an RR. Such a site is called an
edge-RR site. To enhance reliability, two RR sites are deployed. In this
example, Hub1 and Hub2 in the two DCs use the edge-RR site mode, and the
branch sites use the edge site mode, with CPEs at Hub1 and Hub2 being their
RRs.
2. Hub1, Hub2, and branch sites in the same province form area 1, in which the
overlay network uses the hub-spoke topology, and Hub1 and Hub2 function
as hub sites. Branch sites in area 1 can communicate with each other only
through a hub site. Hub1 and Hub2 are also border sites. Branch sites in area
1 communicate with sites in other areas through Hub1 or Hub2. The
following uses Site1 as an example. Branches in remote provinces form two
areas: area 2 and area 3. In area 2, the overlay network uses the hub-spoke
topology, and Agg1 functions as both the hub site and border site. A branch
site, for example, Site2, in area 2 communicates with sites in other areas
through Agg1. In area 3, the overlay network uses the hub-spoke topology,
and Agg2 functions as both the hub site and border site. A branch site, for
example, Site3, in area 3 communicates with sites in other areas through

SD-WAN
Agg2. The overlay network between areas also uses the hub-spoke topology.
Branch sites in different areas can communicate with each other only through
Hub1 or Hub2.
3. At Hub1, Hub2, Agg1, and Agg2, two CPEs are deployed as gateways. The two
CPEs at each of these sites connect to both the Internet and MPLS network.
Site1 uses a single CPE as the gateway and connects to the Internet through
one WAN link. Site2 uses a single CPE as the gateway and connects to both
the Internet and MPLS network. Site3 uses two CPEs as gateways, with one
connected to the Internet and the other to the MPLS network.
devices. The edge-RR sites have NTP clock synchronization configured to
synchronize their clocks with that of the NTP server, whereas edge sites
Data Plan
Item Value
Tenant Name TenantA
Password PassA@1234
Item Value
Transport MPLS1 Internet1 MPLS2 Internet2

Network

Domain
IPSec ON ON ON ON
Encryption
Encryption AES256
algorithm
Life time 1440
URL 123abc
encryption
key
Token validity 7
period (day)
User Admin

SD-WAN
Item Value
AS number 65001
Community 100
pool
IP pool 10.200.0.0/16

2102115640P0J6000041 Hub1_1 AR6300
2102115640P0J6000042 Hub1_2 AR6300
2102115640P0J6000043 Hub2_1 AR6300
2102115640P0J6000044 Hub2_2 AR6300
21021156411234500041 Agg1_1 AR6280
21021156411234500042 Agg1_2 AR6280
21021156411234500043 Agg2_1 AR6280
21021156411234500044 Agg2_2 AR6280
2102351UGG10J7000041 Site1_1 AR651U-A4
2102351UGG10J7000042 Site2_1 AR651U-A4
2102351UGG10J7000043 Site3_1 AR651U-A4
2102351UGG10J7000044 Site3_2 AR651U-A4

Item Value
Template Hub Branch Branch2 Branch3

name 1
Description - - - -
Gateway Dual Gateways Single Single Dual

Gatew Gatewa Gatewa
ay y ys

SD-WAN
Item Value
WAN Na MPL Inter MPLS2 Internet Interne M Int M Int

Link me S1 net1 2 t PL er PL er
S ne S ne
t t
Devi Devic Devi Device Device2 Device De De De De

ce e1 ce1 2 1 vic vic vic vic
e1 e1 e1 e2
Inter GE3/ GE3 GE3/0 GE3/0/1 GE0/0/ GE GE GE GE

face 0/0 /0/1 /0 3 0/ 0/ 0/ 0/
0/ 0/ 0/ 0/
3 4 3 3
Ove ON ON ON ON ON O O O O
rlay N N N N
tunn
el
Tran MPL Inter MPLS Internet Interne M Int M Int

spor S net t PL er PL er
t S ne S ne
Net t t
wor
k
Role Activ Acti Active Active Active Ac Ac Ac Ac

e ve tiv tiv tiv tiv
e e e e
Inter- Reus OFF - - - OFF

CPE e
Link LAN
-side
L2
inter
face
VLA 4000 - 4008 - - - 4000 -

N ID 4008
Devi GE3/0/2 GE3/0/3 - - - GE GE

ce1 0/ 0/
Inter 0/ 0/
face 1 2
Devi GE3/0/2 GE3/0/3 - - - G0 GE

ce2 0/ 0/
Inter 0/ 0/
face 1 2

SD-WAN
Table 1-23 Site design and ZTP configurations at edge-RR sites

Item Value
Site Hub1 Hub2
RR ON ON
Site Hub Hub

templat
e
Link MPLS1 Inter MPL Internet MPLS1 Int MP Internet2

name net1 S2 2 ern LS2
et1
VN underl und unde underlay underlay_ un und underlay_

instance ay_1 erla rlay_ _4 1 der erla 4
y_2 3 lay y_3
_2
Interface IPoE IPoE IPoE IPoE IPoE IPo IPo IPoE

protocol E E
IP Static Stati Stati Static Static Sta Stat Static

address c c tic ic
access
mode
IP 172.16. 10.1 172. 10.100.2 172.16.3.1 10. 172 10.100.4.1

address/ 1.1/30 00.1. 16.2. .1/30 /30 10 . /30
Subnet 1/30 1/30 0.3. 16.
mask 1/3 4.1/
0 30
Default 172.16. 10.1 172. 10.100.2 172.16.3.2 10. 172 10.100.4.2

gateway 1.2 00.1. 16.2. .2 10 .
2 2 0.3. 16.
2 4.2
Public IP 172.16. 10.1 172. 10.100.2 172.16.3.1 10. 172 10.100.4.1

1.1 00.1. 16.2. .1 10 .
1 1 0.3. 16.
1 4.1
Negotiat Auto Aut Auto Auto Auto Au Aut Auto

ion o to o
mode
Uplink 100 100 100 100 100 10 100 100

bandwid 0
th
(Mbps)

SD-WAN
Item Value
Downlin 100 100 100 100 100 10 100 100

k 0
bandwid
th
(Mbps)
based
deploym
ent
Table 1-24 Site design and ZTP configurations at edge sites (1)
Item Value
Site Site1 Agg1 Site2
RR OFF OFF OFF
Connect Hub1, Hub1, Hub2 Hub1, Hub2

to RR Hub2
Gateway Single Dual Gateways Single Gateway

Gatew
ay
Site Branch Hub Branch2

template 1
Device Site1_1 Agg1_1 Agg1_2 Site2_1
Link Interne MPLS1 Inter MPLS Internet2 MPLS Interne

name t net1 2 t
VN underl underlay_ unde under underlay_ underlay underl

instance ay_1 1 rlay_ lay_3 4 _1 ay_2
2
Interface IPoE IPoE IPoE IPoE IPoE IPoE IPoE

protocol
IP Static Static Stati Static Static Static Static

address c
access
mode
IP 10.100. 172.16.6.1 10.1 172.1 10.100.7.1 172.16.8 10.100.

address/ 5.1/30 /30 00.6. 6.7.1/ /30 .1/30 8.1/30
Subnet 1/30 30
mask

SD-WAN
Item Value
Default 10.100. 172.16.6.2 10.1 172.1 10.100.7.2 172.16.8 10.100.

gateway 5.2 00.6. 6.7.2 .2 8.2
2
Negotiat Auto Auto Auto Auto Auto Auto Auto

ion
mode
NAT OFF OFF OFF OFF OFF OFF OFF

STUN
Uplink 100 100 100 100 100 100 100

bandwid
th
(Mbps)
Downlin 100 100 100 100 100 100 100

k
bandwid
th
(Mbps)
URL- ON ON ON ON ON ON ON
based
deploym
ent
Table 1-25 Site design and ZTP configurations at edge sites (2)
Item Value
Site Agg2 Site3
RR OFF OFF
Connect Hub1, Hub2 Hub1, Hub2

to RR
Site Hub Branch3

template
Device Agg2_1 Agg2_2 Site Site3_2

3_1
Link MPLS1 Internet MPLS2 Internet MP Internet

name 1 2 LS
VN underlay_1 underlay underlay underla und underlay_2

instance _2 _3 y_4 erla
y_1

SD-WAN
Item Value
Interface IPoE IPoE IPoE IPoE IPo IPoE

protocol E
IP address Static Static Static Static Stat Static

access ic
mode
IP 172.16.9.1/30 10.100.9 172.16.10 10.100. 172 10.100.11.1/

address/ .1/30 .1/30 10.1/30 . 30
Subnet 16.
mask 11.
1/3
0
Default 172.16.9.2 10.100.9 172.16.10 10.100. 172 10.100.11.2

gateway .2 .2 10.2 .
16.
11.
2
Negotiati Auto Auto Auto Auto Aut Auto

on mode o
NAT OFF OFF OFF OFF OF OFF

STUN F
Uplink 100 100 100 100 100 100

bandwidt
h (Mbps)
Downlink 100 100 100 100 100 100

bandwidt
h (Mbps)
based
deployme
nt
Table 1-26 NTP information at edge-RR sites

Item Value
NTP ON
authentication
password

SD-WAN
Item Value
Authentication 456789
key id
WAN Link MPLS Inter MPL Inter MP Inte MPLS Internet2

1 net1 S2 net2 LS1 rne 2
t1
NTP Server 10.10 10.10 10.1 10.1 10. 10. 10.10. 10.10.1.1
Address .1.1 .1.1 0.1.1 0.1.1 10. 10. 1.1
1.1 1.1
Authentication OFF OFF OFF OFF OF OF OFF OFF

F F

Item Value

Item Value
VN VPN1
IPSec Encryption ON
Site Name Hub1, Hub2, Agg1, Agg2, Site1, Site2, Site3
Area Area Area1 Area2 Area3

Topology
Sites Hub1, Hub2, Agg1, Site2 Agg2, Site3
Site1
Topology Hub-spoke Hub-spoke Hub-spoke

mode
Hub sites Active: Active: Agg1 Active: Agg2

Hub1
Standby:
Hub2

SD-WAN
Item Value
Border Hub1, Hub2 Agg1 Agg2

sites
Area Topology Hub-spoke

Interconne mode
ction
Hub sites Active: Hub1
Standby: Hub2
Procedure



SD-WAN
7. Click Apply.

SD-WAN
12. Click Apply.


SD-WAN

1. Choose Design > Device Management. The Device Management page is
displayed.

OK.
Step 5 Create edge-RR sites, and edge sites.

5. Click Apply.
● Edge-RR sites

SD-WAN
● Edge site in area 1

SD-WAN

1. Configure WAN links for edge-RR sites.


SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN
2. Configure NTP for edge-RR sites.

a. Click NTP.

SD-WAN

Perform the same operations as those for the hub sites to configure WAN link
parameters for the branch sites and click Apply.

SD-WAN
– WAN link configuration for Agg1

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN
– WAN link configuration for Agg2

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN
4. Configure ZTP for the edge sites.

c. Click Apply.

SD-WAN


1. Create a VN.

SD-WAN
d. Click Apply.

c. On the Predefine Topology page, click Advanced Mode.
d. On the Area Topology tab page, click Create and create Area1, Area2
and Area3.
▪ Area1 configuration

SD-WAN
e. On the Area Interconnection tab page, configure the inter-area topology

model.
----End
1.3.4 Multi-Tenant Networking

Related Products
AR: V300R019C10SPC300
Bank B with a large number of branches wants to set up its own SD-WAN
network. Hub sites are deployed in its DC. Branches and their sub-branches
directly communicate with the headquarters through a flattened network. Branch
sites cannot directly communicate with each other. To facilitate area-based
management and deployment of subsequent branches, bank B wants to create
multiple tenants based on areas. Each tenant uses an independent network
topology and independent hub site at the headquarters. Sites under different
tenants communicate with each other through the core network on the LAN side
of the hub sites at the headquarters.

SD-WAN
Solution Design
tasks:
1. On the bank's SD-WAN network, an RR uses the co-deployment mode. The

CPE at a tenant's edge site also function as an RR. Such a site is called an
edge-RR site. To enhance reliability, two RR sites are deployed. In this
example, Hub1 and Hub2 of tenant A use the edge-RR site mode, and the
branch sites use the edge site mode, with CPEs at Hub1 and Hub2 being their
RRs. Tenant B uses CPEs of Hub3 and Hub4 as RRs.
2. The overlay network of tenant A uses the hub-spoke topology. Hub1 and
Hub2 are hub sites. Branch sites can communicate with each other only
through a hub site. The overlay network of tenant B uses the hub-spoke
topology. Hub3 and Hub4 are hub sites. Branch sites can communicate with
each other only through a hub site.
3. Sites of different tenants cannot directly communicate with each other.
Instead, they need to communicate with each other through the core switch
on the LAN side of a hub site. The LAN side of the hub site uses OSPF to
interconnect with the core switch to advertise and receive routes. To divert
service traffic between sites of different tenants to the LAN side of the hub
site for forwarding, configure a static route where the subnet mask contains
the LAN-side network segment of the tenant site on the core switch. This
static route is advertised to the hub site through OSPF on the core switch to
guide cross-tenant traffic forwarding.
4. Hub1, Hub2, Hub3, and Hub4 use two CPEs as gateways, each of which
connects to both the Internet and MPLS network. In this example, Site1 and
Site2 are branch sites, where a single CPE is used as the gateway and
connects to both the Internet and MPLS network.

SD-WAN

devices. The edge-RR sites have NTP clock synchronization configured to
synchronize their clocks with that of the NTP server, whereas edge sites
Data Plan

Item Data of Tenant A Data of Tenant B
Tenant Name TenantA TenantB
Account [email protected] [email protected]
Password PassA@1234 PassB@1234

Transport MPLS Internet MPLS Internet

Network

Domain
IPSec ON ON ON ON
Encryption
Encryption AES256 AES256

algorithm
Life time 1440 1440
URL 123abc 123abc

encryption
key
Token 7 7
validity
period
(day)
Password test@123 test@123

of User
Admin
AS 65001 65001
number
Communit 100 100

y pool

SD-WAN
IP pool 10.200.0.0/16 10.201.0.0/16
DNS 8.8.8.8 8.8.8.8

Server IP
Table 1-31 Device information of tenant A
2102115640P0J600005 Hub1_1 AR6300

1
2102115640P0J600005 Hub1_2 AR6300

2
2102115640P0J600005 Hub2_1 AR6300

3
2102115640P0J600005 Hub2_2 AR6300

4
2102351UGG10J70000 Site1_1 AR651U-A4

51
Table 1-32 Device information of tenant B
2102115640P0J600005 Hub3_1 AR6300

5
2102115640P0J600005 Hub3_2 AR6300

6
2102115640P0J600005 Hub4_1 AR6300

7
2102115640P0J600005 Hub4_2 AR6300

8
2102351UGG10J70000 Site2_1 AR651U-A4

52
Item Value
Template name Hub Branch1

SD-WAN
Item Value
Description - -
Gateway Dual Gateways Single

Gateway
WAN Link Name MPLS1 Intern MPLS Internet2 MPLS Intern

et1 2 et
Device Device Devic Device Device2 Devic Device

1 e1 2 e1 1
Interface GE3/0/ GE3/0 GE3/0 GE3/0/1 GE0/0 GE0/0/

0 /1 /0 /3 4
Overlay MPLS Intern MPLS Internet MPLS Intern

tunnel et et
Transport ON ON ON ON ON ON
Network
Role Active Active Active Active Active Active
Inter-CPE Reuse OFF - -

Link LAN-side
L2
interface
VLAN ID 4000 - 4008 - -
Device1 GE3/0/2 GE3/0/3 - -

Interface
Device2 GE3/0/2 GE3/0/3 - -

Interface
Table 1-34 Site design and ZTP configuration of tenant A

Item Value
Site Hub1 Hub2 Site1
RR ON ON OFF
Conne - - Hub1,
ct to Hub2
RR
Gatew Dual Gateways Dual Gateways Single

ay Gateway
Site Hub Hub Branch2

templa
te

SD-WAN
Item Value
Device Hub1_1 Hub1_2 Hub2_1 Hub2_2 Site2_1
Link MPLS Int MP Interne MPLS Inter MPLS Inter MP Inte

name 1 ern LS2 t2 1 net1 2 net2 LS rne
et1 t
VN under un und underl unde unde under unde un und

instanc lay_1 der erla ay_4 rlay_ rlay_ lay_3 rlay_ der erla
e lay y_3 1 2 4 lay y_2
_2 _1
Interfa IPoE IPo IPo IPoE IPoE IPoE IPoE IPoE IPo IPo
ce E E E E
protoc
ol
IP Static Sta Stat Static Static Stati Static Stati Sta Stat
addres tic ic c c tic ic
s
access
mode
IP 172.1 10. 172 10.100. 172.1 10.1 172.1 10.1 17 10.

addres 6.1.1/ 100 . 2.1/30 6.3.1/ 00.3. 6.4.1/ 00.4. 2.1 100
s/ 30 . 16. 30 1/30 30 1/30 6.5. .
Subnet 1.1 2.1/ 1/3 5.1/
mask /30 30 0 30
Defaul 172.1 10. 172 10.100. 172.1 10.1 172.1 10.1 17 10.
t 6.1.2 100 . 2.2 6.3.2 00.3. 6.4.2 00.4. 2.1 100
gatew .1.2 16. 2 2 6.5. .5.2
ay 2.2 2
Public 172.1 10. 172 10.100. 172.1 10.1 172.1 10.1 - -

IP 6.1.1 100 . 2.1 6.3.1 00.3. 6.4.1 00.4.
.1.1 16. 1 1
2.1
Negoti Auto Aut Aut Auto Auto Auto Auto Auto Aut Aut
ation o o o o
mode
NAT - - - - - - - - OF OF
STUN F F
Uplink 100 100 100 100 100 100 100 100 10 100
bandw 0
idth
(Mbps
)

SD-WAN
Item Value
Downli 100 100 100 100 100 100 100 100 10 100
nk 0
bandw
idth
(Mbps
)
URL- ON ON ON ON ON ON ON ON ON ON
based
deploy
ment
Table 1-35 Site design and ZTP configuration of tenant B
Item Value
Site Hub3 Hub4 Site2
RR ON ON OFF
Conne - - Hub3,
ct to Hub4
RR
Gatew Dual Gateways Dual Gateways Single

ay Gateway
Site Hub Hub Branch1

templa
te
Device Hub3_1 Hub3_2 Hub2_1 Hub2_2 Site2_1
Link MPLS Int MP Interne MPLS Inter MPLS Inter MP Inte

name 1 ern LS2 t2 1 net1 2 net2 LS rne
et1 t
VN under un und underl unde unde under unde un und

instanc lay_1 der erla ay_4 rlay_ rlay_ lay_3 rlay_ der erla
e lay y_3 1 2 4 lay y_2
_2 _1
Interfa IPoE IPo IPo IPoE IPoE IPoE IPoE IPoE IPo IPo
ce E E E E
protoc
ol
IP Static Sta Stat Static Static Stati Static Stati Sta Stat
addres tic ic c c tic ic
s
access
mode

SD-WAN
Item Value
IP 172.1 10. 172 10.100. 172.1 10.1 172.1 10.1 17 10.

addres 6.6.1/ 100 . 7.1/30 6.8.1/ 00.8. 6.9.1/ 00.9. 2.1 100
s/ 30 . 16. 30 1/30 30 1/30 6.1 .
Subnet 6.1 7.1/ 0.1 10.
mask /30 30 /30 1/3
0
Defaul 172.1 10. 172 10.100. 172.1 10.1 172.1 10.1 17 10.
t 6.6.2 100 . 7.2 6.8.2 00.8. 6.9.2 00.9. 2.1 100
gatew .6.2 16. 2 2 6.1 .
ay 7.2 0.2 10.
2
Public 172.1 10. 172 10.100. 172.1 10.1 172.1 10.1 - -

IP 6.6.1 100 . 7.1 6.8.1 00.8. 6.9.1 00.9.
.6.1 16. 1 1
7.1
Negoti Auto Aut Aut Auto Auto Auto Auto Auto Aut Aut
ation o o o o
mode
NAT - - - - - - - - OF OF
STUN F F
Uplink 100 100 100 100 100 100 100 100 10 100
bandw 0
idth
(Mbps
)
Downli 100 100 100 100 100 100 100 100 10 100
nk 0
bandw
idth
(Mbps
)
URL- ON ON ON ON ON ON ON ON ON ON
based
deploy
ment
Table 1-36 NTP information about the edge-RR site of tenant A

