DAST 9.2 Student Guide v1.5

Deploying Aruba SD-WAN Technologies

Student Guide
version 9.2, revision 1.5
Student Guide Page 6

© Copyright 2023 Hewlett Packard Enterprise Development LP

The information contained herein is subject to change without notice. The only warranties for HPE products and services
are set forth in the express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein.

This is an HPE copyrighted work that may not be reproduced without the written permission of Hewlett Packard
Enterprise. You may not use these materials to deliver training to any person outside of your organization without the
written permission of HPE.

Printed in the US

Deploying Aruba SD-WAN Technologies


Student Guide
October 2023

Contents
Introduction ..... 8
EdgeConnect SD-WAN Ecosystem ..... 10
EdgeConnect Terminology & Concepts ..... 12
Orchestrator Setup & Initial Configuration ..... 17
Orchestrator & Appliance Registration ..... 20
Configure Essential Orchestrator Features ..... 22
Deploy EdgeConnect Enterprise Appliances ..... 25
Deployment Profiles ..... 30
Data Path Route Selection & Forwarding ..... 36
EdgeConnect SD-WAN Reference Architectures ..... 40
Virtual Router Redundancy Protocol (VRRP) ..... 43
EdgeConnect High Availability ..... 47
Automated Provisioning & Configuration ..... 51
Business Intent Overlays ..... 56
SD-WAN Traffic Handling ..... 62
Internet & Cloud Services Traffic Handling ..... 75
Back Up, Restore, & Image Management ..... 79
Monitoring ..... 82
Logging ..... 88
Working with Technical Support ..... 90
Conclusion ..... 94

Introduction
Deploying Aruba SD-WAN Technologies
Welcome to the Deploying SD-WAN Technologies course. This course is based on Orchestrator 9.2 and ECOS 9.2. It provides you with information about EdgeConnect SD-WAN concepts and features.
Each module in this student guide corresponds with the presentation slides for this course. You can note the title of the slide the instructor presents and then match it with the corresponding header. Each provides useful information. Some have images for reference purposes, but not all of them do.

Welcome to Deploying Aruba SD-WAN Technologies


Provide the following information via Microsoft Teams chat to introduce yourself to the instructor and the other
students:
• First and last name
• City and country (HPE requires that students notify the instructor of their country of residence.)
• Role
• Organization
• Prior EdgeConnect SD-WAN and networking experience
• Learning goals for this course
You should have received a course materials email sent from Silver Peak Classes. The email contains download links for
the course materials. If you need the course materials, your instructor can provide them to you.

Prerequisite Knowledge
This course is the first in our technical training series. We recommend that you complete the SD-WAN Essentials course first, because it provides a detailed overview of important EdgeConnect SD-WAN concepts. If you began this course without completing SD-WAN Essentials, we recommend that you complete it during a meal break or before the second day of class.

AASP Assessment Overview


This course supports the Aruba Accredited SD-WAN Professional (AASP) accreditation assessment. You can enroll in
the assessment at this URL:
https://inter.viewcentral.com/events/cust/cust_tracks.aspx?company_login_id=aruba&pid=1&track_id=43
The AASP assessment has 40 multiple-choice questions, a 1-hour time limit, is open-book, and has a minimum passing
score of 70%. If you do not pass the assessment twice, you must wait 1 week before your next attempt.

Objectives
The following are the course objectives:
• Become familiar with Aruba Orchestrator management software and EdgeConnect appliances
• Understand the fundamentals of Aruba EdgeConnect Enterprise technologies
• Deploy an Orchestrator and EdgeConnect appliances
• Earn your Aruba Accredited SD-WAN Professional (AASP) accreditation

Instructor-led Course Completion Criteria


You must attend all lectures, participate in discussions, and complete all the labs for you to be marked as “Complete” in
an instructor-led class. If in the opinion of the instructor, the student fails to meet these requirements, the instructor
marks the student as “Not Complete.” If this happens, you have these three options:
• Complete the eLearning version of the course. If you choose this option, don’t redeem your lab voucher unless you
have sufficient time to complete all labs within 24 hours.
• Repeat the instructor-led course to complete it.
• Send an email to [email protected] to appeal the decision.

EdgeConnect SD-WAN Ecosystem

This module is a review of the SD-WAN Essentials eLearning course.


Enroll in this course at this website for more detailed information about these topics:
https://inter.viewcentral.com/events/cust/cust_tracks.aspx?company_login_id=aruba&pid=1&track_id=43

Business-driven SD-WAN Edge Platform


As enterprises continue their migration to the cloud, they increasingly adopt a “cloud-first” SD-WAN architecture to provide the highest levels of SaaS application and IaaS performance, providing tangible business benefits to the enterprise. The EdgeConnect SD-WAN solution with First-packet iQ delivers the highest performance for the cloud-first enterprise while protecting branch offices from unwanted threats and vulnerabilities.

How EdgeConnect Simplifies SD-WAN Architecture


The right SD-WAN choice can unify all essential WAN-edge network functions in a single platform, including routing,
firewall, visibility and control, WAN optimization, and SD-WAN. Besides reducing the hardware footprint and power
consumption at every branch, centrally orchestrating these functions simplifies WAN infrastructure management and
provides more consistent QoS and security policy enforcement. This means reduced risk, as well as reduced capital
expenses and operating expenses.

Software-Defined WAN (SD-WAN)


SD-WAN is an attractive solution with two general SD-WAN implementations: basic SD-WAN and business-driven SD-WAN. This course covers the Aruba EdgeConnect Enterprise SD-WAN, formerly known as Silver Peak SD-WAN. As the diagram shows, you can use one or more WAN transports and control how, when, and what traffic the EdgeConnect SD-WAN handles.
Remember that the emergence of SD-WAN resulted from many applications and services moving to the cloud. Such applications and services include Microsoft Office 365, Salesforce, social media, and Infrastructure-as-a-Service (IaaS) solutions via AWS, Microsoft Azure, and Google Cloud. It often makes sense to forward such traffic to the internet instead of backhauling it to a data center. Additionally, this traffic typically has SSL/TLS encryption.
Internal traffic is the other type of network traffic. Think of this traffic as anything you might need to access via a VPN client from your computer. With software-defined WAN, network operators have more control for the efficient management of dynamic traffic, especially with a business-driven SD-WAN, like EdgeConnect SD-WAN, that uses an Orchestrator.

EdgeConnect Terminology & Concepts


Encapsulation & Tunnels
Let’s look at a high-level view of encapsulation and tunnels between EdgeConnect SD-WAN appliances. A basic function of an EdgeConnect SD-WAN appliance is to form tunnels with other EdgeConnect SD-WAN peers to forward network traffic flows.
• Encapsulation: Putting a data packet inside another data packet for transport across a network.
• Tunnels: The logical connections between two devices that encapsulate data. They are the dashed orange lines in the following diagram.
If you don’t know a website’s IP address, or how to get to internal servers, your computer creates an IP packet with its IP address as the source and the server’s IP address as the destination. Your computer sends the packet to its default gateway router. For this example, let’s say the EdgeConnect SD-WAN appliance is the default gateway for the internet at your remote office. EdgeConnect A receives the packet and sees that the file server is an internal resource. So, it secures the packet by encapsulating the original IP packet with additional encapsulation data: its own IP address as the source and the IP address of EdgeConnect appliance B as the destination. EdgeConnect A then forwards the encapsulated packet through a tunnel to the remote EdgeConnect B. When EdgeConnect B receives the packet, it looks at the destination IP address of the outer (encapsulation) header, which is its own. That’s how EdgeConnect B knows it needs to do something with the packet. In this case, it removes the encapsulation headers and forwards the original packet to the internal server.
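The encapsulate-then-decapsulate decision described above, as an added example that is not code from this student guide or from Aruba: it models the tunnel with plain IP-in-IP (protocol 4) rather than the EdgeConnect tunnel format, and every address and payload in it is constructed.

```python
"""IP-in-IP encapsulation walk-through (added example, not Aruba code).

Models the host -> EdgeConnect A -> tunnel -> EdgeConnect B -> server path
described above with plain IP-in-IP (protocol 4). Real EdgeConnect tunnels
add their own tunnel headers and encryption, which are not modelled here.
All addresses and payloads are constructed for the example.
"""
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_IPIP = 4      # "IP inside IP": the outer header's protocol field
IPV4_HLEN = 20        # minimal header, no options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the header; 0 when an existing checksum is valid."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options, don't-fragment set)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IPV4_HLEN + len(payload), 0, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    checksum = struct.pack("!H", ipv4_checksum(header))
    return header[:10] + checksum + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Extract the fields a forwarding decision needs; reject malformed headers."""
    if len(packet) < IPV4_HLEN or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < IPV4_HLEN or len(packet) < ihl or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": packet[9],
        "ttl": packet[8],
        "payload": packet[ihl:total_len],
    }


def encapsulate(original: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """EdgeConnect A: wrap the original packet in an outer header addressed to peer B."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, original)


def receive(packet: bytes, my_addr: str) -> tuple:
    """EdgeConnect B: classify an arriving packet and return (action, packet_to_forward).

    'decapsulate' - outer destination is ours and it carries a tunnel payload:
                    strip the outer header and forward the original packet
    'local'       - addressed to us but not tunnel traffic (e.g. management)
    'passthrough' - not addressed to us: forward it unchanged, like a plain router
    """
    outer = parse_ipv4(packet)
    if outer["dst"] != my_addr:
        return "passthrough", packet
    if outer["proto"] != IPPROTO_IPIP:
        return "local", packet
    inner = outer["payload"]
    parse_ipv4(inner)   # validate the original packet before forwarding it
    return "decapsulate", inner


def demo() -> dict:
    """A branch host sends to an internal server that sits behind EdgeConnect B."""
    host, server = "10.1.1.25", "10.2.2.10"        # constructed LAN addresses
    ec_a, ec_b = "198.51.100.1", "203.0.113.1"      # constructed tunnel endpoint addresses
    original = build_ipv4(host, server, IPPROTO_TCP, b"GET /file")
    tunnelled = encapsulate(original, ec_a, ec_b)
    action, forwarded = receive(tunnelled, ec_b)
    return {
        "action": action,
        "outer_dst": parse_ipv4(tunnelled)["dst"],        # what the transport network routes on
        "forwarded_to": parse_ipv4(forwarded)["dst"],     # what B routes on after stripping
        "restored": forwarded == original,
        "overhead_bytes": len(tunnelled) - len(original),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```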

Passthrough Flows
Some flows aren’t between two EdgeConnect SD-WAN appliances. In this example, you see traffic that is sent from a branch office directly to the internet. Any flow that isn’t encapsulated—not in a tunnel—is called a passthrough flow. Essentially, the EdgeConnect SD-WAN appliance behaves as a router that does not optimize the passthrough flows.
Since cloud services, SaaS, and IaaS are extensions of an organization’s network, it’s critical to reach these services by the most efficient and highest-performing means. This is called local internet breakout, and it’s a form of passthrough traffic. Passthrough flows, standard IPsec tunnels, and GRE tunnels may sometimes be referred to as Passthrough Tunnels.

Aruba EdgeConnect SD-WAN Components


An Aruba EdgeConnect Enterprise SD-WAN has these three components:
• Cloud Portal
– It acts as the SD-WAN and Boost licensing database
– Requires no customer interaction
– Provides software upgrade image files
• Orchestrator
– Provides SD-WAN data with its dashboard widgets
– Manages EdgeConnect SD-WAN appliances
– Pushes configuration and tunnel orchestration to appliances
– Registers with the Cloud Portal
• EdgeConnect SD-WAN appliances
– Directs network traffic
– Receives configuration settings from Orchestrator
– Must periodically check in with the Cloud Portal
– Requires Cloud Portal connectivity for software upgrades
– Must be approved from the Orchestrator
– Typically configured from the Orchestrator

Orchestrator & EdgeConnect Appliance Types


The Orchestrator is a virtual machine that you install in a supported hypervisor. It’s included with the purchase of your EdgeConnect SD-WAN appliances.
EdgeConnect SD-WAN appliances are available as physical appliances or EC-V virtual appliances you install in a supported hypervisor. You can install EC-V appliances in a cloud environment like AWS, Google Cloud Platform, or Microsoft Azure.

Orchestrator Versions
Most EdgeConnect SD-WAN deployments have one Orchestrator and SD-WAN fabric. Orchestrator is a virtual machine
that you can install on-premises or in a cloud environment, or you can subscribe to Aruba’s Orchestrator-as-a-Service
(OaaS) offering. Orchestrator as a Service has small, medium, and large tiers.
You can learn more about Orchestrator from these resources:
• Aruba Orchestrator website: https://www.arubanetworks.com/products/sd-wan/edgeconnect/orchestrator/
• Aruba Orchestrator data sheet: https://www.arubanetworks.com/assets/ds/DS_Orchestrator.pdf
• Aruba Orchestrator-as-a-Service data sheet: https://www.arubanetworks.com/resource/enterprise-aruba-orchestrator-as-a-service-data-sheet/
Aruba also has two additional Orchestrator offerings:
• Aruba Orchestrator-GE (Global Enterprise)
– Cloud-based Orchestrator for organizations with multiple EdgeConnect SD-WAN fabrics
– Orchestrator-GE data sheet: https://www.arubanetworks.com/assets/ds/DS_OrchestratorGE.pdf
• Aruba Orchestrator-SP (Service Provider)
– Cloud-based Orchestrator for service providers that provide EdgeConnect SD-WAN service to customer organizations
– Orchestrator-GE data sheet (includes Orchestrator-SP): https://www.arubanetworks.com/assets/ds/DS_OrchestratorGE.pdf

On-Premises vs Cloud-Based Orchestrator


You install the Orchestrator from a *.ova file you obtain from Aruba. You have two installation options, on-premises or cloud-based. An on-premises Orchestrator is the most common installation. It comes with the purchase of your EdgeConnect SD-WAN appliances. This might be at your organization’s data center. Cloud-based Orchestrator installations are in cloud environments like AWS, Google Cloud, or Microsoft Azure. With either installation option, you must ensure your EdgeConnect SD-WAN appliances have connectivity to the Orchestrator for registration approval, configuration, and ongoing monitoring. After you approve a new appliance from the Orchestrator, the Orchestrator pushes configuration settings to the appliance and orchestrates its tunnels to other EdgeConnect SD-WAN peers.

Order of Operations
This is an overview of the order in which you need to perform EdgeConnect SD-WAN installation tasks:
1. Design & prepare: Always know your network and the network you are trying to create. Ensure you have topology diagrams, link speed information, and other information so you can correctly configure and install the appliances.
2. Orchestrator setup & initial configuration: The first part of the actual installation is to install the Orchestrator before any EdgeConnect SD-WAN appliances. You can’t deploy any appliances until you install and register the Orchestrator.
3. Configure Orchestrator: Once you have registered the Orchestrator with the Cloud Portal, you need to do some pre-configuration to prepare for appliance installation. This includes creating Interface Labels, Deployment Profiles, and Business Intent Overlays.
4. Install EdgeConnect SD-WAN appliances: When you have configured these features in Orchestrator, you’re ready to start installing appliances. This process goes quickly because it’s mostly applying templates and filling in a few blanks, like the IP addresses of the interfaces.
5. Benefit from SD-WAN automation: When you’re done with the configuration, and the Orchestrator has pushed these settings to the appliances, they establish their tunnels with peer appliances and start forwarding traffic between them.

Orchestrator Setup & Initial Configuration


Orchestrator Installation
The system requirements of the Orchestrator are based on the number of appliances the Orchestrator will manage. The
Orchestrator Host System Requirements document provides a range of processor, memory, and storage requirements
and recommendations for each tier.
You can access the Orchestrator Host System Requirements document at this website:
https://www.arubanetworks.com/website/techdocs/sdwan-PDFs/system/Orch_SystemReq_latest.pdf
You install Orchestrator from a *.ova file, and then thick provision it, on one of these supported hypervisors. We have included links to each Quick Start Guide:
• Citrix XenServer: https://www.arubanetworks.com/website/techdocs/sdwan-PDFs/quick/qsg_Orch-Xen_latest.pdf
• KVM: https://www.arubanetworks.com/website/techdocs/sdwan-PDFs/quick/qsg_Orch-KVM_latest.pdf
• Microsoft Hyper-V: https://www.arubanetworks.com/website/techdocs/sdwan-PDFs/quick/qsg_Orch-HyperV_latest.pdf
• VMware vSphere: https://www.arubanetworks.com/website/techdocs/sdwan-PDFs/quick/qsg_Orch-vSphere_latest.pdf

Orchestrator Root & Admin Passwords


Orchestrator runs as a service of a Linux operating system, so you configure different passwords for the Linux and Orchestrator user accounts. You configure the Linux root and admin account passwords from the command line. The first time you log in to Orchestrator, enter the user name admin and password admin. You configure the Orchestrator admin account from its web interface after this first login.

Configure Static IP Addresses from CLI


You configure basic Orchestrator settings from a hypervisor console window with the orch-setup tool. You need to enter
./gms/orch-setup -c
to start its configuration component. You must refer to the full directory path to use orch-setup. When you finish using orch-setup, the network services automatically restart to apply the settings.
Select these orch-setup configuration options:
• Time zone
• NTP Settings
• Hostname
• IP address, subnet mask, and default gateway
• DNS server IP address

Getting Started Wizard – Step 1: License and Registration


After you log into the Orchestrator the first time, the Getting Started Wizard begins. On the wizard’s first page, you select EdgeConnect as the type of product the Orchestrator will manage. You also enter these two items:
• Account Name: It specifies the name of your account in the Cloud Portal.
• Account Key: The registration license key for your account.

Step 2: Email
On the wizard’s second page, you configure settings for an email server. Orchestrator will use this to send alarm-related emails and scheduled reports. After you click the Test button, you want to see a success message that indicates the email settings work for the Orchestrator.

Step 3: Backups
On the wizard’s third page, you configure settings for a backup server. You schedule backups to these types of servers:
• FTP
• HTTP
• HTTPS
• SCP
• SFTP

Is Orchestrator Registered with the Cloud Portal?


After you finish the Getting Started Wizard, if Orchestrator registration fails, check these items:
• The firewall allows TCP port 443 HTTPS and WebSocket traffic.
• The Orchestrator can reach its DNS server.
• The Orchestrator uses portal.silverpeak.cloud as the address of the Cloud Portal.
• You entered the account name and account key correctly. You can click the lock