Item Value

SD-WAN
Item Value
password
WAN Link MP Inte MPL Inte MPLS Int MP Internet2

LS1 rnet S2 rnet 1 ern LS2
1 2 et1
NTP Server Address 10. 10.1 10.1 10.1 10.10 10. 10. 10.10.1.1
10. 0.1. 0.1. 0.1. .1.1 10. 10.
1.1 1 1 1 1.1 1.1
Authentication OF OFF OFF OFF OFF OF OF OFF

F F F
Table 1-37 NTP information about the edge-RR site of tenant B

Item Value
password
WAN Link MP Inte MPL Inte MPLS Int MP Internet2

LS1 rnet S2 rnet 1 ern LS2
1 2 et1
NTP Server Address 10. 10.1 10.1 10.1 10.10 10. 10. 10.10.1.1
10. 0.1. 0.1. 0.1. .1.1 10. 10.
1.1 1 1 1 1.1 1.1
Authentication OF OFF OFF OFF OFF OF OF OFF

F F F

SD-WAN
Table 1-38 NTP information about edge sites of all tenants

Item Value

VN VPN1 VPN2
Site Name Hub1, Hub2, Site1 Hub3, Hub4, Site2
Topology Topology mode Hub-spoke Hub-spoke
Hub sites Active: Hub1 Active: Hub3

Standby: Hub2 Standby: Hub4
Table 1-40 LAN-side OSPF route information

Item Value
Device Hub1 Hub Hub2 Hub Hub3 Hu Hu Hu

_1 1_2 _1 2_2 _1 b3_ b4_ b4_
2 1 2
Process ID 1001 1001 1001 1001 1001 100 10 100

1 01 1
Common Default ON ON ON ON ON ON ON ON
Parameter route
advertise
ment
Default 1 1 1 1 1 1 1 1
route cost
Internal 10 10 10 10 10 10 10 10
preferenc
e
ASE 150 150 150 150 150 150 15 150

preferenc 0
e

SD-WAN
Item Value
Interface Area ID 0 0 0 0 0 0 0 0
Parameter
Interface Vlani Vlani Vlanif Vlan Vlani Vla Vla Vla
Name f10 f10 10 if10 f10 nif1 nif nif1
0 10 0
Authentic None Non None Non None No No No

ation e e ne ne ne
Mode
Hello 10 10 10 10 10 10 10 10
Timer
DR 0 0 0 0 0 0 0 0
Priority
Route Protocol - - - - - - - -
Redistribut
e Process ID - - - - - - - -
Cost - - - - - - - -
Router Export OFF OFF OFF OFF OFF OFF OF OF

Filter filter F F
Import OFF OFF OFF OFF OFF OFF OF OF

filter F F
Procedure
Step 1 Log in to iMaster NCE-WAN as an MSP administrator and create two tenants.
1. Choose Tenant Management > Dashboard.
2. In Tenants List, click Create, enter tenant and administrator information, and
set the password to the initial password.
– Creating tenant A

SD-WAN

SD-WAN
3. Create tenant B in the same way. After both tenants are created, you can view
the created tenant administrator accounts on the Tenants List page.
Step 2 Log in to iMaster NCE-WAN as tenant A and tenant B. Change the password as
prompted upon the first login.
● Changing the password of tenant A

SD-WAN
● Changing the password of tenant B


SD-WAN

7. Click Apply.

SD-WAN

– Address pool of tenant A
– Address pool of tenant B
12. Click Apply.


SD-WAN


displayed.
OK.
● Device information of tenant A
● Device information of tenant B

SD-WAN
Step 6 Create edge-RR sites and edge sites.

5. Click OK.
– Sites of tenant A
– Sites of tenant B

SD-WAN

1. Configure WAN links for edge-RR sites.

– WAN link configuration for Hub1 of tenant A

SD-WAN

SD-WAN

SD-WAN

SD-WAN
– WAN link configuration for Hub2 of tenant A

SD-WAN

SD-WAN

SD-WAN

SD-WAN
– WAN link configuration for Hub3 of tenant B

SD-WAN

SD-WAN

SD-WAN

SD-WAN
– WAN link configuration for Hub4 of tenant B

SD-WAN

SD-WAN

SD-WAN

SD-WAN
2. Configure NTP for edge-RR sites.

a. Click NTP.

SD-WAN
– NTP configuration for Hub1 of tenant A
– NTP configuration for Hub2 of tenant A
– NTP configuration for Hub3 of tenant B
– NTP configuration for Hub4 of tenant B

– WAN link configuration for Site1 of tenant A

SD-WAN

SD-WAN
– WAN link configuration for Site2 of tenant B

SD-WAN

SD-WAN

b. In the site list on the left, click the created site, and click NTP.
c. On the NTP page that is displayed, select a time zone.

SD-WAN
d. Set NTP client mode to Automatic Synchronization with Parent Node.

e. Click Apply.

● Connecting the edge site of tenant A to the RR
● Connecting the edge site of tenant B to the RR

SD-WAN

1. Create a VN.
d. Click Apply.
– Creating a virtual network for tenant A
– Creating a virtual network for tenant B

SD-WAN

d. Click Apply.
– Overlay topology of tenant A
– Overlay topology of tenant B
Step 10 Configure OSPF routes on the LAN side of Hub sites.

1. Choose Provision > Overlay Network > Overlay Service.
2. On the Overlay Service page, select the VN to be configured, expand the site
template list on the left, click Hub1, and click the LAN Route tab in the right
pane.
3. Click Click Here to Add Routing Protocol or , and select OSPF.

4. On the OSPF page, click Create to configure OSPF routes and click Apply on
the main page.

SD-WAN
5. Configure OSPF routes for Hub1. Configure LAN-side OSPF routes for Hub2,
Hub3, and Hub4 in a similar manner.
– OSPF configurations for Hub1_1
– OSPF configurations for Hub1_2

SD-WAN
Step 11 Configure summarized routes on the core switch on the LAN side of a hub site.
The following uses the configuration on an AR router that functions as a core
switch as an example to describe how to configure the blackhole route function
using commands.
#
ospf 1001
area 0.0.0.0
network 10.100.0.0 0.0.255.255
network 172.16.0.0 0.0.255.255
#
ip route-static 10.100.0.0 255.255.0.0 NULL0
ip route-static 172.16.0.0 255.255.0.0 NULL0
#
return
----End
1.3.5 Building an SD-WAN Network with 5G Links as Backup

Links
Related Products

SD-WAN

AR: V300R019C11SPC200
Enterprise A has multiple branches connected to the headquarters through private
lines. It needs to build an SD-WAN network to replace its legacy network. Two
CPEs are deployed as gateways at the headquarters site and each CPE connects to
the Internet through one link. One CPE is deployed at each branch site and uses
Internet links instead of private lines. The CPE connects to the Internet through an
Ethernet link, and uses a 5G link as the backup of the Ethernet link for connecting
to the Internet through an ISP's 5G network. Branch sites can communicate with
the headquarters site, but cannot directly communicate with other branch sites.
Instead, they can communicate with each other through the headquarters site.
Solution Design
tasks:

SD-WAN
site mode, and the branch site (Site1) uses the edge site mode.
2. Hub1 functions as the headquarters site and poses high reliability
requirements. At Hub1, two CPEs are deployed as gateways, and each CPE
connects to the Internet. At Site1, one CPE is deployed as the gateway and
connects to the Internet through an Ethernet WAN link and a 5G link. The 5G
link functions as the backup of the Ethernet WAN link.
3. There are two solutions for setting a 5G link as a backup link.
– Set the 5G link to the standby state. In this way, the 5G link is used as the
best-effort link upon a fault of the Ethernet link and does not carry
services in normal cases.
– Set the 5G link to the active state, and set its priority lower than for the
Ethernet link in the intelligent traffic steering policy.
In this example, the later solution is adopted, and an intelligent traffic
steering policy is configured to enable the 5G link to function as the backup
of the Ethernet WAN link. In this way, when the Ethernet WAN link is faulty,
services can be switched to the 5G link. After the Ethernet WAN link recovers,
services are automatically switched back to the Ethernet WAN link.
5. To enable direct communication between a branch site and the headquarters
and prevent direct communication between branches, the overlay network
uses the hub-spoke networking.
Data Plan
Item Value
Tenant Name TenantA
Password PassA@1234
Item Value
Transport Network Internet Internet1
Routing Domain Internet Internet

SD-WAN
Item Value
Life time 1440
Password of User Admin test@123
AS number 65001
Community pool 100
IP pool 10.200.0.0/16

Item Value
Template name Hub Branch1
Gateway Dual Gateways Single Gateway
WAN Link Name Internet1 Internet2 Eth_Link 5G_Link
Device Device1 Device2 Device1 Device1
Interface GE3/0/0 GE3/0/0 GE0/0/9 LTE1/0/0
Overlay ON ON ON ON
tunnel
Transport Internet Internet1 Internet Internet1

Network
Role Active Active Active Active
Inter-CPE Reuse OFF - -

Link LAN-side
L2
interface
VLAN ID 4000 - 4008 - -
Device1 GE3/0/2 GE3/0/3 - -

Interface
Device2 GE3/0/2 GE3/0/3 - -

Interface

SD-WAN

2102115640P0J6000031 Hub1_1 AR6300
2102115640P0J6000032 Hub1_2 AR6300
6R02352CQW123000003 Site1_1 AR6120

1

Item Value
Site Hub1 Site1
RR ON OFF
Connect to - Hub1
RR
Site Hub Branch1

template
Device Hub1_1 Hub1_2 Site1_1
Link name Internet1 Internet2 Eth_Link 5G_Link
5G - - - ON
VN instance underlay_1 underlay_ underlay_1 underlay_2

2
Overlay ON ON ON ON
tunnel
Interface IPoE IPoE IPoE -

protocol
IP address Static Static Static -

access
mode
IP address/ 10.100.1.1/30 10.100.2.1 10.100.3.1/30 -

Subnet /30
mask
Default 10.100.1.2 10.100.2.2 10.100.3.2 -

gateway
APN - - - cmnet
User name - - - -

SD-WAN
Item Value
Password - - - -
Auth type - - - CHAP
Public IP 10.100.1.1 10.100.2.1 - -
NAT - - ON ON
traversal
Uplink 100 100 100 50

bandwidth
(Mbps)
Downlink 100 100 100 100

bandwidth
(Mbps)
URL-based ON ON ON ON
deployment

Item Value
password
WAN Link Internet1 Internet2
NTP Server Address 10.10.1.1 10.10.1.1
Authentication OFF OFF

Item Value

SD-WAN
Item Value
VN VPN1
IPSec Encryption ON
Site Name Hub1, Site1
Topology mode Hub-spoke
Redirect sites Hub1
Table 1-49 Traffic classifier template information
Item Value
Traffic classifier name test_traffic_any
Operator And
L3 ACL ● Priority: 10
● Protocol: IP
Table 1-50 Intelligent traffic steering information about the overlay network
Item Value
Policy name test_5G_standby
Traffic Classifier Template test_traffic_any
Policy Priority 10
Switchover Delay (ms) 999

Condition
Jitter (ms) 500
Packet loss rate 500

(‰)
Transport Network Primary Transport ● Transport Network: Internet;

Priority Network Priority: 1
● Transport Network: Internet1;
Priority: 2
Secondary -
Transport Network
Advanced settings Inter-TN Policy Prefer
Action when Optimal link

conditions not met

SD-WAN
Item Value
Switchover mode Pre-emptive
Site Site1
Procedure
3. Retain the system default Internet for the routing domain. No additional
configuration is required.
4. Retain the system defaults Internet and Internet1 for the transport networks.
No additional configuration is required.


SD-WAN
8. Click OK.

SD-WAN
13. Click OK.

displayed.

SD-WAN

OK.

4. Under Add Device, select the devices.
5. Click OK.
● Edge-RR site
● Edge site

SD-WAN

b. In the site list on the left, click the created site. Click Select template and
choose the site template, and the WAN Link page displays link
information.

e. Click OK to complete the WAN link configuration.

SD-WAN

SD-WAN

SD-WAN
a. Click NTP.
information and click OK to complete the NTP configuration.

link parameters for the edge sites and click OK.

SD-WAN

SD-WAN

SD-WAN

c. Click OK.


SD-WAN

1. Create a VN.
d. Click OK.

SD-WAN

d. Click OK.
Step 9 Configure a traffic classifier template.

1. Choose Policy > Traffic Policy.

SD-WAN
2. Click Traffic Classifier Template. Click Create to create a traffic classifier

template.
3. Configure a traffic classification rule.
Step 10 Configure intelligent traffic steering policies for the overlay networks.
1. Choose Policy > Traffic Policy > Overlay.
2. On the Overlay page, select a VN and click Intelligent Traffic Steering. On
the Intelligent Traffic Steering tab page, click Create and configure
intelligent traffic steering policies.

SD-WAN
3. On the Intelligent Traffic Steering tab page, click in the Operation

column of the policy. In the Attach Sites dialog box that is displayed, select a
site to be bound to the policy. Click and then click OK.

SD-WAN
4. Select the policy to be submitted, click Commit, and select Commit Selected.
5. In the Commit dialog box that is displayed, set Effective time to
Immediately and click OK.
----End
1.3.6 Building a Hierarchical SD-WAN Network Using Multiple

Sub Interfaces for Interconnection
Related Products
AR: V300R019C11SPC200
Bank B needs to build its own SD-WAN network. The bank network is divided into
three layers: branch, sub-branch, and micro-branch. Two data centers (DCs) are
deployed at branches and work in active/standby mode to provide services
externally. The WANs are Layer 2 MSTP private line networks provided by three
ISPs. iMaster NCE-WAN is deployed in DC1 and connects to the WANs through a
traditional router. One hub site is deployed in each DC, and two SD-WAN CPEs are
deployed at each hub site. Each CPE connects to the three ISP networks through
three links. Two CPEs are deployed at a sub-branch, and establish a total of six
links. Three uplinks are connected to the three ISP networks for interconnection
with the DCs, while three downlinks are connected to the three ISP networks for
interconnection with micro-branches.

SD-WAN
Solution Design
tasks:
1. On an SD-WAN network, an RR uses the co-deployment mode. The CPE at a
tenant's edge site also functions as an RR. Such a site is called an edge-RR
site. In this example, to improve reliability, Hub1 and Hub2 where the two
DCs reside are deployed as edge-RR sites, and other branch sites are deployed
as edge sites and use Hub1 and Hub2 as RRs.
2. Sub-branches can directly communicate with the DCs, while micro-branches
can communicate with the DCs through sub-branches. Therefore, the
hierarchical networking is used. As shown in Figure 1-7, Hub1 and Hub2 are
branches, Agg1 is a sub-branch, and Site1 is a micro-branch. Hub1 and Hub2
(hub sites) form the default area, which uses the hub-spoke overlay topology.
Agg1 and micro-branches form Area1, which also uses the hub-spoke overlay
topology. Agg1 functions as both the hub site and border site in Area1. Site1
communicates with Hub1 and iMaster NCE-WAN deployed in the DCs
through Agg1. The hub-spoke overlay topology is used between the areas.
Hub1 and Hub2 function as hub sites, and Agg1 communicates with other
sub-branch sites through the hub sites.
3. Hub1 and Hub2 each use two CPEs as gateways. Each CPE connects to ISP1,
ISP2, and ISP3 through three WAN links. Site1 uses two CPEs as gateways:
CPE1 connected to ISP1 and CPE2 connected to ISP2 and ISP3. Agg1 uses two
CPEs as gateways, and establish a total of six links. Three uplinks are
connected to the three ISP networks for interconnection with the DCs, while

SD-WAN
three downlinks are connected to the three ISP networks for interconnection
with micro-branches.
4. Bank B has a large number of micro-branches, each of which connects to
Agg1 through an ISP private line. Therefore, Ethernet sub-interfaces are
configured on CPEs at Agg1 to provide a large number of WAN links. Agg1
needs to provide uplinks and downlinks for communication between micro-
branch sites and hub sites through overlay tunnels and between micro-branch
sites with iMaster NCE-WAN in the DCs through the underlay network. To
meet these communication requirements, loopback interfaces are configured
on CPEs at Agg1 for establishing overlay tunnels. Physical interfaces are used
to forward underlay traffic and cannot be enabled with the overlay tunneling
function. Assuming that CPE1 at Agg1 needs to communicate with Site1
through ISP1, the configuration roadmap is as follows:
a. Configure a WAN link on the loopback interface of CPE1, and configure
VN instance Underlay_1 for the WAN link.
b. On CPE1, configure a WAN uplink on the physical interface GE1 and a
WAN uplink on the sub-interface GE2.1031 for connecting to the MSTP
network (ISP1). Disable the overlay tunneling function on GE1 and
GE2.1031. Configure VN instance Underlay_1 for these WAN links.
c. Configure underlay WAN routes to each site on CPE1 to implement
communication with CPEs at these sites. Because ISP1 is a Layer 2 MSTP
network, the underlay WAN routes can be either static or OSPF routes.
Data Plan

Item Value
Tenant Name TenantA
Password PassA@1234

Item Value
Transport ISP1 ISP2 ISP3

Network
Routing ISP1 ISP2 ISP3

Domain

SD-WAN
Item Value
IPSec ON ON ON
Encryption
Encryption AES256
algorithm
Life time 1440
URL encryption 123abc

key
Token validity 7
period (day)
User Admin
AS number 65001
Community 100
pool
IP pool 10.200.0.0/16
2102115640P0J6000061 Hub1_1 AR6300
2102115640P0J6000062 Hub1_2 AR6300
2102115640P0J6000063 Hub2_1 AR6300
2102115640P0J6000064 Hub2_2 AR6300
2102115640P0J6000065 Agg1_1 AR6300
2102115640P0J6000066 Agg1_2 AR6300
6R02352CQW1230000061 Site1_1 AR6120
6R02352CQW1230000062 Site1_2 AR6120
Table 1-54 Site template (1)
Item Value
Template Hub
name

SD-WAN
Item Value
Gateway Dual Gateways
WAN Na ISP1_1 ISP2_ ISP3_1 ISP1_2 ISP2_ ISP3_2

Link me 1 2
Devi Device1 Device2

ce
Inter GE0/0/1 GE0/0 GE0/0/1 GE0/0/1 GE0/0 GE0/0/1

face /1 /1
Sub ON ON ON ON ON ON
Inter
face
Sub 1011 1012 1013 1021 1022 1023

Inter
face
Inde
x
Ove ON ON ON ON ON ON
rlay
Tun
nel
Tran ISP1 ISP2 ISP3 ISP1 ISP2 ISP3

spor
t
Net
wor
k
Inter- Reus OFF

CPE e
Link LAN
-side
L2
inter
face
VLA 4000 - 4008

N ID
Devi GE0/0/4 GE0/0/5

ce1
Inter
face

SD-WAN
Item Value

ce2
Inter
face

Item Value
Template Agg
name
WA Nam ISP1_ ISP1_ ISP1_ ISP ISP2 ISP2_ ISP3 ISP3_ ISP3_L
N e 1 2 Lo 2_1 _2 Lo _1 2 o
Link
Devi Device1 Device2
ce
Inter GE0/ GE0/ LoopB GE0 GE0 Loop GE0 GE0/ LoopB
face 0/1 0/2 ack90 /0/ /0/2 Back /0/8 0/9 ack90
1 1 902 3
Sub OFF ON - OFF ON - OFF ON -

Inter
face
Sub - 1031 - - 103 - - 1033 -

Inter 2
face
Inde
x
Over OFF OFF ON OFF OFF ON OFF OFF ON

lay
Tunn
el
Tran ISP1 ISP1 ISP1 ISP ISP2 ISP2 ISP3 ISP3 ISP3
spor 2
t
Net
work
Role Activ Activ Active Acti Acti Activ Acti Activ Active
e e ve ve e ve e

SD-WAN
Item Value
Inte Reus OFF

r- e
CPE LAN
Link -side
L2
inter
face
VLA 4000 - 4008

N ID

ce1
Inter
face

ce2
Inter
face

Item Value
Template name Branch
WAN Link Name ISP1_1 ISP2_1 ISP3_1
Device Device1 Device2
Interface GE0/0/1 GE0/0/1 GE0/0/2
Overlay ON ON ON
Tunnel
Transport ISP1 ISP2 ISP3

Network
Role Active Active Active
Inter-CPE Reuse LAN- OFF

Link side L2
interface
VLAN ID 4000 - 4008
Device1 GE0/0/4 GE0/0/5

Interface

SD-WAN
Item Value
Device2 GE0/0/4 GE0/0/5

Interface
Table 1-57 Site design and ZTP configurations (1)

Item Value
Site Hub1 Hub2
RR ON ON
Gate Dual Gateways Dual Gateways

way
Site Hub Hub

temp
late
Devi Hub1_1 Hub1_2 Hub2_1 Hub2_2

ce
Link ISP ISP ISP3_ ISP1 ISP2 ISP ISP1 ISP2 ISP3 ISP IS IS
nam 1_1 2_ 1 _2 _2 3_2 _1 _1 _1 1_2 P2 P
e 1 _2 3_
2
Sub- ON O ON ON ON ON ON ON ON ON O O
inter N N N
face
Num 10 10 1013 102 102 10 1011 101 101 102 10 1

ber 11 12 1 2 23 2 3 1 22 0
2
3
VLA 10 10 1013 102 102 10 1011 101 101 102 10 1

N ID 11 12 1 2 23 2 3 1 22 0
2
3
VN un un under und und un unde und und und un u

insta der de lay_3 erla erla der rlay_ erla erla erla de n
nce lay rla y_4 y_5 lay 1 y_2 y_3 y_4 rla d
_1 y_ _6 y_ er
2 5 la
y_
6
Over ON O ON ON ON ON ON ON ON ON O O
lay N N N
tunn
el

SD-WAN
Item Value
Inter IPo IP IPoE IPo IPoE IPo IPoE IPoE IPoE IPo IP IP
face E oE E E E oE o
prot E
ocol
IP Sta St Static Stat Stati Sta Stati Stati Stat Stat St St

addr tic ati ic c tic c c ic ic ati at
ess c c ic
acce
ss
mod
e
IP 17 17 172.1 172. 172. 17 172. 172. 172. 172 17 1

addr 2.1 2.1 6.1.9/ 16.1 16.1 2.1 16.1. 16.1 16.1 . 2. 7
ess/ 6.1. 6.1 30 . . 6.1. 25/3 . . 16. 16 2.
Subn 1/3 . 13/ 17/3 21/ 0 29/3 33/ 1.3 . 1
et 0 5/ 30 0 30 0 30 7/3 1. 6.
mas 30 0 41 1.
k /3 4
0 5/
3
0
Defa 17 17 172.1 172. 172. 17 172. 172. 172. 172 17 1

ult 2.1 2.1 6.1.10 16.1 16.1 2.1 16.1. 16.1 16.1 . 2. 7
gate 6.1. 6.1 .14 .18 6.1. 26 .30 .34 16. 16 2.
way 2 .6 22 1.3 . 1
8 1. 6.
42 1.
4
6
Publi 17 17 172.1 172. 172. 17 172. 172. 172. 172 17 1

c IP 2.1 2.1 6.1.9 16.1 16.1 2.1 16.1. 16.1 16.1 . 2. 7
6.1. 6.1 .13 .17 6.1. 25 .29 .33 16. 16 2.
1 .5 21 1.3 . 1
7 1. 6.
41 1.
4
5
Upli 10 10 100 100 100 10 100 100 100 100 10 1

nk 0 0 0 0 0
band 0
widt
h
(Mb
ps)

SD-WAN
Item Value
Dow 10 10 100 100 100 10 100 100 100 100 10 1

nlink 0 0 0 0 0
band 0
widt
h
(Mb
ps)
URL- ON O ON ON ON ON ON ON ON ON O O
base N N N
d
depl
oym
ent

Item Value
Site Agg1
RR OFF
Conne Hub1, Hub2

ct to
RR
Gatew Dual Gateways

ay
Site Agg
templa
te
Device Agg1_1 Agg1_2
Link ISP1 ISP1 ISP1_Lo ISP2_ ISP ISP ISP ISP3_ ISP3_Lo
name _1 _2 1 2_ 2_L 3_1 2
2 o
Interfa GE0/ GE0 LoopBa GE0/ GE Lo GE GE0/0 LoopBack90

ce 0/1 /0/2 ck901 0/1 0/ op 0/0 /9 3
0/ Ba /8
2 ck9
02
Sub- OFF ON - OFF O - OF ON -

interfa N F
ce
Numb - 103 - - 10 - - 1033 -

er 1 32

SD-WAN
Item Value
VLAN - 103 - - 10 - - 1033 -

ID 1 32
VN unde und underla under un un und underl underlay_3

instanc rlay_ erla y_1 lay_2 de der erla ay_3
e 1 y_1 rla lay y_3
y_ _2
2
Overla OFF OFF ON OFF OF ON OF OFF ON

y F F
tunnel
Interfa IPoE IPoE IPoE IPoE IP IPo IPo IPoE IPoE

ce oE E E
protoc
ol
IP Stati Stati Static Static St Sta Stat Static Static

addres c c ati tic ic
s c
access
mode
IP 172. 172. 172.16.2 172.1 17 17 172 172.1 172.16.200.

addres 16.2. 16.1 00.1/32 6.2.5/ 2.1 2.1 . 6.100. 3/32
s/ 1/30 00.1 30 6.1 6.2 16. 9/30
Subnet /30 00. 00. 2.9/
mask 5/ 2/3 30
30 2
Defaul 172. 172. - 172.1 17 - 172 172.1 -

t 16.2. 16.1 6.2.6 2.1 . 6.100.
gatew 2 00.2 6.1 16. 10
ay 00. 2.1
6 0
NAT OFF OFF - OFF OF - OF OFF -

travers F F
al
Uplink 100 100 - 100 10 - 100 100 -

bandw 0
idth
(Mbps
)
Downli 100 100 - 100 10 - 100 100 -

nk 0
bandw
idth
(Mbps
)

SD-WAN
Item Value
URL- ON OFF - ON OF - ON OFF -

based F
deploy
ment
Southb Publi - - Public - - Pub - -

ound c Defau lic
interfa Defa lt Def
ce ult South ault
service Sout Acces Sou
h s th
Acce Acc
ss ess

Item Value
Site Site1
RR OFF
Connect to RR Hub1, Hub2
Site template Branch
Device Site1_1 Site1_2
Link name ISP1_1 ISP2_1 ISP3_1
Sub-interface OFF OFF OFF
VN instance underlay_1 underlay_2 underlay_3
Overlay tunnel ON ON ON
Interface protocol IPoE IPoE IPoE
IP address access Static Static Static

mode
IP address/Subnet 172.16.3.1/30 172.16.3.5/30 172.16.3.9/30

mask
Default gateway 172.16.3.2 172.16.3.6 172.16.3.10
NAT traversal OFF OFF OFF
Uplink bandwidth 100 100 100

(Mbps)

SD-WAN
Item Value
Downlink bandwidth 100 100 100

(Mbps)
URL-based ON ON ON
deployment
Item Value
password
Device Hub1_1 Hub1_ Hub2_ Hub2_2

2 1
WAN Link ISP1 ISP2 ISP1 ISP2
NTP Server Address 10.10.1.1 10.10.1 10.10.1 10.10.1.1

.1 .1
Item Value
Item Value
VN VPN1
IPSec ON
Encryption

SD-WAN
Item Value
Site Name Hub1, Hub2, Agg1, Site1
Area Area default Area1

Topo
logy Sites Hub1, Hub2 Agg1, Site1
Topolo Hub-spoke Hub-spoke

gy
mode
Hub Priority of Hub1: Priority of Agg1: 1

sites 1
Priority of Hub2:
2
Branch ON ON
to
Branch
Interc
onnect
ion
Branch Hub1, Hub2 Agg1

to
Branch
Hub
Border Hub1, Hub2 Agg1

sites
Area Topolo Hub-spoke

Inter gy
conn mode
ectio
n Hub Active: Hub1
sites Standby: Hub2
Procedure
3. Configure the routing domain.

SD-WAN
4. Configure transport networks.


SD-WAN
8. Click OK.

SD-WAN
13. Click OK.

● Hub site template
● Agg site template

SD-WAN
● Branch site template

displayed.

OK.

SD-WAN

5. Click OK.
● Hub1 and Hub2 sites

SD-WAN
● Agg1 site
● Site1 site

1. Configure WAN links for the Hub1 and Hub2.
information.

SD-WAN


SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN
a. Click NTP.
3. Configure WAN links for Agg1.

– Import the Agg site template.

SD-WAN
– Configure a WAN link on GE0/0/1 for ISP1 to connect to Hub1, and

ensure that the overlay tunneling function is disabled on GE0/0/1.

SD-WAN
– Configure a WAN link on GE0/0/2.1031 for ISP1 to connect to Site1, and

ensure that the VN instance is the same as that for the WAN link ISP1_1.

SD-WAN

SD-WAN
– Configure a WAN link on the loopback interface for Agg1 to establish an

overlay tunnel with ISP1, and ensure that the VN instance is the same as
that for the links ISP1_1 and ISP1_2 connected to ISP1.
– Configure WAN links for Agg1 to connect to ISP2.

SD-WAN

SD-WAN

SD-WAN
– Configure WAN links for Agg1 to connect to ISP3.

SD-WAN

SD-WAN

SD-WAN
4. Configure WAN links for Site1.

– Import the Branch site template.

SD-WAN
– Configure WAN links on GE0/0/1 for Site1 to connect to ISP1 and then
interconnect with Agg1.

SD-WAN

SD-WAN

SD-WAN
5. Configure NTP for Agg1 and Site1.

SD-WAN

b. In the site list on the left, click the created site.
c. Click NTP and the NTP page is displayed, select a time zone.
d. Set NTP client mode to Automatic Synchronization with Parent Node.
e. Click OK.


SD-WAN

1. Create a VN.
d. Click OK.

SD-WAN

c. On the Predefine Topology page, click Advanced Mode.
d. On the Area Topology tab page, click corresponding to the default

area.
▪ Configure the default area.
▪ On the Area Topology tab page, click Create to create area Area1.

SD-WAN
▪ On the Area Interconnection tab page, set the inter-area topology

mode.
NOTE
In this example, Hub1 functions as the active hub site and Hub2 as the
standby hub site for all sub-branches. To enable Hub1 to function as the
active hub site for some sub-branches and Hub2 to function as the active
hub site for the other sub-branches, you need to customize a topology
policy. For the sub-branches using Hub2 as the active hub site, set a higher
priority for the next-hop site (Hub2) than for Hub1.
----End
1.3.7 Building a Multi-Hub SD-WAN Network Using the Hub-

Spoke Topology
Related Products
AR: V300R019C11SPC200

SD-WAN
Bank B needs to build an SD-WAN network to replace its legacy network. To
improve service reliability, it deploys three DCs in China for disaster recovery.
Based on geographical locations, each branch uses the nearest DC as the active
DC and other two DCs as the standby DCs. Branch sites can directly communicate
with the DCs, and can communicate with each other through the DCs.
Solution Design
tasks:

edge-RR site In this example, the site where each DC resides is deployed as an
edge-RR site. The uses Hub1, Hub2, and Hub3 as an example. Other branch
sites are deployed as edge sites. The following uses Site1, Site2, and Site3 as
an example.
2. Hub1, Hub2, and Hub3 have high reliability requirements. Each of them uses
two CPEs as gateways. Each CPE connects to the ISP private line network
through two WAN links. Site1, Site2, and Site3 use a single CPE as the
gateway and connect to the ISP private line network through one WAN link.
4. To enable direct communication between branch sites and the DCs and
prevent direct communication between branch sites, the overlay network uses
the hub-spoke networking. For different branch sites, different priorities are
set for hub sites to work in active/standby mode. Site1 uses Hub1 as the

SD-WAN
active hub site and Hub2 and Hub3 as the standby hub sites; Site2 uses Hub2
as the active hub site and Hub1 and Hub3 as standby hub sites; Site3 uses
Hub3 as the active hub site and Hub1 and Hub2 are standby hub sites. The
branch sites communicate with each other through hub sites. In this example,
Hub1 and Hub2 are configured as the hub sites for branch interconnection.
Data Plan
Item Value
Tenant Name TenantA
Password PassA@1234
Item Value
Transport Network MPLS
Routing Domain MPLS
IPSec Encryption ON
Life time 1440
Token validity period 7

(day)
Password of User test@123

Admin
AS number 65001
Community pool 100
IP pool 10.200.0.0/16
Item Value
Template name Hub Branch

SD-WAN
Item Value
WAN Name MPLS1 MPLS2 MPLS

Link
Device Device1 Device2 Device1
Interfac GE3/0/0 GE3/0/0 GE0/0/1

e
Overlay ON ON ON
tunnel
Transpo MPLS MPLS MPLS

rt
Networ
k
Role Active Active Active
Inter- Reuse OFF -

CPE LAN-
Link side L2
interfac
e
VLAN 4000 - 4008 -

ID
Device1 GE3/0/2 GE3/0/3 -

Interfac
e
Device2 GE3/0/2 GE3/0/3 -

Interfac
e

2102115640DMK4000011 Hub1_1 AR6300
2102115640DMK4000012 Hub1_2 AR6300
2102115640DMK4000013 Hub2_1 AR6300
2102115640DMK4000014 Hub2_2 AR6300
2102115640DMK4000015 Hub3_1 AR6300
2102115640DMK4000016 Hub3_2 AR6300
1002353BVK19A1110001 Site1_1 AR6121

SD-WAN
1002353BVK19A1110002 Site2_1 AR6121
1002353BVK19A1110003 Site3_1 AR6121
Table 1-67 Site design and ZTP configurations at sites (1)

Item Value
Site Hub1 Hub2 Hub3
RR ON ON ON
Gate Dual Dual Gateways Dual Gateways

way Gateways
Site Hub Hub Hub

tem
plate
Devi Hub Hub1_ Hub2_1 Hub2_2 Hub3_1 Hub3_2

ce 1_1 2
Link MPL MPLS2 MPLS1 MPLS2 MPLS1 MPLS2

nam S1
e
VN unde underl underlay_ underlay underlay_ underlay_2

insta rlay_ ay_2 1 _2 1
nce 1
Over ON ON ON ON ON ON
lay
tunn
el
Inter IPoE IPoE IPoE IPoE IPoE IPoE

face
prot
ocol
IP Stati Static Static Static Static Static

addr c
ess
acce
ss
mod
e

SD-WAN
Item Value
IP 172. 172.16. 172.16.3. 172.16.4 172.16.5.1 172.16.6.1/30

addr 16.1. 2.1/30 1/30 .1/30 /30
ess/ 1/30
Subn
et
mas
k
Defa 172. 172.16. 172.16.3. 172.16.4 172.16.5.2 172.16.6.2

ult 16.1. 2.2 2 .2
gate 2
way
Publi 172. 172.16. 172.16.3. 172.16.4 172.16.5.1 172.16.6.1

c IP 16.1. 2.1 1 .1
1
Upli 100 100 100 100 100 100

nk
band
widt
h
(Mb
ps)
Dow 100 100 100 100 100 100

nlink
band
widt
h
(Mb
ps)
base
d
depl
oym
ent
Table 1-68 Site design and ZTP configurations at sites (2)

Item Value
Site Site1 Site2 Site3
RR OFF OFF OFF
Connect to RR Hub1, Hub2 Hub2, Hub3 Hub2, Hub3

SD-WAN
Item Value
Gateway Single Gateway Single Gateway Single

Gateway
Site template Branch Branch Branch
Device Site1_1 Site2_1 Site3_1
Link name MPLS MPLS MPLS
VN instance underlay_1 underlay_1 underlay_1
Overlay tunnel ON ON ON
Interface protocol IPoE IPoE IPoE
IP address access Static Static Static

mode
IP address/Subnet 172.16.7.1/30 172.16.8.1/30 172.16.9.1/30

mask
Default gateway 172.16.7.2 172.16.8.2 172.16.9.2
NAT traversal OFF OFF OFF
Uplink bandwidth 100 100 100

(Mbps)
Downlink bandwidth 100 100 100

(Mbps)
URL-based ON ON ON
deployment

Item Value
Authentication password ntp123
WAN Link MPLS1 MPLS2
NTP Server Address 10.10.1.1 10.10.1.1
Authentication OFF OFF

SD-WAN
Item Value
Item Value
VN VPN1
IPSec ON
Encrypti
on
Site Hub1, Hub2, Hub3, Site1, Site2, Site3

Name
Topolog Hub-spoke
y mode
Hub Hub1, Hub2, Hub3

sites
Branch ON
to
Branch
Interco
nnectio
n
Branch Hub1, Hub2

to
Branch
Hub
Priority Site Hub1: 1; Hub2: 2; Hub3: 3

1
Site Hub1: 2; Hub2: 1; Hub3: 3

2
Site Hub1: 2; Hub2: 3; Hub3: 1

3
Procedure

SD-WAN

3. Retain the system default MPLS for the routing domain. No additional
4. Retain the system default MPLS for the transport network. No additional


SD-WAN
8. Click OK.
13. Click OK.

SD-WAN

displayed.
OK.

SD-WAN

5. Click OK.
● Edge-RR site

SD-WAN
● Edge site

SD-WAN

SD-WAN

information.

– Configure WAN links for Hub1.

SD-WAN

SD-WAN
– Configure WAN links for Hub2 and Hub3 by referring to the WAN link
configuration for Hub1.

SD-WAN

a. Click NTP.
▪ Configure WAN links for Hub1.
▪ Configure NTP for Hub2 and Hub3 by referring to the NTP

configuration for Hub1.
– Configure WAN links for Site1.

SD-WAN
– Configure WAN links for Site2 and Site3 by referring to the WAN link
configuration for Site1.

SD-WAN

c. Click OK.

– Set Hub1 and Hub2 as the RR sites for Site1.

SD-WAN
– Select Hub2 and Hub3 as the RR sites for both Site2 and Site3.

1. Create a VN.
d. Click OK.

SD-WAN

d. Click OK.
– Enable Branch to Branch Interconnection, and select Hub1 and Hub2 as

the hub sites for branch interconnection.
– Set the priority of Hub1 (active hub site for Site1) to 1, and set the
priorities of Hub2 and Hub3 (standby hub sites for Site1) to 2 and 3
respectively.
respectively.

SD-WAN
respectively.
----End
1.3.8 Connecting Sites to an MPLS Backbone Network

Through Gateways
Related Products
AR: V300R019C11SPC200
An MSP provides SD-WAN services for enterprise A and completes network
deployment for implementing mutual access between the headquarters and
branches and between branches. The headquarters and branches of enterprise A
are widely distributed, and need to communicate with each other efficiently
through an MPLS backbone network. Therefore, in the SD-WAN networking
solution, the MSP needs to provide gateways for interconnection with the MPLS
backbone network. Figure 1-9 shows the SD-WAN networking diagram of
enterprise A.
Solution Design
The MSP needs to provide enterprise A with services for interconnection between
the gateways and MPLS backbone network. Therefore, the MSP needs to deploy
RR and gateway sites. In addition, this solution uses the MSP-operated mode, in

SD-WAN
which the MSP administrator configures the MSP's RR and gateway sites as well as
the tenant's SD-WAN sites. The networking is designed as follows:
1. To improve reliability, two RR sites are deployed in active/standby mode, for

example, RR1 and RR2 in Figure 1-9. Each is connected to the MPLS and
Internet networks through two WAN links respectively.
2. Two gateway sites are deployed in active/standby mode, for example, GW1
and GW2 in Figure 1-9 . Each is connected to the MPLS and Internet
networks through two WAN links respectively. On the LAN side, the gateways
are connected to PEs on the MPLS backbone network. The Option B solution
is used, and routes are configured for GW1 and GW2 to communicate with
PEs.
3. Hub1 uses two CPEs as its gateways. Each CPE is connected to the MPLS and
Internet networks through two WAN links respectively and communicates
with the MSP's gateways. Site1 uses a single CPE as its gateway, which is
connected to the MPLS and Internet networks through two WAN links and
communicates with the MSP's gateways. In such networking, Hub1 and Site1
are connected to the MSP's gateways and communicate with each other
through the MPLS backbone network. Some branches have not joined the SD-
WAN network and communicate with Hub1 and Site1 as legacy sites through
the MPLS backbone network and MSP's gateways.
Data Plan
Table 1-72 MSP and tenant information
Item Value
MSP Name MSPA
MSP Account [email protected]
MSP Password MSPAPass@1234
Tenant Name TenantA
Tenant Account [email protected]
Tenant Password PassA@1234
Table 1-73 MSP network parameter settings
Item Value
Transport MPLS Internet

Network
IPSec Encryption OFF ON
AS number 65001

SD-WAN
Item Value
Community pool 100
IP pool 10.50.0.0/16
Authentication SHA2-256
algorithm
Encryption AES256
algorithm
Life time 1440

key
URL opening 7
validity period
(day)
User Admin
Table 1-74 MSP device capabilities

Device Type Tenant VN Site Count
Model Count Count
AR6280 RR 50 - 1000
AR6280 IWG - 100 200
Table 1-75 MSP device information

21021156411234500081 RR1 AR6280
21021156411234500082 RR2 AR6280
21021156411234500083 GW1 AR6280
21021156411234500084 GW2 AR6280
Table 1-76 RR and gateway site design and ZTP configurations

Item Value
Site RR1 RR2 GW1 GW2

SD-WAN
Item Value
Connec - - RR1, RR2 RR1, RR2

t to RR
Device RR1 RR2 GW1 GW2
Link MPLS Inter MPLS Inter MPLS Internet MPLS Internet

name net net
Transp MPLS Inter MPLS Inter MPLS Internet MPLS Internet

ort net net
networ
k
Interfa GE0/0 GE0/ GE0/0 GE0/ GE0/0 GE0/0/1 GE0/0 GE0/0/1

ce /0 0/1 /0 0/1 /0 /0
VN under unde underl unde underl underlay underl underla

instanc lay_1 rlay_ ay_1 rlay_ ay_1 _2 ay_1 y_2
e 2 2
y
tunnel
Interfa IPoE IPoE IPoE IPoE IPoE IPoE IPoE IPoE

ce
protoc
ol
IP Static Static Static Static Static Static Static Static

addres
s
access
mode
IP 172.1 10.10 172.16 10.10 172.1 10.100.10 172.16 10.100.

addres 6.101. 0.101 . 0.102 6.103. 3.1/30 . 104.1/3
s/ 1/30 .1/30 102.1/ .1/30 1/30 104.1/ 0
Subnet 30 30
mask
Default 172.1 10.10 172.16 10.10 172.1 10.100.10 172.16 10.100.

gatewa 6.101. 0.101 .102.2 0.102 6.103. 3.2 .104.2 104.2
y 2 .2 .2 2
Public 172.1 10.10 172.16 10.10 - - - -

IP 6.101. 0.101 .102.1 0.102
addres 1 .1 .1
s
NAT OFF OFF OFF OFF OFF ON OFF ON

travers
al

SD-WAN
Item Value
Uplink 100 100 100 100 100 100 100 100

bandwi
dth
(Mbps)
Downli 100 100 100 100 100 100 100 100

nk
bandwi
dth
(Mbps)
based
deploy
ment
Table 1-77 NTP information of RR sites

Item Value
Time zone (UTC+08:00)Beijing,Chongqing,Hong

Kong,Urumqi
Authentication password ntp123
Device RR1 RR2
WAN Link MPLS Internet MPLS Internet
NTP Server Address 10.10.1 10.10.1.1 10.10.1.1 10.10.1.1

.1
Table 1-78 NTP information of gateway sites

Item Value

SD-WAN
Table 1-79 Underlay route information

Item Value
Site RR1 RR1 RR2 RR2 GW1 GW1 GW GW2

2
Devic 60 60 60 60 60 60 60 60
e
Priori MPLS Intern MPL Interne MPL Internet MP Internet

ty et S t S LS
WAN 0.0.0. 0.0.0. 0.0.0. 0.0.0.0 0.0.0 0.0.0.0/ 0.0. 0.0.0.0/0

link 0/0 0/0 0/0 /0 .0/0 0 0.0/
0
Desti IP IP IP IP IP IP IP IP address
natio addre addre addr addres addr address add
n ss ss ess s ess ress
addr
ess/
mask
Next 172.1 10.10 172. 10.100. 172. 10.100. 172 10.100.104.2

-hop 6.101 0.101. 16.1 102.2 16.1 103.2 .
type .2 2 02.2 03.2 16.
104
.2
IP OFF OFF OFF OFF OFF OFF OFF OFF

addr
ess
Track
Table 1-80 Interconnection configurations of gateways in the Option B solution

Item Value
Gateway GW1 GW2
L3 Inter GE0/0/ GE0/0/ GE0/0/ GE0/0/2

Int face 2 2 2
erf
ac Sub- 4010 4011 4012 4013
e inter
face
VLA
N ID
IP 10.255. 10.255. 10.255. 10.255.1.13/30

addr 1.1/30 1.5/30 1.9/30
ess

SD-WAN
Item Value
MTU 1500 1500 1500 1500
MSS 1200 1200 1200 1200
Ro Prot Static Static Static Static

ute ocol
Priori 60 60 60 60
ty
Desti 192.16 192.16 192.16 192.168.0.0/16

natio 8.0.0/1 8.0.0/1 8.0.0/1
n 6 6 6
Addr
ess/
Mas
k
Next IP IP IP IP address
-hop addres address address
type s
IP 10.255. 10.255. 10.255. 10.255.1.14

addr 1.2 1.6 1.10
ess
BG Peer 10.255. 10.255. 10.255. 10.255.1.14

P IP 1.2 1.6 1.10
VP Addr
NV ess
4
Peer 65400 65400 65400 65400
AS
Local 65401 65401 65401 65401

AS
MD5 admin admin1 admin1 admin123

encr 123 23 23
yptio
n
Routi - - - -
ng
Polic
y
(Exp
ort)

SD-WAN
Item Value
Routi - - - -
ng
Polic
y
(Imp
ort)
Table 1-81 Group information

Item Value
Grou Group1 Group2

p
Nam
e
Gate GW1 GW2

way
RR RR1 RR2
Table 1-82 Services provided for tenants

Item Value
Tenant [email protected]
account
RR Share Share
Servi mode
ce
GW Inter OptionB
Servi worki
ce ng
mode
Share Share
mode
None VPN NoneSdwan_VPN1

- Nam
SDW e
AN
VPN Impor 2:2
t VPN
targe
t

SD-WAN
Item Value
Expor 2:2
t VPN
targe
t
Table 1-83 Tenant network device information

Item Value

Network
Routing Domain MPLS(MSP) Internet(MSP)
Encryption AES256
algorithm
Life time 1440

key
URL opening 7
validity period
(day)
User Admin
AS number 65001
Community pool 100
IP pool 10.200.0.0/16
Table 1-84 Tenant site templates

Item Value
Template Hub Branch1

name
WA Na MPLS1 Internet1 MPLS2 Interne MPLS Internet

N me t2
Link

SD-WAN
Item Value
Devi Device1 Device2 Device1 Device1

ce
Inte GE0/0/ GE0/0/1 GE0/0/ GE0/0/ GE0/0/3 GE0/0/4

rfac 0 0 1
e
Ove ON ON ON ON ON ON
rlay
tun
nel
Tran MPLS Internet MPLS Interne MPLS Internet

spor t
t
Net
wor
k
Inte Reu OFF - -

r- se
CPE LAN
Link -
side
L2
inte
rfac
e
VLA 4000 - 4008 - -

N
ID
Devi GE0/0/2 GE0/0/3 - -

ce1
Inte
rfac
e
Devi GE0/0/2 GE0/0/3 - -

ce2
Inte
rfac
e

SD-WAN
Table 1-85 Tenant device information
21021156411234500085 Hub1_1 AR6280
21021156411234500086 Hub1_2 AR6280
1002353BVK19A1110081 Site1_1 AR6121
Table 1-86 Site design and ZTP configurations
Item Value
Site Hub1 Site1
RR OFF OFF
Connect Group1, Group2 Group1, Group2

to RR
Gatewa Dual Gateways Single Gateway

y
Site Hub Branch1

templat
e
Device Hub1_1 Hub1_2 Site1_1
Link MPLS1 Internet MPLS2 Internet2 MPLS Internet

name 1
VN underlay underla underl underlay_ underlay_ underlay_2

instance _1 y_2 ay_1 2 1
Overlay ON ON ON ON ON ON
tunnel
Interfac IPoE IPoE IPoE IPoE IPoE IPoE

e
protocol
IP Static Static Static Static Static Static

address
access
mode
IP 172.16.1. 10.100. 172.16. 10.100.2.1 172.16.3.1 10.100.3.1/3

address/ 1/30 1.1/30 2.1/30 /30 /30 0
Subnet
mask
Default 172.16.1. 10.100. 172.16. 10.100.2.2 172.16.3.2 10.100.3.2

gatewa 2 1.2 2.2
y

SD-WAN
Item Value
NAT OFF ON OFF ON OFF ON

traversa
l
Uplink 100 100 100 100 100 100

bandwi
dth
(Mbps)
Downlin 100 100 100 100 100 100

k
bandwi
dth
(Mbps)
based
deploy
ment
Table 1-87 NTP information of edge sites

Item Value
Table 1-88 Basic information about sites on the overlay network

Item Value
VN VPN1
IPSec Encryption ON
Site Name Hub1, Site1
Table 1-89 Network configurations for accessing a non-SD-WAN VPN

Item Value
VN VPN1
Site Hub1, Site1

SD-WAN
Item Value
None-SDWAN GW_VPN1
VPN
Active GW Group1
Standby GW Group2
Bandwidth Gold Package

Package
Procedure
Step 1 Log in to the iMaster NCE-WAN as a MSP administrator.
Step 2 Set MSP network parameters.
2. Retain the system defaults MPLS and Internet for Routing Domain and
Transport Network, respectively

SD-WAN

Enter a URL encryption key, and set URL opening validity period.
8. Click OK.
Step 3 On the MSP portal, add devices based on device ESNs in batches.
displayed.

OK.
Step 4 Configure device capabilities.

1. Choose Design > Devices Management > Device Capability. The Device
Capability page is displayed.
Click Create and add new models as RRs and gateways.

SD-WAN
Step 5 Create RR sites.

1. Choose Design > RR.
2. On the RR page that is displayed, click Create.

SD-WAN
3. Enter RR information.
4. In the Add Device area, select the added devices.
5. Click OK.
Step 6 Create gateway sites.

1. Choose Design > Gateway.
2. On the Gateway page that is displayed, click Create.
3. Enter gateway information
4. In the Add Device area, select the added devices.
5. Click OK.

SD-WAN
Step 7 Configure ZTP for RRs.

1. Configure WAN links for RRs.
b. In the list on the left, select a site. On the WAN Link page that is
c. In the Set WAN Link dialog box that is displayed, set WAN link
parameters.
d. After all WAN links of the site are configured, click OK.
– Configure WAN links for RR1

SD-WAN

SD-WAN
– Configure WAN links for RR2

SD-WAN

SD-WAN
2. Configure NTP for RRs.

SD-WAN
a. Click NTP.
– NTP configuration for RR1
– NTP configuration for RR2
Step 8 Configure ZTP for gateways.

1. Configure WAN links for gateways.
b. In the list on the left, click a site. On the WAN Link page that is
c. In the Set WAN Link dialog box that is displayed, set WAN link
parameters.
d. After all WAN links of the site are configured, click OK.
– Configure WAN links for GW1

SD-WAN

SD-WAN
– Configure WAN links for GW2

SD-WAN

SD-WAN
2. Configure NTP for gateways.

SD-WAN
a. Click NTP and the NTP page is displayed, select a time zone.
c. Click OK.
Step 9 Connect the gateways to the RRs.

Step 10 Configure underlay network routes for the RRs and gateways.
1. Choose Provision > WAN Configuration.
2. In the list on the left, select the RR or gateway to be configured, and click
WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing
Protocol and set Protocol to IPv4 Static.
4. On the IPv4 Static tab page, click Create and configure static routes.
● Configure BGP routes for RR1

SD-WAN
● Configure BGP routes for RR2
● Configure BGP routes for GW1
● Configure BGP routes for GW2
Step 11 Configure Layer 3 interfaces in of the gateways in the Option B interconnection

solution.
1. Choose Provision > Interworking Configuration.
2. In the list on the left, select a gateway to be configured and click L3
Interface.
3. On the L3 Interface page that is displayed, click Create and configure a Layer
3 interface for the gateway to interconnect with PEs.
● Configure a Layer 3 interface for GW1.

SD-WAN
● Configure a Layer 3 interface for GW2.

SD-WAN
Step 12 Configure routes for gateways in the Option B solution.

1. Choose Provision > WAN Configuration.
2. In the list on the left, select a gateway to be configured and click Route.
3. On the Route page that is displayed, click Create and configure static routes
for the gateway to interconnect with PEs.
● Configure routes for GW1.

SD-WAN
● Configure routes for GW2.

SD-WAN
Step 13 Configure BGP for gateways in the Option B interconnection solution.

SD-WAN
1. Choose Provision > Interworking Configuration.

2. In the list on the left, select a gateway to be configured and click BGP
VPNV4.
3. On the BGP VPNv4 page that is displayed, click Create and configure static
routes for the gateway to interconnect with PEs.
● Configure BGP for GW1.
● Configure BGP for GW2.

SD-WAN
Step 14 Configure RR and gateway groups.

1. Choose Provision > Group Management.
2. On the Group Management page that is displayed, click Create to create a
group. Set the group name, and add an RR and a gateway to the group.
● Configure Group1.

SD-WAN
● Configure Group2.

SD-WAN
Step 15 Create tenants.

2. On the Tenant List page, click Create and enter tenant and administrator
information. To authorize an MSP administrator to configure sites for the
tenant, enable Authorize MSP. In this case, the configured tenant password is

SD-WAN
the initial password. When the tenant account and password are used for
login for the first time, the password must be changed.

SD-WAN
Step 16 Configure services provided by the RRs for tenants.

1. Choose Provision > RR Service.
2. Select the tenant to be configured from the list on the left. On the RR Service
page that is displayed, switch on Enable, set Share mode to Share, and click
OK.
Step 17 Configure services provided by the gateways for tenants.

1. Choose Provision > GW Service.
2. Select the tenant to be configured from the list on the left, switch on Enable,
configure gateway services, and click OK.
Step 18 Use the MSP account to log in to the tenant portal and complete tenant
configuration.
2. Click the tenant name. The tenant management page is displayed.
Step 19 Set tenant network parameters.

3. Retain the default setting for the routing domain of the MSP.
5. ISet IPSec encryption parameters.

SD-WAN

Enter a URL encryption key, and set URL opening validity period.
8. Click OK.
Use the same AS number and community attribute pool as those of the MSP.

SD-WAN
13. Click OK.

displayed.

OK.

SD-WAN
Step 22 Create sites.

5. Click OK.
● Create Hub1.
● Create Site1.

1. Configure WAN links for sites.

SD-WAN


e. Click OK.

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN

SD-WAN
2. Configure NTP for sites.

a. Click NTP.
Step 24 Configure the connection to the RR.

access area you want to connect and click Detect.
3. When Detect State is Success, click OK.
Step 25 Create a VN.

1. Choose Provision > Overlay Network.
2. On the Virtual Network page, click Create.
3. Enter the VN name and select the site to be added to the VN.
4. Click OK.

SD-WAN
Step 26 Connect sites to the MSP's IWGs.

1. Choose Provision > Connect to IWG.
2. On the Access Network page that is displayed, select a VN.
3. Click Bundling with None-SDWAN VPN and select the VPN to be accessed.

SD-WAN
4. On the GW Selection page, click Add and configure the active and standby
gateways to be accessed by sites.

SD-WAN
----End
1.4 Configuring WAN-side Routes for Sites (Underlay

Network)
1.4.1 Configuring BGP and Static Routes

Related Products
AR: V300R019C10SPC300
Figure 1-10 shows the SD-WAN networking of Enterprise A. During the setup of
an SD-WAN network, the tenant administrator needs to configure connectivity
between the CPEs and the WAN-side network.

SD-WAN
Solution Design
Based on customer requirements and the networking plan, the tenant
administrator has created the edge-RR site and edge sites. To configure routes for
the underlay network, perform the following tasks:
1. BGP is supported in the MPLS network on the WAN side, allowing BGP routes
to be configured on the underlay network for connecting the CPEs and the
MPLS network. To improve the security of the BGP routing protocol, MD5
authentication is enabled. Since BGP is not supported in the Internet, static
routes need to be configured to connect the CPEs to the Internet.
2. The information about BGP peers needs to be configured on the CPE of each
site to enable interconnection between the site and the MPLS network. No
routing policy needs to be configured because currently there is no need to
restrict the network segments in which BGP routes are advertised and
received. This means all BGP routes are advertised and received in every
network segment.
3. When configuring static routes for Internet access, you need to configure a
default route. The Internet link at Site2 obtains a dynamic IP address through
PPPoE. Therefore, an outbound interface is specified as the next hop of the
default route. To quickly detect network faults, you are advised to set an IP
address that is reachable through a public network route as a probe address.
The system then creates an NQA instance using this address as the
destination address for detecting link connectivity. In this example, the probe
address is 10.110.42.160.

SD-WAN
Data Plan
Table 1-90 BGP route information

Item Value
Advanced Default route ON OFF OFF

Settings redistribution
Device Hub1_1 Hub1_2 Site2_1 Site3_1
Peer IP 172.16.1.2 172.16.2.2 172.16. 172.16.

3.2 4.2
Peer AS 100 100 100 100
Local AS 101 102 104 105
Keepalive time (s) 60 60 60 60
Hold time (s) 180 180 180 180
MD5 encrypt admin123 admin123 admin admin1

123 23
WAN link MPLS1 MPLS2 MPLS MPLS
Routing Export OFF OFF OFF OFF

Policy
Import OFF OFF OFF OFF
Table 1-91 Static route information

Ite Value
m
Dev Hub1_1 Hub1_ Hub1 Hub1_2 Site2_ Site2_1 Site3_ Site3_2

ice 1 _2 1 2
Prio 60 60 60 60 60 60 60 60
rity
WA Interne Interne Intern Internet Intern Interne Intern Internet

N t t et et t et
link

SD-WAN
Ite Value
m
Des 0.0.0.0/ 10.110. 0.0.0. 10.110. 0.0.0.0 10.110. 0.0.0.0 10.110.4

tina 0 42.160/ 0/0 42.160/ /0 42.160 /0 2.160/3
tion 32 32 /32 2
add
ress
/
ma
sk
Nex IP IP IP IP Outbo Outbo IP IP

t- address address addre address und und addre address
hop ss interfa interfa ss
typ ce ce
e
IP 10.100. 10.100. 10.10 10.100. - - 10.10 10.100.4

add 1.2 1.2 0.2.2 2.2 0.4.2 .2
ress
Trac ON OFF ON OFF ON OFF ON OFF

k
Tar 10.110. - 10.11 - 10.110 - 10.11 -

get 42.160 0.42.1 . 0.42.1
60 42.160 60
Procedure
Step 2 Finish creating sites.
Step 3 Configure routes for the underlay network of the edge-RR site.
1. Choose Provision > Site Configuration.
2. Select Hub1 from the left list and click WAN Route.
Protocol and select BGP.
4. On the BGP page, click Advanced Settings and enable Default route
redistribution.

SD-WAN
5. On the BGP page, click Create and set BGP route parameters, click Apply.
6. On the WAN Route page that is displayed, click and select IPv4 Static.
Click Create and set static route parameters. On the main page, click Apply.
– IPv4 static routes for Hub1_1

SD-WAN

SD-WAN
Step 4 Configure routes for the underlay networks of the edge sites.

SD-WAN
1. Perform the same operations as those for the edge-RR site to complete BGP
route parameter configuration for Site2 and click Apply.
2. Configure static routes for Site2, and click Apply.

SD-WAN
3. Configure BGP routes for Site3, and click Apply.

SD-WAN
----End

SD-WAN
1.5 Configuring Multi-VPN Isolation
1.5.1 Configuring Multiple VPNs

Related Products
AR: V300R019C10SPC300
Figure 1-11 shows the SD-WAN networking of an enterprise. On the SD-WAN
network built by the tenant, services of the enterprise's R&D, marketing, and
finance departments need to be isolated from each other.
Solution Design
administrator has created the edge-RR sites and edge sites, and has completed the
underlay network configurations. To implement service isolation between the two
departments on the overlay, perform the following tasks:
1. Configure VNs for the two departments. Configure RD for R&D department,
MKT for the marketing department, and FI for the finance department.

SD-WAN
2. Configure the topology and services in the two VNs separately.
Data Plan
Table 1-92 VPN information
Item Value
Name RD MKT FI
IPSec Encryption ON ON ON
Sites Hub1, Site2, Site3 Hub1, Site2, Hub1, Site2, Site3

Site3
Topol Topolog Full-mesh Full-mesh Hub-spoke

ogy y mode
Redirect Hub1 Hub1 -

sites
Hub - - Hub1
sites
Procedure
Step 2 Create sites and configure WAN-side routes on the underlay network.
Step 3 Configure multiple VNs and add sites to VNs.

1. Choose Design > Overlay Network.
2. On the Virtual Network page that is displayed, click Create.
3. Enter the VN name and select the site to be added to the VN and click .
4. Click Apply.

SD-WAN
Step 4 Configure the overlay network topology.

1. Choose Provision > Overlay Network.
2. On the Topology page, select the VN to be configured.
3. On the Predefine Topology page, set Mode and Topology mode, and select
the site to be added to the topology.
4. Click Apply.

SD-WAN
Step 5 Configure overlay networks, traffic policies, and security policies in the RD, MKT,
and FI VNs.
----End
1.6 Configuring LAN-side Interfaces for Sites (Overlay

Network)
1.6.1 Configuring Interconnection Between VLANs and LAN-

side Networks
Related Products
AR: V300R019C10SPC300
Figure 1-12 shows the SD-WAN networking of an enterprise. The requirements for
the two sites on the SD-WAN network to be established by a tenant administrator
are as follows:
● Users at Site2 use the CPE gateway as the DHCP relay agent to obtain IP
addresses from the DHCP server.
● The dual gateways at the branch site Site3, that is, Site3_1 and Site 3_2, are
connected to the Layer 2 network of VLAN 10, and different users are located
in the same network segment. Hosts are dual-homed to Site3_1 and Site3_2
through Layer 2 switches. The user requirements are as follows:
– Hosts at Site3 use Site3_1 as the master gateway to connect to the MPLS
network. If Site3_1 fails, Site3_2 assumes the role of the master,
implementing gateway backup.
– Site3_1 becomes the master gateway again after it recovers.

SD-WAN
Figure 1-12 Enterprise networking diagram
Solution Design
administrator has created sites, and has completed the underlay network
configurations. To implement interconnection between VLANs and LAN-side
overlay networks, as well as deploy the VRRP master and backup gateways,
perform the following tasks:
1. Add LAN-side interfaces to VLANs and configure the interfaces to permit
packets of the VLANs that users belong to. Configure IP addresses for VLANIF
interfaces for Layer 3 connectivity.
– Site2 uses VLAN 10 to manage LAN-side users and VLAN 102 to connect
to the DHCP server.
– Site3 uses VLAN 10 to manage LAN-side users.
2. When adding LAN-side interfaces of Site2_1 to a VLAN, enable the DHCP
relay function. Users in the VLAN can use Site2_1 as the DHCP relay agent to
apply for IP addresses from the DHCP server.
3. Configure the VRRP master and backup gateways. Create a VRRP group and
configure a virtual IP address for this VRRP group.
Site3_1 functions as the master gateway to forward traffic and has the
preemption delay configured to 20s. Site3_2 functions as the backup gateway
to ensure gateway redundancy, and has the preemption delay configured to 0,
indicating immediate preemption.

SD-WAN
Data Plan
Table 1-93 VLAN information

Item Value
Site Site2 Site3
Device Site2_1 Site3_1 Site3_2
VLAN ID 10 102 10 10
Physical GE0/0/5 GE0/0/6 GE0/0/5 GE0/0/5

interfaces
Mode Untag Tag Untag Untag
IP address 10.3.1.254/24 10.102.1.1/ 10.5.1.252/ 10.5.1.253/24

24 24
Trust mode Trust Trust Trust Trust
DHCP type DHCP Relay - - -
DHCP Server 10.102.1.50 - - -

IP
VRRP - - ON ON
VRRP ID - - 10 10
Virtual IP - - 10.5.1.254 10.5.1.254
Default role - - Master Backup
Preempt - - 20 0
delay (s)
Procedure
Step 3 Configure a VLAN for Site2.
template list on the left, click Site2, and click the VLAN tab in the right pane.
3. Click Create and enter VLAN information. On the main page, click Apply.
– VLAN configurations for Site2_1

SD-WAN

SD-WAN
Step 4 Configure a VLAN for Site3.

2. On the Overlay Service page, select a VN. Select Site3_1 from the list on the
left and click the VLAN tab in the right pane.
3. Click Create to configure VLAN parameters.
4. On the Create VLAN page, click Advanced Settings to configure the VRRP
master and backup gateways.
5. After configuring the VLAN and VRRP, click Apply.
– VLAN configuration for Site3_1

SD-WAN

SD-WAN
----End
1.7 Configuring LAN-side Routes for Sites (Overlay

Network)
1.7.1 Configuring LAN-side OSPF Routes
Related Products

SD-WAN

AR: V300R019C10SPC300
Figure 1-13 shows the SD-WAN networking of an enterprise. On the SD-WAN
network constructed by the tenant administrator, two gateways at the Hub1 site
are connected to hosts through the same Layer 3 switch. The gateways and Layer
3 switch are in the same VLAN and therefore belong to the same network
segment. The enterprise requires that the gateways at the Hub1 site communicate
with the Layer 3 switch.
Solution Design
administrator has created the sites, and configured LAN-side interfaces on the
underlay network. To configure LAN-side interfaces on the overlay network and
OSPF routes on the LAN side for interconnection between LAN-side networks,
perform the following tasks:
1. Add the LAN-side interface of Hub1 to a VLAN and configure an IP address
for the VLANIF interface to implement Layer 3 communication.
2. Configure two gateways to run the same OSPF process.
3. Enable OSPF on LAN-side interfaces.

SD-WAN
Data Plan
Table 1-94 LAN-side interfaces information

Item Value
Site Hub1
VLAN ID 10 10
Physical interfaces GE8/0/2 GE8/0/2
Mode Untag Untag
IP address 10.1.1.1/24 10.1.1.2/24
Trust mode Trust Trust

Item Value
Process ID 1001 1001
Common Default route ON ON

Parameter advertisement
Default route cost 1 1
Internal 10 10
preference
ASE preference 150 150
Interface Area ID 0 0
Parameter
Interface Name Vlanif10 Vlanif10
Authentication None None

Mode
Hello Timer 10 10
DR Priority 0 0
Route Protocol - -
Redistribute
Process ID - -
Cost - -
Router Filter Export filter OFF OFF

SD-WAN
Item Value
Import filter OFF OFF
Procedure
Step 3 Configure LAN-side interfaces on the overlay network of sites.
template list on the left, click Site2, and click the VLAN tab in the right pane.
3. Click Create and enter VLAN information. On the main page, click Apply.
– VLAN configurations for Hub1_1
– VLAN configurations for Hub1_2

SD-WAN
Step 4 Configure OSPF routes on the LAN side of Hub1.

template list on the left, click Hub1, and click the LAN Route tab in the right
pane.
3. Click Click Here to Add Routing Protocol, and select OSPF.
4. On the OSPF page, click Create to configure OSPF routes and click Apply on
the main page.
● OSPF configurations for Hub1_1

SD-WAN

SD-WAN
----End
1.8 Configuring Intelligent Traffic Steering
1.8.1 Configuring a Link Quality-based Traffic Steering Policy

Related Products
AR: V300R019C10SPC300
Figure 1-14 shows the SD-WAN networking of Enterprise A. After the tenant
administrator has completed the SD-WAN network deployment, the customer
requires that key services, including voice, video and telephone services, are

SD-WAN
preferentially transmitted through MPLS links. To utilize multiple uplinks of a site,

as well as improve link reliability and bandwidth efficiency, active and standby
links are configured.
Solution Design
1. Intelligent traffic steering needs to be enabled at the hub and branch sites to
meet customer requirements.
2. VoIP services can be identified based on application groups. For VoIP services,
the active link group consists of MPLS links and the standby link group
consists of Internet links. Internet links are preferentially used to transmit
other services.
Data Plan
Table 1-96 Application group

Item Value
Name test_app_group_VoIP
SA signature database SA_H30071000 (6000+)
SA Predefined Applications VoIP
Custom Applications -

SD-WAN

Item Value
Traffic classifier name test_traffic_VoI test_traffic_service

P
Operator And And
L3 ACL - Priority: 1
Application groups test_app_grou -

p_VoIP
Item Value
Policy name test_traffic_poli test_traffic_policy_service

cy_VoIP
Traffic Classifier Template test_traffic_VoI test_traffic_service

P
Policy Priority 10 20
Switchover Delay (ms) 150 300

Condition
Jitter (ms) 30 40
Packet loss 10 50
rate (‰)
Transport Primary ● Transport ● Transport Network:

Network Transport Network: Internet; Priority: 1
Priority Network MPLS; ● Transport Network: MPLS;
Priority: 1 Priority: 2
● Transport
Network:
Internet;
Priority: 2
Secondary - -
Transport
Network
Site Hub1, Site2, Hub1, Site2, and Site3

and Site3
Procedure

SD-WAN
Step 3 Enable SAC.

1. Choose Policy > Application Management.
2. Click SAC Configuration. The SAC Configuration page is displayed.
3. Click in the Operation column next to Application identification. On the

Application Identification Configuration page that is displayed, enable
Configuration.
4. Click in the Operation column next to FPI. On the FPI Configuration

page that is displayed, enable Configuration.

SD-WAN
Step 4 Configure an application group.

2. Click Application Group. On the Application Group page that is displayed,
click Create.
3. Enter the application group information and select the predefined application
VoIP.

template.

SD-WAN

SD-WAN

----End
1.8.2 Configuring a Load Balancing-based Traffic Steering

Policy
Related Products

SD-WAN
AR: V300R019C10SPC300
Figure 1-15 shows the SD-WAN networking of enterprise A. The tenant
administrator has deployed the SD-WAN network. Branch sites often need to
access the headquarters DC through HTTP. Enterprise A wants HTTP service traffic
to be load balanced among multiple WAN links to fully utilize bandwidth.
Solution Design
1. Configure intelligent traffic steering at each site to meet customer
requirements.
2. Identify HTTP services through an application group, configure the same
priority for the Internet and MPLS network, and enable load balancing for
inter-site traffic. In this example, set Priority to 1 for both the MPLS and
Internet links in Primary Transport Network, and set Inter-TN Policy to
Load balance. In this way, HTTP traffic is load balanced between the MPLS
and Internet links.
Data Plan
Item Value
Name test_app_group_HTTP

SD-WAN
Item Value
SA Predefined Applications HTTP, HTTP2, HTTPS, HTTP_download

Item Value
Traffic classifier test_traffic_HTTP

name
Operator And
L3 ACL -
Application groups test_app_group_HTTP
Item Value
Policy name test_traffic_policy_HTTP
Traffic Classifier test_traffic_HTTP

Template
Policy Priority 10
Switcho Delay (ms) 150

ver
Conditi Jitter (ms) 30
on Packet loss 50
rate (‰)
Transpo Primary ● Transport Network: MPLS; Priority: 1

rt Transport ● Transport Network: Internet; Priority: 2
Networ Network
k
Priority Secondary -
Transport
Network
Advanc Inter-TN Load balance

ed Policy
settings
Action when ECMP
conditions not
met

SD-WAN
Item Value
Switchover Non Pre-emptive

mode
Site Hub1, Site2, and Site3
Procedure
Step 3 Enable SAC.

Configuration.


SD-WAN

click Create.
3. Enter the application group information and select the predefined HTTP
application.

SD-WAN

template.

SD-WAN

SD-WAN

----End

SD-WAN
1.8.3 Configuring a Traffic Steering Policy for Congestion

Avoidance
Related Products
AR: V300R019C10SPC300
Figure 1-16 shows the SD-WAN networking of enterprise A. The tenant
administrator has deployed the SD-WAN network, and the customer requires that
key services, including voice and video conferencing, should be preferentially
transmitted through the MPLS link. To fully utilize the MPLS link bandwidth, the
MPLS link can transmit FTP service traffic when the bandwidth utilization of the
MPLS link is low. When congestion occurs on the MPLS link, FTP services are
scheduled to the Internet link, which does not affect the forwarding of voice and
video conferencing services on the MPLS link.
Solution Design
1. Configure intelligent traffic steering at each site to meet customer
requirements.
2. Identify VoIP and FTP services through an application group, and configure
the MPLS link to take precedence over the Internet link in the primary link

SD-WAN
group and the VoIP service to take precedence over the FTP service. When
congestion occurs on the MPLS link, FTP traffic is preferentially scheduled to
the Internet link with a lower priority because FTP applications have a low
priority.
3. Identify VoIP and FTP services through an application group and configure a
higher priority for the MPLS link than the Internet link. In this example, set
the priority to 1 for the MPLS link and to 2 for the Internet link in Primary
Transport Network. In this way, VoIP and FTP services are preferentially
transmitted over the MPLS link in normal cases.
4. Set a higher priority for the VoIP service than the FTP service in Advanced
settings of the VoIP and FTP traffic policies. When the MPLS link is congested,
FTP service traffic is preferentially scheduled to the Internet link with a lower
priority.
Data Plan
Item Value
Name test_app_group_VoIP test_app_group_FTP
SA signature database SA_H30071000 (6000+) SA_H30071000 (6000+)
SA Predefined VoIP FTP, FTPS, TFTP

Applications
Custom Applications - -
Item Value
Traffic classifier test_traffic_VoIP test_traffic_FTP

name
Operator And And
L3 ACL - -
Application groups test_app_group_VoIP test_app_group_F

TP
Item Value
Policy name test_traffic_poli test_traffic_policy_FTP

cy_VoIP

SD-WAN
Item Value
Traffic Classifier Template test_traffic_VoI test_traffic_FTP

P

Condition
Jitter (ms) 30 40
Packet loss 10 50
rate (‰)
Transport Primary ● Transport ● Transport Network: MPLS;

Network Transport Network: Priority: 1
Priority Network MPLS;
Priority: 1 ● Transport Network:
Internet; Priority: 2
● Transport
Network:
Internet;
Priority: 2
Secondary - -
Transport
Network
Advanced Inter-TN Policy Load balance Load balance

settings
Action when ECMP Discard
conditions not
met
Switchover Non Pre- Non Pre-emptive

mode emptive
Priority 1 5

and Site3
Procedure
Step 3 Enable SAC.

Configuration.

SD-WAN


click Create.
3. Enter the application group information and select the predefined
applications.
● VoIP application group

SD-WAN
● FTP application group

SD-WAN

template.
● Traffic classifier for VoIP

SD-WAN
● Traffic classifier for FTP
– Traffic steering policy for VoIP applications

SD-WAN
– Traffic steering policy for FTP applications


SD-WAN
----End
1.9 Configuring a Site-to-Internet Policy
1.9.1 Configuring Centralized Internet Access Through LAN-

Related Products
AR: V300R019C10SPC300
Figure 1-17 shows the SD-WAN networking of Enterprise A. On this network,
Hub1 and Hub2 sites connect to the Internet on the LAN side. The enterprise
requires that all edge sites access the Internet through Internet links on the LAN
side of Hub1 and Hub2.

SD-WAN
Solution Design
The tenant administrator has completed SD-WAN network configurations. There
are reachable routes between CPEs at Hub1 and Hub2 sites and the Internet on
the LAN side.
1. Access the Internet in centralized access mode.
2. In centralized access mode, traffic from other edge sites to the Internet is
forwarded to Hub1 and Hub2 sites through the overlay network. After CPEs at
Hub1 and Hub2 sites receive the traffic, the CPEs forward the traffic to the
Internet on the LAN side and forward the traffic from the Internet to edge
sites through the overlay network.
Data Plan
Table 1-105 Site-to-Internet policy information
Item Value
Centralize Area ALL

d Internet
access Active Hub1
Internet GW
Standby Hub2
Internet GW
Procedure

SD-WAN

Step 3 Configure Internet access policies for the overlay networks.
2. On the Overlay page, select a VN and click Site-to-Internet, and the Site-to-
Internet page is displayed.
3. Configure centralized Internet access.
a. Enable Centralized Internet access and click .
b. Set Area and Active Internet GW, click in the Operation column.
c. Click OK.
4. Click Apply.
----End
1.9.2 Configuring Centralized Internet Access Through WAN-

Related Products
AR: V300R019C10SPC300
Figure 1-18 shows the SD-WAN networking of Enterprise A. On this network, all
sites are connected to the Internet through Internet links. The legacy site is
directly connected to the MPLS network through an MPLS link and can only access
the Internet through Hub1 site. The enterprise requires that all sites can access the
Internet.

SD-WAN
Solution Design
The tenant administrator has completed SD-WAN network configurations.
1. Hub1 site functions as the gateway for centralized Internet access. All edge
sites and the legacy site can access the Internet through the WAN-side
Internet link of Hub1 site.
2. Site2 and Site3 have local and therefore preferentially access the Internet
locally.
3. Local Internet access also needs to be enabled at Hub1 site.
Data Plan

Item Value
Centralized Area ALL

Internet Active Hub1
access Internet
GW
Local Site Hub1 Site2 Site3

Internet
access Link Internet1: Internet: 1 Internet: 1
Priority 1
Internet2:
2
Policy All

SD-WAN
Procedure

b. Set Area and Active Internet G
4. Configure local Internet access.

a. Enable Local Internet access.
b. Click Create. Select the sites to access the Internet in local mode.
c. Click in the Operation column. Enable NAT and activate the egress
link. Configure a different link priority for each link. On the main page,
click Apply.

SD-WAN
----End
1.9.3 Configuring Hybrid Internet Access Through Local

Internet Links and LAN-side Links of Hubs
Related Products
AR: V300R019C10SPC300
Hub1 and Hub2 sites access the Internet on the LAN side. Site2 is only connected
to the MPLS network through two MPLS links. Site3 and Site4 are connected to
the Internet through Internet links. The enterprise requires that all sites can access
the Internet.

SD-WAN
Solution Design
The tenant administrator has completed SD-WAN network configurations. There
are reachable routes between CPEs at Hub1 and Hub2 sites and the Internet on
the LAN side.
1. Site2 uses the centralized Internet access mode, and thereby Site2 can access
the Internet through the Internet links of Hub1 and Hub2 sites.
2. Site3 and Site4 preferentially use local Internet links to access the Internet.
3. Intranet users at Hub1 and Hub2 sites access the Internet through the LAN-
side Internet link, and services are not forwarded to CPEs at hub sites.
Data Plan
Item Value
Centraliz Area ALL

ed
Internet Active Hub1 and Hub2
access Internet GW
Local Site Site3 Site4

Internet
access Link Priority Internet1: Internet1: 1
1 Internet2: 2
Policy All

SD-WAN
Procedure
Step 3 Configure a site-to-Internet policy for the overlay network.
b. Set Area, Active Internet GW, and Standby Internet GW, click in
the Operation column.
c. Click OK.
4. Configure local Internet access.

a. Enable Local Internet access.
b. Click Create and select a site.
c. Click in the Operation column to activate the egress link. Enable NAT
for Internet links and configure a different link priority for each link. Click
Apply to complete configurations on the main page.

SD-WAN
----End
1.10 Configuring a Site-to-Legacy Site Policy
1.10.1 Configuring Communication Between SD-WAN Sites

and Legacy Sites in Centralized Access Mode
Related Products
AR: V300R019C10SPC300
Site1 is a legacy site outside an SD-WAN network. The enterprise requires that all
SD-WAN sites communicate with Site1.

SD-WAN
Solution Design
The tenant administrator has completed SD-WAN network configurations. Hub1,
Site2, and Site3 site are each connected to the MPLS network through MPLS links,
and Site1 is also connected to the MPLS network. The local access mode can be
configured to enable all sites to communicate with Site1 through local MPLS links.
Data Plan
Table 1-108 Site-to-legacy site policy information

Item Value
Link Priority MPLS MPLS: 1 MPLS: 1

1: 1
MPLS
2: 2
Procedure
Step 3 Configure a site-to-legacy site policy at hub sites on the overlay network to enable
communication between SD-WAN sites and the legacy site.

SD-WAN
2. On the Overlay page, select a VN and click Site-to-Legacy Site. On the Site-
to-Legacy Site tab page, click Local access to configure the access mode.
3. Click Create, select sites.
4. Click IGW to enable the gateway function for communication between SD-
WAN sites and legacy sites.
5. Click in the Operation column to activate the egress link. Configure the
link priority and click Apply on the main page.

SD-WAN
----End
1.10.2 Configuring Communication Between SD-WAN Sites

and the Legacy Site in Hybrid Access Mode
Related Products
AR: V300R019C10SPC300
Site1 is a legacy site outside an SD-WAN network. The enterprise requires that all
SD-WAN sites communicate with Site1.

SD-WAN
Solution Design
The tenant administrator has completed SD-WAN network configurations. Hub1
and Hub2 site are each connected to the MPLS network through an MPLS link.
Site1 is also connected to the MPLS network. Site2 and Site3 are connected to the
MPLS network, whereas Site4 is connected only to the Internet. Therefore, Site2
and Site3 communicate with Site1 through local MPLS links in local access mode,
while Site4 communicates with Site1 through Hub1 and Hub2 sites in centralized
access mode.
Data Plan
Item Value
Centraliz Hub1 Hub2

ed
access
Link MPLS1: 1 MPLS1: 1

Priority MPLS2: 2 MPLS2: 2
IGW ON ON
Role Active Standby
Local Site2 Site3

access
Link MPLS1: 1 MPLS1: 1

Priority MPLS2: 2

SD-WAN
Procedure
Step 3 Configure a site-to-legacy site policy at hub sites on the overlay network to enable
communication between SD-WAN sites and the legacy site.
2. On the Overlay page, select a VN and click Site-to-Legacy Site.
3. Configure centralized access mode.
a. On the Site-to-Legacy Site tab page, enable Centralized access.
b. Click Create, select hub sites.
c. Click IGW to enable the gateway function for communication between

SD-WAN sites and legacy sites.
d. Click in the Operation column to activate the egress link and

configure the link priority.

SD-WAN
4. Configure local access mode.

a. On the Site-to-Legacy Site tab page, enable Local access.
b. Click Create and select a site.
c. Click in the Operation column to activate the egress link. Configure

the link priority and click Apply on the main page.

SD-WAN
----End
1.11 Configuring a QoS Policy
1.11.1 Configuring Preferential Transmission of HTTP Services

from Branch Sites to Hub Sites
Related Products
AR: V300R019C10SPC300
Figure 1-22 shows the SD-WAN networking of Enterprise A. The enterprise
requires that HTTP services transmitted between Site4 and Hub1 and Hub2 sites
(using TCP port 8080) be preferentially transmitted.

SD-WAN
Solution Design
QoS queue priorities are configured at Site4, Hub1 and Hub2sites, and high-
priority queues are configured to ensure that HTTP services are preferentially
forwarded.
Data Plan

Item Value
Traffic classifier name test_traffic_http
Operator And
L3 ACL Priority 1
Source IP Address -
Destination IP -
Address
DSCP -
Protocol TCP
Source Port -
Destination Port 8080

SD-WAN
Table 1-111 QoS policy information

Item Value
Policy name test_traffic_QoS
Traffic Classifier test_traffic_http

Template
Policy Priority 1
Queue Priority Highest

Priority Level
Guaranteed Value: 3 Mbit/s

bandwidth
Site Site4, Hub1, Hub2
Procedure
template.
Step 4 Configure a QoS policy for the overlay network.

2. Click QoS. On the QoS tab page, click Create and configure QoS policy.

SD-WAN
3. Bind the sites to the policy.
a. On the QoS tab page, click in the Operation column of the policy. In
the Attach Sites dialog box that is displayed, select a site to be bound to
the policy and then click OK.

SD-WAN
b. Select the policy to be submitted, click Commit, and select Commit

Selected.
c. In the Commit dialog box that is displayed, set Effective time to
----End
1.12 Configuring an ACL Policy (Overlay Network)
1.12.1 Forbidding Access to YouTube During Working Hours

Related Products
AR: V300R019C10SPC300
Figure 1-23 shows the SD-WAN networking of an enterprise. Employees need to
be denied access to YouTube during working hours from 09:00 to 17:00.
Solution Design
Configure an ACL policy on the overlay network to meet the enterprise
requirements: Configure a traffic classifier template to identify the YouTube
service, configure the effective time template to specify the working time, and
associate the ACL policy with the site that forbids employees to access the
YouTube service.

SD-WAN
Data Plan

Item Value
Name App_Group_Youtube
Description -
SA Pre-defined YouTube_Downloader
Applications Youtube

Item Value
Traffic classifier name test_traffic_YouTube
Operator And
Application App_Group_Youtube
Table 1-114 Effective time template information

Item Value
Template name WorkingTime
Time type Weekly
Every Week Monday to Friday
Start time 09:00:00
End time 17:00:00
Table 1-115 ACL policy information

Item Value
Policy name test_traffic_ACL
Traffic classifier template test_traffic_YouTube
Policy priority 1
Interface LAN

SD-WAN
Item Value
Traffic filter Deny
Traffic direction Inbound
Effective time template WorkingTime
Select Site Hub1, Hub2, Site2, Site3, Site4
Procedure
Step 3 Enable SAC.

Configuration.


SD-WAN

click Create.
3. Enter information about the application group. In the SA area, click Add
Predefined Applications and select an application.
4. Click OK on the Application Group page.

template.

SD-WAN
Step 6 Configure an effective time template.

2. Click Validity Period Template, and click Create.
3. Configure the effective time.
Step 7 Configure an ACL policy on the overlay network.

2. On the Overlay page, select the VN to which the sites to be configured
belong.
3. Click ACL. In the dialog box that is displayed, click Create to configure an ACL
policy.

SD-WAN
4. On the ACL tab page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select a site to be bound to the
policy. Click and then click OK.
Step 8 Check the ACL policy configuration.

1. Choose Maintenance > Provisioning Result.
2. Click Generate Configuration to view the configuration result. The status is
Succeeded.

SD-WAN
3. Click Site Configuration Status. In the list on the left, select a site and check
the configuration provisioning result. The status is Succeeded.
----End
1.12.2 Denying Access of Non-site Network Segments to Port

445
Related Products
AR: V300R019C11SPC200
Figure 1-24 shows the SD-WAN networking diagram of an enterprise. To meet
service requirements, the enterprise needs to open port 445 for users at the
headquarters and branches to access shared services. To ensure service security,
the enterprise needs to prevent users from accessing port 445 of external services.
Solution Design
Configure ACL policies on the overlay network to meet customer requirements:

SD-WAN
1. Apply ACL policies to the inbound direction of the LAN side of each site to
control users' access to port 445, ensuring service security.
2. Configure a rule based on 5-tuple information to identify service flows, and
configure the traffic_445_permit policy to permit service flows with source IP
addresses at each site, destination IP addresses at other sites, and destination
port number 445.
3. Configure the traffic_445_deny policy to prevent access of site users to
invalid port 445.
4. Set the priority of the traffic_445_deny policy to be lower than that of the
traffic_445_permit policy so that site users can access port 445 of other site
users and cannot access port 445 of external services.
Data Plan
Item Value
Traffic classifier name traffic_445_per traffic_445_deny

mit
Operator And And
L3 ACL Priority 1 5
Source IP 192.168.0.0/16 192.168.0.0/16

Address/
Subnet
Mask
Destination 192.168.0.0/16 -
IP Address/
Subnet
Mask
Protocol TCP TCP
Destination 445 445

Port
Table 1-117 ACL policy information
Item Value
Policy name traffic_445_p traffic_445_deny

ermit
Traffic classifier traffic_445_p traffic_445_deny

template ermit
Policy priority 10 20

SD-WAN
Item Value
Interface LAN LAN
Traffic filter Permit Deny
Traffic direction Inbound Inbound
Select Site Hub1, Site2, Hub1, Site2, Site3

Site3
Procedure

template.

SD-WAN
Step 4 Configure an ACL policy on the overlay network.

2. On the Overlay page, select the VN to which the sites to be configured
belong.
3. Click ACL. In the dialog box that is displayed, click Create to configure an ACL
policy.
4. Click OK.

SD-WAN
5. On the ACL tab page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select a site to be bound to the
policy. Click and then click OK.

SD-WAN
Step 5 Check the ACL policy configuration.

1. Choose Maintenance > Provisioning Result.
2. Click Generate Configuration to view the configuration result. The status is
Succeeded.
1. Click Site Configuration Status. In the list on the left, select a site and check
the configuration provisioning result. The status is Succeeded.
----End
1.13 Configuring a Security Policy
1.13.1 Configuring a URL Filtering Security Policy for a Site
Related Products
AR: V300R019C10SPC300
Figure 1-25 shows the SD-WAN networking of Enterprise A. To ensure security of
network services at sites, intranet users must be restricted from accessing social
media and video sharing websites. Access to sina.com needs to be denied.

SD-WAN
Solution Design
Configure a URL filtering security policy at sites. Use the blacklist function to deny
access to sina.com.
Data Plan
Table 1-118 Security policy information

Item Value
Policy name test_security_policy1
Enable Policy Type Black List

URL
filter Black List *sina.com*
Site Hub1, Hub2, Site2, Site3, Site4
Procedure
Step 3 Configure a security policy.
1. Choose Policy > Security Policy > URL.
2. Select the VN to which the sites to be configured belong.
3. Click Create and set related parameters.

SD-WAN
Step 4 Bind the sites to the policy.
1. On the Security Policy page, click in the Operation column of the policy.
In the Attach Sites dialog box that is displayed, select a site to be bound to
the policy. Click and then click OK.
----End
1.14 Configuration Examples
1.14.1 Example for Building an SD-WAN Network for an

Enterprise Tenant
Related Products
AR: V300R019C10SPC300
Enterprise A has a headquarters network and multiple branch networks. A Layer 3
MPLS network is used on the WAN side. Aiming to rebuild its own networks, the

SD-WAN
enterprise submits a network construction application to a service provider (SP) to

use both a Layer 3 MPLS network and the Internet on the WAN side. To reduce
network costs, the enterprise requires that services be primarily transmitted over
the Internet. If a fault occurs on the Internet, service traffic can automatically
move to the MPLS network. Figure 1-26 shows the enterprise networking.
Solution Design
Based on the enterprise's networking and requirements, the SP recommends that
the enterprise replaces the existing traditional enterprise network with an SD-
WAN network. Network engineers of enterprise A are not able to deploy an SD-
WAN network; therefore, the SP is authorized as a managed service provider
(MSP) to complete network deployment for enterprise A. Figure 1-27 shows the
networking diagram.
In this MSP-managed O&M scenario, the configurations include:
1. The MSP creates a tenant for enterprise A and is authorized as an MSP to

maintain the network of enterprise A. The RR uses the co-deployment mode,
and the CPE at the headquarters site also functions as an RR.
2. The MSP administrator creates an edge-RR site (Hub1) and two edge sites
(Site2 and Site3) and completes the network configuration on the iMaster
NCE-WAN. Site1 does not need to be created on and managed by the iMaster
NCE-WAN because it uses the traditional network mode and does not need to
be upgraded to an SD-WAN network.
3. The MSP administrator sets the IP address of the NTP server to 10.10.1.1,
configures the edge-RR site to synchronize its clock with the NTP server, and
configures the edge sites to automatically synchronize their clocks with the
edge-RR site.
4. BGP is supported in the MPLS network on the WAN side, allowing BGP routes
to be configured on the underlay network for connecting the CPEs and the
MPLS network. To improve the security of the BGP routing protocol, MD5
authentication is enabled. Since BGP is not supported in the Internet, static
routes need to be configured to connect the CPEs to the Internet.
5. The CPEs of Hub1 communicate with the LAN-side Layer 3 switch through
VLANs, and OSPF is deployed on the LAN-side network of Hub1. The CPEs of
the edge sites communicate with the LAN-side Layer 2 network devices
through VLANs.

SD-WAN
– Users at Site2 use the CPE gateway as the DHCP relay agent to obtain IP
addresses from the DHCP server.
– The dual gateways at the branch site Site3, that is, Site3_1 and Site 3_2,
are connected to the Layer 2 network of VLAN 10, and different users are
located in the same network segment. Hosts are dual-homed to Site3_1
and Site3_2 through Layer 2 switches. The user requirements are as
follows:
▪ Hosts at Site3 use Site3_1 as the master gateway to connect to the

MPLS network. If Site3_1 fails, Site3_2 assumes the role of the
master, implementing gateway backup.
▪ Site3_1 becomes the master gateway again after it recovers.

6. The customer requires VoIP services to be preferentially forwarded over the
MPLS network and other services over the Internet, so the MSP administrator
enables centralized Internet access of the SD-WAN network through Hub1.
Communication between the SD-WAN sites and legacy sites is implemented
in centralized access mode.
7. The MSP administrator enables URL filtering in a security policy, uses the
blacklist function to deny access to sina.com.
8. The email-based deployment mode is used for site deployment. After
receiving a deployment email, the deployment engineer goes to the edge-RR
and edge sites to install and deploy the CPEs.
9. After the CPEs are deployed, they automatically obtain configurations from
the iMaster NCE-WAN.
Figure 1-27 SD-WAN networking

SD-WAN
Data Plan
Table 1-119 MSP administrator information
Item Value
User name [email protected]
Password PassA@1234
Item Value
Tenant Name TenantA
Authorize MSP ON
Password PassA@1234
Table 1-121 Email server parameters
Item Value
SMTP address smtp.mail.com
Port 25
Account testmail
Password testmail
Email [email protected]
Item Value

Network
Encryption AES256
algorithm
Life time 1440

SD-WAN
Item Value

key
Token validity 7
period (day)
User Admin
AS number 65001
Community pool 100
IP pool 10.200.0.0/16

Item Value
Template Hub Branch1 Branch2

name
Description - - -
Gateway Dual Gateways Single Single Gateway

Gateway
W Name MPL Interne MPL Internet MPL Inter MPL Internet

A S1 t1 S2 2 S net S
N
Lin Device Device1 Device2 Devi Devic Devic Device2
k ce1 e1 e1
Interfa GE3/ GE3/0/ GE3 GE3/0/1 GE0 GE0/ GE0/ GE0/0/3

ce 0/0 1 /0/0 /0/3 0/4 0/3
y
tunnel
Transp MPL Interne MPL Internet MPL Inter MPL Internet

ort S t S S net S
Netwo
rk
Role Activ Active Acti Active Acti Activ Activ Active

e ve ve e e

SD-WAN
Item Value
Int Reuse OFF - - OFF

er- LAN-
CP side L2
E interfa
Lin ce
k
VLAN 4000 - 4008 - - 4000 - 4008
ID
Device GE3/0/2 GE3/0/3 - - GE0/ GE0/0/2

1 0/1
Interfa
ce
Device GE3/0/2 GE3/0/3 - - G00/ GE0/0/2

2 0/1
Interfa
ce
Table 1-124 Email template information

Item Value
Email Template Implementer
Subject How to install a Huawei NCE-WAN

router
Content To install Huawei NCE-WAN routers,

perform the following steps:
Default Template OFF

21021156411234500011 Hub1_1 AR6280
21021156411234500012 Hub1_2 AR6280
2102351UGG10J7000011 Site2_1 AR651U-A4
2102351UGG10J7000012 Site3_1 AR651U-A4
2102351UGG10J7000013 Site3_2 AR651U-A4

SD-WAN

Item Value
RR ON OFF OFF
Conn - Hub1 Hub1

ect to
RR
Gate Dual Gateways Single Gateway Single Gateway

way
Site Hub Branch1 Branch2

temp
late
Devic Hub1_1 Hub1_2 Site2_1 Site3_1 Site3_2

e
Link MPL Inter MPL Intern MPLS Internet MPLS Internet

name S1 net1 S2 et2
VN unde unde und underl underl underlay underlay_1 underla

insta rlay_ rlay_ erla ay_2 ay_1 _2 y_2
nce 1 2 y_1
Interf IPoE IPoE IPoE IPoE IPoE PPPoE IPoE IPoE

ace
proto
col
IP Stati Stati Stat Static Static - Static Static

addre c c ic
ss
acces
s
mode
IP 172.1 10.1 172. 10.100 172.16 - 172.16.4.1/ 10.100.

addre 6.1.1 00.1. 16.2 .2.1/30 .3.1/30 30 4.1/30
ss/ /30 1/30 .
Subn 1/3
et 0
mask
Defa 172.1 10.1 172. 10.100 172.16 - 172.16.4.2 10.100.

ult 6.1.2 00.1. 16.2 .2.2 .3.2 4.2
gate 2 .2
way
PPPo - - - - - user@w - -
E eb.com
User
name

SD-WAN
Item Value
PPPo - - - - - Pass123 - -
E 4
Pass
word
Auth - - - - - CHAP - -
Type
Publi 172.1 10.1 172. 10.100 - - - -

c IP 6.1.1 00.1. 16.2 .2.1
1 .1
Nego Auto Auto Aut Auto Auto Auto Auto Auto

tiatio o
n
mode
NAT - - - - OFF OFF OFF OFF

STUN
Uplin 100 100 100 100 100 100 100 100

k
band
width
(Mbp
s)
Dow 100 100 100 100 100 100 100 100

nlink
band
width
(Mbp
s)
base
d
deplo
ymen
t

Item Value
password

SD-WAN
Item Value
WAN Link MPLS1 Internet MPLS2 Internet2

1
NTP Server Address 10.10.1.1 10.10.1.1 10.10.1.1 10.10.1.1

Item Value
Table 1-129 Email-based deployment information

Item Value
Email testadmin@163 [email protected] [email protected]

addres .com m
s
Email Implementer
Templ
ate
Table 1-130 BGP route information about the underlay networks

Item Value
Advanced Default route ON OFF OFF

Settings redistribution
Device Hub1_1 Hub1_2 Site2_1 Site3_1

SD-WAN
Item Value
Peer IP 172.16.1.2 172.16.2.2 172.16. 172.16.

3.2 4.2
Peer AS 100 100 100 100
Local AS 101 102 104 105
Keepalive time (s) 60 60 60 60
Hold time (s) 180 180 180 180
MD5 encrypt admin123 admin123 admin admin1

123 23
WAN link MPLS1 MPLS2 MPLS MPLS
Routing Export OFF OFF OFF OFF

Policy
Import OFF OFF OFF OFF
Table 1-131 Static route information about the underlay networks

Ite Value
m
Dev Hub1_1 Hub1_ Hub1 Hub1_2 Site2_ Site2_1 Site3_ Site3_2

ice 1 _2 1 2
Prio 60 60 60 60 60 60 60 60
rity
WA Interne Interne Intern Internet Intern Interne Intern Internet

N t t et et t et
link
Des 0.0.0.0/ 10.110. 0.0.0. 10.110. 0.0.0.0 10.110. 0.0.0.0 10.110.4

tina 0 42.160/ 0/0 42.160/ /0 42.160 /0 2.160/3
tion 32 32 /32 2
add
ress
/
ma
sk
Nex IP IP IP IP Outbo Outbo IP IP

t- address address addre address und und addre address
hop ss interfa interfa ss
typ ce ce
e

SD-WAN
Ite Value
m
IP 10.100. 10.100. 10.10 10.100. - - 10.10 10.100.4

add 1.2 1.2 0.2.2 2.2 0.4.2 .2
ress
Trac ON OFF ON OFF ON OFF ON OFF

k
Tar 10.110. - 10.11 - 10.110 - 10.11 -

get 42.160 0.42.1 . 0.42.1
60 42.160 60

Item Value
VN VPN1
IPSec Encryption ON
Site Name Hub1, Site2, Site3
Topology mode Full-mesh
Redirect sites Hub1
Table 1-133 Site VLAN information about the overlay network

Item Value
Device Hub1_1 Hub1_2 Site2_1 Site3_1 Site3_2
VLAN ID 10 10 10 102 10 10
Physical GE8/0/2 GE8/0/2 GE0/0/ GE0/0/ GE0/0/5 GE0/0/5

interfaces 5 6
Mode Untag Untag Untag Tag Untag Untag
IP address 10.1.1.1/2 10.1.1.2/2 10.3.1. 10.102. 10.5.1.252 10.5.1.253

4 4 254/2 1.1/24/ /24 /24
4
Trust Trust Trust Trust Trust Trust Trust

mode
DHCP - - DHCP - - -
type Relay

SD-WAN
Item Value
DHCP - - 10.102 - - -
Server IP .1.50
VRRP - - - - ON ON
VRRP ID - - - - 10 10
Virtual IP - - - - 10.5.1.254 10.5.1.254
Default - - - - Master Backup

role
Preempt - - - - 20 0
delay (s)

Item Value
Process ID 1001 1001
WAN link Default route ON ON

Common advertisement
Parameter Default route cost 1 1
Internal 10 10
preference
ASE preference 150 150
Interface Area ID 0 0
Parameter
Interface Name Vlanif10 Vlanif10
Authentication None None

Mode
Hello Timer 10 10
DR Priority 0 0
Route Redistribute Protocol - -
Process ID - -
Cost - -
Router Filter Export filter OFF OFF
Import filter OFF OFF

SD-WAN

Item Value
Name test_app_group_VoIP
Predefined Applications VoIP

Item Value
Traffic classifier name test_traffic_VoIP test_traffic_service
Operator And And
L3 ACL - Priority: 1
Application test_app_group_ -
VoIP
Item Value
Policy name test_traffic_poli test_traffic_policy_service

cy_VoIP
Traffic Classifier Template test_traffic_VoI test_traffic_service

P

Condition
Jitter (ms) 30 40
Packet loss 10 50
rate (‰)
Transport Primary ● Transport ● Transport Network:

Network Transport Network: Internet; Priority: 1
Priority Network MPLS; ● Transport Network: MPLS;
Priority: 1 Priority: 2
● Transport
Network:
Internet;
Priority: 2

SD-WAN
Item Value
Secondary - -
Transport
Network

and Site3
Item Value
Centralize Area ALL

d Internet
access Active Internet GW Hub1
Item Value
Access mode Centralized access
Site Hub1
Link Priority MPLS: 1
IGW ON
Role Active
Table 1-140 URL filter policy information
Item Value
Policy name test_security_policy1
Enable Policy Type Black List

URL
filter Black List *sina.com*
Site Hub1, Hub2, Site2, Site3, Site4
Procedure
Step 1 Log in to the iMaster NCE-WAN as an MSP administrator.
Step 2 Create a tenant and a tenant administrator.

SD-WAN
1. Click Tenant Management > Dashboard.

2. Click Create under Tenants List. In the displayed dialog box, enter tenant
information and administrator information.

SD-WAN
3. Under Tenants List, check the created tenant administrator account.
Step 3 Configure an email server.

1. Choose Administration > Email Server to access the Email Server page.
2. Configure parameters for interworking with the email server.

SD-WAN
3. Click Test to test email sending. If the system displays the message indicating
that the test is successful and the test email can be received, the
configuration is successful. Click Save to complete the configuration.
Step 4 Access the tenant managed service view.

1. Click Dashboard.
2. In Tenants List, select the tenant that requires maintenance and click the
tenant name to access the tenant managed service view.


SD-WAN


SD-WAN
7. Click Apply.

SD-WAN
12. Click Apply.
2. Enter template information and click OK.

SD-WAN
Step 7 Add devices in a batch based on the ESN.

displayed.
OK.

4. Under Add Device, select the devices added in the above.
5. Click OK.
● Edge-RR site
● Edge sites

SD-WAN
Step 9 Create an email template.

1. Choose Design > Network Template > Email Template.
2. On the Email Template page that is displayed, click Create. Enter the
template information.

SD-WAN
Step 10 Complete the ZTP configuration for the sites and send a deployment email.
1. Configure the WAN links for the edge-RR site.
b. In the site list on the left, click a created site. Choose the WAN link
template, and the WAN Link page displays link information.
c. Click in the Operation column in the right pane.

d. In the Set WAN Link dialog box that is displayed, set WAN link
parameters.
e. Click Apply.

SD-WAN

SD-WAN

SD-WAN

SD-WAN
2. Complete the NTP configuration for the edge-RR site.

a. Click NTP.
b. On the NTP page that is displayed, select a time zone. Enter NTP
information and click Apply.

SD-WAN

Perform the same operations as those for the edge-RR site to complete WAN
link parameter configuration for the edge sites and click Apply.

SD-WAN

SD-WAN

SD-WAN

SD-WAN
4. Complete the NTP configuration for the edge sites.

c. Click Apply.

SD-WAN
5. After completing the ZTP configuration, click Send Email.

a. In the displayed Send Email dialog box, select the site to deploy.
b. Enter the recipient email address and CC email address, select the created
email template, modify the email content, and click OK.

site you want to connect.
3. When Distribution Quantity is Successful, click OK.

SD-WAN
Step 12 Configure BGP routes for the underlay network of the hub site.
1. Choose Provision > Site Configuration.
2. Select Hub1 from the left list and click WAN Route.
Protocol and select BGP.
4. On the BGP page, click Advanced Settings, and enable Default route
redistribution.

SD-WAN
5. On the BGP page, click Create and set BGP route parameters, click Apply.

SD-WAN
6. On the WAN Route page that is displayed, click and select IPv4 Static.
Click Create and set static route parameters. On the main page, click Apply.

SD-WAN

SD-WAN
Step 13 Configure BGP routes for the underlay networks of the branch sites.
1. Perform the same operations as those for the edge-RR site to complete BGP
route parameter configuration for Site2 and click Apply.

SD-WAN
3. Select Site3 from the left list and perform the same operations as those for
Site2 to complete the BGP route configuration for Site3, and click Apply.

SD-WAN

SD-WAN

1. Create a VN.
d. Click Apply.

d. Click Apply.

SD-WAN
3. Configure VLAN information about the edge-RR site.

a. Choose Provision > Overlay Network > Overlay Service.
b. .
c. On the Overlay Service page, select the VN to be configured, expand the
site template list on the left, click Hub1, and click the VLAN tab in the
right pane.
d. Click Create and set related parameters, click Apply.
▪ VLAN configurations for Hub1_1
▪ VLAN configurations for Hub1_2

SD-WAN
4. Configure a VLAN for Site2.

b. On the Overlay Service page, select the VN to be configured, expand the
site template list on the left, click Site2, and click the VLAN tab in the
right pane.
c. Click Create and enter VLAN information. On the main page, click Apply.

SD-WAN

SD-WAN
5. Configure a VLAN for Site3.

b. On the Overlay Service page, select a VN. Select Site3_1 from the list on
the left and click the VLAN tab in the right pane.
c. Click Create to configure VLAN parameters.
d. On the Create VLAN page, click Advanced Settings to configure the
VRRP master and backup gateways.
e. After configuring the VLAN and VRRP, click Apply.
▪ VLAN configuration for Site3_1

SD-WAN
▪ VLAN configuration for Site3_2

SD-WAN
Step 15 Configure LAN-side OSPF routes for Hub1.

2. Select Hub1 and click LAN Route in the right pane.
3. Click Click Here to Add Routing Protocol and select OSPF.
4. In the displayed OSPF dialog box, click Create to configure OSPF routes and
click Apply on the main page.

SD-WAN

SD-WAN
Step 16 Enable SAC.


Configuration.


SD-WAN

click Create.
3. Enter the application group information and select the predefined application
VoIP.

SD-WAN

2. Click Traffic Classifier Template and click Create to create a traffic classifier
template.
3. Configure a traffic classifier template.

SD-WAN
2. On the Overlay page, select a VN and click Traffic Steering.
3. On the Traffic Steering tab page, click Create and configure intelligent traffic
steering policies.

SD-WAN
4. On the Traffic Steering tab page, click in the Operation column of the
policy. In the Attach Sites dialog box that is displayed, select a site to be
bound to the policy. Click and then click OK.

2. On the Overlay page, select a VN and click Site-to-Internet to access the
Site-to-Internet page.
a. Enable Centralized Internet access and click Create.
b. Set Area and Active Internet GW, click in the Operation column.
c. Click OK.

SD-WAN
4. Click Apply.
Step 21 Configure a mutual-access policy for the overlay network of the legacy site.
2. On the Overlay page, select a VN and click Site-to-Legacy Site to access the
Site-to-Legacy Site page.
3. Configure centralized access.
a. Enable Centralized access and click Create. In the displayed dialog box,
select the hub site.
b. Click IGW to enable the gateway function for communication between

SD-WAN sites and legacy sites.
c. Click in the Operation column to activate the egress link and

configure the link priority, click Apply Changes.

SD-WAN
Step 22 Configure security policies.

1. Choose Policy > Security Policy > URL.
2. Select the VN to which the sites to be configured belong.
3. Click Create and set related parameters.
4. On the Security Policy page, click in the Operation column of the policy.
In the Attach Sites dialog box that is displayed, select a site to be bound to
the policy, click and then click OK.

SD-WAN

Step 23 Install the CPEs at the sites based on the site networking requirements and
connect the WAN ports of the CPEs to the WAN.
Step 24 Deploy the CPEs at the sites using email-based deployment.
1. Power on the CPEs.
2. Wait for a moment until the SYS indicator on the CPEs is blinking green
slowly, indicating that the CPEs have started successfully.
3. Perform email-based deployment according to section 2.2 Email-based
Deployment.
Step 25 After the deployment is successful, enable all CPEs to register with the iMaster
NCE-WAN again to obtain the configurations of the new branch sites.
----End

SD-WAN
Typical Deployment Examples 2 Site Deployment
2 Site Deployment
2.1 USB-based Deployment

2.2 Email-based Deployment
2.3 DHCP Option-based Deployment
2.1 USB-based Deployment

Related Products
AR: V300R019C10SPC300
An enterprise wants to deploy several branch sites, as shown in Figure 2-1.
Information about CPEs that serve as gateways of the sites is ready. It is time-
consuming and labor-intensive if software engineers go to the sites to deploy the
CPEs site by site. The enterprise requires a method to quickly deploy the sites in a
batch through easy operations without requiring high software commissioning
skills.

SD-WAN
Solution Design
If multiple CPEs need to be deployed and the CPE model and ESN information are
available, you can deploy the CPEs in a batch using USB-based deployment at a
location where most CPEs are located, and then assign the CPEs to the sites for
installation and deployment. The following example describes how to use USB-
based deployment to deploy Site2.
1. The tenant administrator creates Site2, on the iMaster NCE-WAN, completes

the ZTP configuration for Site2, and downloads the ZTP file.
2. The tenant administrator uses the IniConverter.exe tool to convert the ZTP
file into a configuration file suffixed with .ini, creates the index file
USB_AR.ini, and sends the configuration file and index file to the deployment
engineer. To obtain the IniConverter.exe tool, contact Huawei engineers.
3. The deployment engineer saves the received configuration file and index file
to the root directory of the USB flash drive and starts the CPEs for USB-based
deployment.
Data Plan
Item Value

SD-WAN
Table 2-2 Site template for new sites

Item Value
Template name Site2
Description -
Gateway Single Gateway
WAN Link Name Internet
Device Device1
Interface GE0/0/3
Overlay tunnel ON
Transport Internet
Network
Role Active
Table 2-3 Basic device information

2102351UGG10J700001 Site2_1 AR651U-A4

5
Table 2-4 ZTP configuration for new branch sites

Item Value
Site Site2
RR OFF
Gateway Single gateway
Site Site2
template
Device Site2_1
Link name Internet
VN instance underlay_1
Interface IPoE
protocol

SD-WAN
Item Value
IP address Static
access mode
IP address/ 10.100.12.1/30
Subnet
mask
Default 10.100.12.2
gateway
Negotiation Auto
mode
NAT STUN ON
Uplink 100
bandwidth
(Mbps)
Downlink 100
bandwidth
(Mbps)
URL-based ON
deployment
Item Value
Procedure
Step 1 Create branch sites and complete the ZTP configuration on the iMaster NCE-WAN
as a tenant administrator.
1. Log in to the iMaster NCE-WAN as a tenant administrator.
2. Choose Design > Network Settings and set global network parameters.
3. If no required site template is available in the system, create a site template
which is used to configure site WAN links.
a. Choose Design > Network Template. On the Network Template page
that is displayed, click Create.
b. Enter the template information.

SD-WAN
4. Add devices on their ESNs and use them as the CPE gateways for the new
site.
a. Choose Design > Devices Management. The Device Management page
is displayed.
b. Click Add Device and set Addition method to Manual Creation.
c. Set Mode to ESN, and click Add.
d. On the page that is displayed, set ESN, Device Name, and click OK.
5. Create a new site.

a. Choose Design > Site Design, and click Create.
b. Enter the site information, and under Add Device, select the devices
added in the above.
c. Click Apply.
6. Complete the ZTP configuration for the new site and download the ZTP file.
a. Configure the WAN links.
i. Choose Provision > ZTP Configuration. The ZTP Configuration
page is displayed.
ii. In the site list on the left, click Site2. Choose the WAN link template,
iii. Click in the Operation column in the right pane. In the displayed
dialog box, set WAN link parameters and then click Apply on the
main page.

SD-WAN
b. Complete the NTP configuration.

Select the time zone used by the old site, and click Apply.

SD-WAN
c. After completing the ZTP configuration, click Download ZTP File and
save the file as a ZTP_xxx.csv file.
Step 2 Make a configuration file and an index file as a tenant administrator.
1. Drag the downloaded ZTP_xxx.csv file to the IniConverter.exe tool.
2. Set Password to the value of URL encryption key, which has been set on the
Global Parameters page.
3. Click Generate ini file, and save the configuration file as ZTP.ini.
4. Create a text file named USB_AR.ini and edit the index file.
During USB-based deployment, the device where the USB flash drive is
installed matches the ESN field of CONFIG in the index file. If a match is
found, the configuration file in the USB flash drive is copied.
BEGIN AR
[USB CONFIG]
SN=20180408.070632
EMS_ONLINE_STATE=NO
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=1
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=DEFAULT
MAC=DEFAULT
VERSION=DEFAULT
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-CONFIG
FILENAME1=ZTP.ini
END AR
Step 3 Perform USB-based deployment as a deployment engineer.

1. Save the received configuration file and index file to the root directory of the
USB flash drive.
2. Power on the CPEs. After the CPEs are started successfully, retain their factory
settings.
3. Insert the prepared USB flash drive to the USB port on a CPE. The CPE
automatically starts the USB-based deployment process.
During the deployment, a CPE obtains the configuration file from the USB
flash drive based on the description in the index file and saves it to the
default storage medium. The CPE then determines whether its ESN is the
same as that in the index file. If so, it saves the configuration to the
configuration file for next startup. If not, this CPE does not replace its
configuration file.
4. Observe the USB indicator on the device to determine the progress of USB-
based deployment. After USB-based deployment is successful, remove the
USB flash drive. The USB-based deployment ends.
– If the indicator is steady green, USB-based deployment is successful.
– If the indicator is blinking green, USB-based deployment is ongoing.
– If the indicator is steady red, USB-based deployment fails.
Step 4 Verify the deployment result.
● The tenant administrator checks whether the CPE status is Normal on the
iMaster NCE-WAN.

SD-WAN
Choose Design > Device Management. On the Device page that is displayed,
find the target CPE. If Status displays Normal, the CPE has been deployed
successfully and registered with the iMaster NCE-WAN.
● If an AR600, AR1600, or AR6000 series router is deployed as a CPE, check the
CTRL indicator status on the AR. If the indicator is steady on, the AR has been
successfully deployed and registered with the iMaster NCE-WAN.
----End
Precautions
● During USB-based deployment, the SN in the index file used to deploy a CPE
must be different from the default USB-based deployment flag of the CPE.
The SN in an index file is a unique flag for USB-based deployment. A device
has a default USB-based deployment flag. If there is the USB_AR.ini file in the
USB flash drive, the device checks whether the default USB-based deployment
flag and the SN in the USB_AR.ini file are the same. If they are the same, the
device does not start USB-based deployment. If they are different, the device
starts USB-based deployment and starts with the deployment files specified in
the USB flash drive. If the deployment succeeds, the default USB-based
deployment flag on the device is changed to the SN in the USB_AR.ini file.
2.2 Email-based Deployment

Related Products
AR: V300R019C10SPC300
An enterprise wants to add a site, Site2, deploy a CPE as the gateway, and connect
Site2 to the WAN through an Internet link, as shown in Figure 2-2. No
professional software commissioning engineer is available at Site2. The hardware
installation test engineer needs to complete the CPE deployment after installing
the CPE.

SD-WAN
Solution Design
Hardware installation test engineers usually have limited skills in commissioning
router software. However, they have a basic understanding of the operations, for
example, connecting terminals such as mobile phones, tablets, and laptops to the
network and browsing web pages. Therefore, they can deploy the CPE at Site2
using email-based deployment in the following ways:
1. The tenant administrator creates Site2 on the iMaster NCE-WAN, completes

the ZTP configuration for Site2, and sends a deployment email to the
specified email address.
2. The hardware installation test engineer confirms that the mobile phone,
tablet, or laptop that is used as the deployment terminal receives the
deployment email.
3. After installing the CPE at the site, the hardware installation test engineer
connects the deployment terminal to the CPE in wired or wireless mode and
starts the deployment process by accessing the URL in the deployment email.
The CPE is automatically deployed after receiving the URL access request.
Data Plan
Item Value

SD-WAN
Item Value

Item Value
Template name Site2
Description -
Device Device1
Interface GE0/0/3
Overlay tunnel ON
Transport Internet
Network
Role Active
Table 2-8 Email template information

Item Value
Email Template Implementer
Subject How to install a Huawei NCE-WAN

router
Content To install Huawei NCE-WAN routers,

perform the following steps:
Default Template OFF
Table 2-9 Email-based deployment information

Item Value
Email testadmin@163 [email protected] [email protected]

addres .com m
s

SD-WAN
Item Value
Email Implementer
Templ
ate
Table 2-10 ZTP configuration for new sites

Item Value
Site Site2
RR OFF
Device Site2_1
Connect to Hub1
RR
WAN link Site2

Template
Link name Internet
Interface IPoE
protocol
IP address Static
access mode
IP address/ 10.100.12.1/24
Subnet
mask
Default 10.100.12.254
gateway
Negotiation Auto
mode
Uplink 100
bandwidth
(Mbps)
Downlink 100
bandwidth
(Mbps)

SD-WAN
Procedure
Step 1 Create a branch site, complete the ZTP configuration, and send a deployment
email on the iMaster NCE-WAN as a tenant administrator.
1. Log in to the iMaster NCE-WAN as a tenant administrator.
2. Choose Design > Network Settings and set global network parameters.
3. If no required site template is available in the system, create a site template
which is used to configure site WAN links.
a. Choose Design > Network Template. On the Site Template page that is
b. Enter the template information.
4. Create an email template.

a. Choose Design > Network Template > Email Template.
b. On the Email Template page that is displayed, click Create. Enter the
template information.
5. Add devices on the device models and use them as the CPE gateways for the
new site.
a. Choose Design > Devices Management. The Device Management page
is displayed.
b. Click Add Device and set Addition method to Manually Creation.
c. Set Mode to Device Model, and click Add.
d. On the page that is displayed, set Type, Device Model, and Quantity,
and click OK.
e. Click Edit, change the value of Device Name, and click Submit.

SD-WAN
f. Click OK.
6. Create a new site.

a. Choose Design > Site Design.
b. On the Site page that is displayed, click Create.
c. Enter the site information.
d. Under Add Device, select the devices added in the previous step.
e. Click Apply.
7. Complete the ZTP configuration for the new site and send a deployment
email.
a. Configure the WAN links.
i. Choose Provision > ZTP. The ZTP Configuration page is displayed.
ii. In the site list on the left, click Site2. Choose the WAN link template,
iii. Click in the Operation column in the right pane.

iv. In the Set WAN Link dialog box that is displayed, set WAN link
parameters.
v. Click Apply.

SD-WAN
b. Complete the NTP configuration.

On the NTP page that is displayed, select a time zone for the devices.
Enter NTP information and click Apply.

SD-WAN
c. After completing the ZTP configuration, click Send Email.

i. In the displayed Send Email dialog box, select the site to deploy and
click .
ii. Enter the recipient email address and CC email address, select the
created email template, modify the email content, and click OK.
Step 2 Perform email-based deployment as a deployment engineer.

1. Check the deployment email.
2. Install a CPE onsite and connect the deployment terminal that receives the
email to the CPE.
a. Install the CPE, connect cables, and power on the CPE.
b. Connect the deployment terminal to the CPE.
● Wireless access
In the device's factory settings, the deployment Wi-Fi network SSID is a
character string that consists of PnP_ and the last six digits of the device's
ESN, in the PnP_xxxxxx format. The deployment Wi-Fi password is a character
string that consists of AR and the last six digits of the network SSID, in the
ARxxxxxx format.
The deployment engineer uses a deployment terminal to search for the
deployment Wi-Fi network SSID and enters the deployment Wi-Fi password to
access the device. When the deployment terminal has been connected to the
specified deployment Wi-Fi network and obtained an IP address, this
deployment terminal has been connected to the device.

SD-WAN
Only the devices with the default WLAN mode as the AP mode support
wireless access of deployment terminals.
1. Wired access (the following example uses a PC with Windows 7 installed).
a. Use an Ethernet cable to connect the PC to the management interface of
the CPE.
The CPE's management interface is often marked with the Management
or MGMT silkscreen. Management interfaces of some device models do
not have this silkscreen. You can check the position of the management
interface by referring to the product documentation.
b. Configure the PC to obtain an IP address dynamically.

In factory settings, the IP address of the management interface is
192.168.1.1, the subnet mask is 255.255.255.0, and the DHCP server
function is enabled so that the PC can automatically obtain an IP address
through DHCP. If the PC can ping the IP address of the management
interface, the PC has successfully connected to the CPE.

SD-WAN
2. Perform email-based deployment.
NOTE
If two gateways are deployed at a site, disconnect the cable between them before
deployment, and then reconnect it after deployment. If the cable is not disconnected,
deployment may fail.
1. On the deployment terminal, open the deployment email, click the URL in the
email or copy the URL to the browser's address bar to execute it. The
deployment Portal page is then displayed in the browser.
2. On the page that is displayed, enter the password and click GO. The system
uses the password to decrypt the encrypted URL.

SD-WAN
NOTE
The entered password must be the same as the value of URL encryption key specified
in set global network param....
3. Click Check Parameters to check the automatically parsed parameters and
click Confirm Deployment to start the deployment process.

SD-WAN
4. After the CPE completes deployment and registers with the iMaster NCE-
WAN, the following page is displayed on the deployment terminal, indicating
that the deployment is successful.

● Check whether the CPE status is Normal on the iMaster NCE-WAN as a
tenant administrator.
Choose Design > Device Management. On the Device page that is displayed,
find the target CPE. If Status displays Normal, the AR has successfully
registered with the iMaster NCE-WAN and gone online.
CTRL indicator status on the AR. If the indicator is steady on, the AR has
successfully registered with the iMaster NCE-WAN.
----End
2.3 DHCP Option-based Deployment

Related Products

SD-WAN

AR: V300R019C10SPC300
Table 2-11 Interfaces on AR routers to connect to the DHCP server

Series Device Model Interface Connected to the DHCP
Server
AR120 AR129CVW GE0/0/4
AR129CGVW-L
AR160 AR161EW GE0/0/4
AR169EW
AR169EGW-L
AR1200 AR1220E GE0/0/8, GE0/0/9
AR2200 AR2220E GE0/0/0, GE0/0/1, GE0/0/2
AR1600 AR1610-X6 GE0/0/8, GE0/0/9

(uCPE)
AR610 AR611W GE0/0/4
AR611W-LTE4CN
AR617VW
AR617VW-LTE4EA
AR650 AR651-X8 GE0/0/4, GE0/0/5

(uCPE)
AR651W-X4 GE0/0/4, GE0/0/5
AR650 AR651U-A4 GE0/0/8, GE0/0/9
AR651F-Lite GE0/0/6, GE0/0/7, GE0/0/10, GE0/0/11
AR651C GE0/0/8, GE0/0/9, GE0/0/10, GE0/0/11
AR651, AR651-LTE6EA GE0/0/8, GE0/0/9
AR651W GE0/0/8, GE0/0/9
AR657 GE0/0/8, GE0/0/9
AR657W GE0/0/8, GE0/0/9
AR6120 AR6120 GE0/0/8, GE0/0/9, 10GE interface
AR6120-VW
AR6120-S AR6120-S GE0/0/8, GE0/0/9, 10GE interface
AR6140 AR6140-9G-2AC GE0/0/2, GE0/0/3, GE0/0/6, GE0/0/7

SD-WAN
Series Device Model Interface Connected to the DHCP

Server
AR6140-16G4XG GE0/0/12, GE0/0/13, GE0/0/14,

GE0/0/15, 10GE interface
AR6140-S AR6140-S GE0/0/2, GE0/0/3, GE0/0/6, GE0/0/7
AR6280/ SRU-100H GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4,

AR6300 10GE interface
SRU-200H GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4,

10GE interface
SRU-400H GE0/0/0, GE0/0/9, 10GE interface
SRU-600H GE0/0/0, GE0/0/9, 10GE interface
AR6300-S SRU-400H GE0/0/0, GE0/0/9, 10GE interface
Carrier A provides SD-WAN services for enterprise customers and is responsible for
deploying SD-WAN sites. With the growth in service volume, the deployment of
SD-WAN sites consumes more technical and manpower resources. To reduce costs,
carrier A wants CPEs to be automatically deployed upon cable connection after
the CPEs are installed, without any other manual configuration. Figure 2-3 shows
the networking, on which Site2 is a new site and has no dedicated software
commissioning engineers available. After hardware installation engineers install a
CPE at Site2, they need to deploy the CPE onsite.

SD-WAN
Solution Design
In the carrier resale scenario, an enterprise customer wants to build its SD-WAN
network based on carrier A's WAN network. To implement this, DHCP-based
deployment can be used. The DHCP-based deployment process is described as
follows:
1. Carrier A deploys a DHCP server on the WAN and configures the DHCP server.
The major configuration items are as follows:
● Pool of IP addresses that can be assigned to DHCP clients
● Gateway address for DHCP clients
● Field Option 148:
agilemode=tradition;agilemanage-mode=ip;agilemanage-
domain=x.x.x.x;agilemanage-port=10020;
Table 2-12 Fields of Option

Field Description Value Configuration
Example
agilemode Agile mode. The value If the southbound

tradition IP address of
indicates the iMaster NCE-
traditional WAN is 10.1.1.1
mode. and the port
number is 10020,
agilemanag Whether the Currently, this the value of
e-mode agilemanage- field can be set Option 148 is as
domain field is set to only to an IP follows:
an IP address or a address. agilemode=traditi
domain. on;agilemanage-
mode=ip;agilema
nage-
domain=10.1.1.1;a
gilemanage-
port=10020;

SD-WAN
Field Description Value Configuration

Example
agilemanag Southbound IP ● In the

e-domain address of iMaster DHCPv4
NCE-WAN. The CPE server
initiates registration configuration
to iMaster NCE-WAN , the value of
through this IP this field is
address. an IP address
in the format
of x.x.x.x.
● In the
DHCPv6
server
configuration
, the value of
this field is a
128-bit IPv6
address in
the format of
XXXX:XXXX:X
XXX:XXXX:XX
XX:XXXX:XXX
X:XXXX. It
can also be
abbreviated.
The first 0 in
each
segment can
be omitted. If
consecutive
0s are
present,
these 0s can
be replaced
by "::". "::"
can be used
only once.
agilemanag Port number used for The value of this

e-port registration with field is 10020.
iMaster NCE-WAN.
To ensure that the CPE Site2_1 (functioning as a DHCP client) at the SD-WAN
site can communicate with the DHCP server. In this case, the DHCP server and
the gateway are deployed in the carrier's intranet and communicate with each
other through a Layer 3 network. The gateway is configured the DHCP relay
function. After Site2_1 connects to the gateway, it can send a DHCP request
to the DHCP server to obtain an IP address.

SD-WAN
2. When configuring Site2 on iMaster NCE-WAN, the tenant administrator

selects the DHCP-based deployment mode.
3. A hardware installation engineer installs the CPE onsite, correctly connects the
network cable on the WAN side to the WAN port of the CPE, and powers on
the CPE. Then, the engineer checks the startup status and deployment status
by observing the indicators on the panel of the CPE. If the indicators are
normal, the CPE is successfully deployed.
Data Plan
Table 2-13 Key configuration items of the DHCP server

Item Value Description
Egress 10.100.12.254/24 Egress gateway address for DHCP

gateway clients.
address
Network 10.100.12.1/24 to Network segment of IP addresses

segment 10.100.12.253/24 that can be allocated to DHCP
of clients.
allocable
IP
addresses
Excluded 10.100.12.1/24 to Range of IP addresses that cannot be

IP 10.100.12.128/24 automatically allocated to clients
addresses among the allocable IP addresses.
Option agilemode=tradition;agilem Message used by a DHCP client to

148 anage- register with iMaster NCE-WAN.
mode=ip;agilemanage- agilemanage-domain: IP address of
domain=10.1.1.10;agileman iMaster NCE-WAN to be registered
age-port=10020; with.
agilemanage-port: port number of
iMaster NCE-WAN to be registered
with.
Table 2-14 Basic device information

2102351UGG10J700001 Site2_1 AR651U-A4

5

SD-WAN

Item Value
Template name Site2
Description -
Device Device1
Interface GE0/0/8
Overlay tunnel ON
Transport Internet
Network
Role Active
Table 2-16 Site design and ZTP configuration for new sites
Item Value
Site Site2
RR OFF
Site Site2
template
Device Site2_1
Link name Internet
Interface IPoE
protocol
IP address Static
access mode
IP address/ 10.100.12.1/24
Subnet
mask
Default 10.100.12.254
gateway
Negotiation Auto
mode

SD-WAN
Item Value
NAT STUN ON
Uplink 100
bandwidth
(Mbps)
Downlink 100
bandwidth
(Mbps)
URL-based OFF
deployment
Procedure
Step 1 Configure the DHCP server as the network administrator of carrier A. In the
following information, AR routers (RouterA and Gateway) are used as a DHCP
server and the gateway to describe how to configure a DHCP IP address pool and
enable DHCP on an interface on the CLI:
1. Configure the DHCP server function on RouterA.
#
dhcp enable //Enable DHCP.
#
ip pool sd-wan1
gateway-list 10.100.12.254 //Configure the gateway address.
network 10.100.12.0 mask 255.255.255.0 //Configure the range of IP addresses that can be
dynamically allocated from the global IP address pool.
excluded-ip-address 10.100.12.1 10.100.12.128 //Exclude IP addresses in the range from 10.100.12.1
to 10.100.12.128 from IP addresses that can be automatically allocated.
option 148 ascii agilemode=tradition;agilemanage-mode=ip;agilemanage-
domain=10.1.1.10;agilemanage-port=10020; //Configure Option 148.
force insert option 148 //Configure a DHCP server to forcibly insert Option 148 to a DHCP Response
packet that it sends to a DHCP client.
#
interface GigabitEthernet0/0/1
ip address 10.100.10.2 255.255.255.0
dhcp select global //Enable the interface to use the global address pool.
#
return
2. Configure the DHCP relay function on Gateway.

#
dhcp enable //Enable DHCP.
#
ip address 10.100.10.1 255.255.255.0
#
ip address 10.100.12.254 255.255.255.0
dhcp select relay //Enable the DHCP relay function.
dhcp relay server-ip 10.100.10.2 //Configures a DHCP server address.
#
return
Step 3 Choose Design > Network Settings and set global network parameters.

SD-WAN
Step 4 If no required site template is available in the system, create a site template which
are used to configure site WAN links.
2. Enter the template information.
Step 5 Add devices on their ESNs and use them as the CPE gateways for the new site.
displayed.
2. Click Add Device and set Addition method to Manual Creation.
3. Set Mode to ESN, and click Add.
4. On the page that is displayed, set ESN, Device Name, and click OK.
Step 6 Create a new site.

5. Click Apply.
Step 7 Complete the ZTP configuration for the new site.

1. Configure the WAN links.
b. In the site list on the left, click Site2. Choose the WAN link template, and
the WAN Link page displays link information.
c. Set Select ZTP Mode to DHCP.

SD-WAN
d. Click in the Operation column in the right pane. In the SetWANLink

dialog box that is displayed, set WAN link parameters.
e. Click Apply.

SD-WAN
Step 8 Complete the NTP configuration.

On the NTP page that is displayed, select a time zone for the devices. Enter NTP
information and click Apply.

SD-WAN
Step 9 Perform DHCP-based deployment as a deployment engineer.

1. Install the CPE at the site, connect the WAN-side network cable to the
Ethernet WAN port of the CPE based on the network plan, and power on the
CPE.
2. After the CPE is started, observe the SYS indicator on the CPE to check
whether the CPE is running properly.
– Slow blinking green: The system is running properly.
– Fast blinking green: The system is being powered on or restarting.
– Steady red: A fault that affects services has occurred and cannot be
rectified automatically. The fault needs to be rectified manually.
– Off: The system software is not running or is resetting.
3. After the CPE is started normally, the CPE automatically performs the
following operations:
a. The CPE functions as a DHCP client and sends a DHCP request to the
DHCP server to apply for an IP address.
b. The CPE successfully obtains a WAN interface IP address, egress gateway
address, and iMaster NCE-WAN IP address and port number carried in
the Option 148 field from the DHCP server.
c. The CPE automatically configures the IP address of the WAN interface,
iMaster NCE-WAN IP address and port number, and routes, and initiates a
registration request to iMaster NCE-WAN. After the CPE and iMaster
NCE-WAN perform verification and authentication, the CPE registers with
iMaster NCE-WAN successfully. In this way, DHCP-based deployment is
completed.

SD-WAN

● Check whether the CPE status is Normal on the iMaster NCE-WAN as a
tenant administrator.
Choose Design > Devices Management. On the Device page that is
displayed, find the target CPE. If Status displays Normal, the AR has
successfully registered with the iMaster NCE-WAN and gone online.
CTRL indicator status on the AR. If the indicator is steady green, the AR has
successfully registered with the iMaster NCE-WAN.
----End

SD-WAN
Typical Deployment Examples 3 Faulty CPE Replacement
3 Faulty CPE Replacement
3.1 Replacing Dual Faulty CPE Gateways
3.1 Replacing Dual Faulty CPE Gateways

Related Products
AR: V300R019C10SPC300
A hardware fault occurs on two CPEs at the site of an enterprise. The enterprise
wants to replace them with new CPEs to restore network services.
Solution Design
1. Add the new CPEs to the device management system of the iMaster NCE-
WAN. Ensure that the model of the new CPEs is the same as that of the CPEs
to be replaced.
2. Perform device replacement on the iMaster NCE-WAN, select the site at which
CPEs need to be replaced, and send a deployment email.
3. At the site, use the new CPEs to replace the faulty CPEs and connect them to
the WAN. Then, deploy the CPEs again.
4. After the CPEs are deployed, they automatically obtain the modified
configuration from the iMaster NCE-WAN.
Figure 3-1 shows the detailed operation flowchart.

SD-WAN
Figure 3-1 Operation flowchart
Data Plan
Table 3-1 New device information
2102351UGG10J7000071 Site3_1_new AR651U-A4
2102351UGG10J7000072 Site3_2_new AR651U-A4
Procedure
Step 2 Add devices in a batch based on the ESN.

displayed.
2. Click Add Device and set Addition method to Manual Creation.
3. Set Mode to ESN, and click Add.
4. On the page that is displayed, set ESN, Device Name, and click OK.

SD-WAN
Step 3 Replace the CPEs.

1. Choose Design > Devices Management. The Device page is displayed.
2. In the device list, find the faulty CPEs. Click in the Operation column of
the CPE records. The Device Replacement page is displayed.
3. In the new device list, select the new CPEs after the replacement and click OK.
4. After the replacement is successful, the device ESNs are the ESNs of the new
CPEs.
Step 4 Send a deployment email or USB-based deployment files.

● In email-based deployment, perform the following operations:
b. Click Send Email. In the displayed Send Email dialog box, select the site
to deploy and click
c. (Optional) If the mailbox information is not configured when the site is
created, specify a recipient email address after you select the site.
d. Enter the recipient email address and CC email address, select the created
email template, modify the email content, and click OK.
● In email-based deployment, perform the following operations:

SD-WAN
b. Click Download ZTP File to save the file as a ZTP_xxx.csv file.

c. Make an index file and a configuration file and send them to the
deployment engineer. For details, see Step 2 in section 2.1 USB-based
Deployment.
Step 5 Deploy the new CPEs as a deployment engineer.
● For details about the onsite deployment operations in email-based
deployment, see Step 2 in section 2.2 Email-based Deployment.
● For details about the onsite deployment operations in USB-based deployment,
see Step 3 in section 2.1 USB-based Deployment.
Step 6 After the new CPEs are deployed, verify that the CPEs register with the iMaster
NCE-WAN to automatically obtain service configurations for restoring services.
----End

SD-WAN Typical Deployment Examples

Uploaded by

Copyright:

Available Formats

SD-WAN Typical Deployment Examples

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SD-WAN Typical Deployment Examples

Uploaded by

Copyright:

Available Formats

SD-WAN

Typical Deployment Examples

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. i

1 Building an SD-WAN Network............................................................................................. 1

Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. ii

2 Site Deployment.................................................................................................................. 426

3 Faulty CPE Replacement....................................................................................................457

Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. iii

1 Building an SD-WAN Network

1.1 Introduction to Building an SD-WAN Network

1.1 Introduction to Building an SD-WAN Network

Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. 1

Figure 1-1 SD-WAN network configuration procedure

Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. 2

The procedure of configuring a new SD-WAN network consists of multiple steps,

Table 1-1 Configurations in typical scenarios

Step 1 Create SD-WAN sites 1.3.1 Full-Mesh Networking

Step 2 Configure WAN-side 1.4.1 Configuring BGP and

Step 3 Configure multiple 1.5.1 Configuring Multiple VPNs

Step 4 Configure LAN-side 1.5.1 Configuring Multiple VPNs

Step 5 Configure LAN-side 1.7.1 Configuring LAN-side

Step 6 (Optional) Configure 1.8.1 Configuring a Link

Configure a site-to- 1.9.1 Configuring Centralized

Configure a site-to- 1.10.1 Configuring

(Optional) Configure a 1.11.1 Configuring Preferential

(Optional) Configuring 1.12.1 Forbidding Access to

(Optional) Configure a 1.13.1 Configuring a URL

Step 7 Deploy sites. 2.2 Email-based Deployment

Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. 3

1.2 Standard SD-WAN Networking Solutions

Full-Mesh Networking (Single Hub and Co-deployed RR)

● Two gateways are deployed in a DC as hub nodes, which also function as RR

Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. 4

Hub-Spoke Networking (Dual Hubs and Co-deployed RR)

● Two gateways are deployed at the HQ and DC respectively as hub nodes,

Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. 5

Multi-Area Hierarchical Networking (Co-deployed RR)

Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. 6

Multi-Tenant Networking (Co-deployed RR)

Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. 7

1.3 Creating SD-WAN Sites and Configuring ZTP

1.3.1 Full-Mesh Networking (Single Hub and Co-deployed RR)

Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. 8

Figure 1-2 Enterprise networking

Issue 03 (2021-04-12) Copyright © Huawei Technologies Co., Ltd. 9

4. To enable direct communication between the headquarters and branches or

Table 1-2 Tenant information

Tenant Name TenantA

Table 1-3 Global network parameters

Transport Network MPLS Internet

Routing Domain MPLS Internet

Encryption algorithm AES256

Life time 1440

URL encryption key 123abc

Token validity period (day) 7

Password of User Admin test@123

Community pool 100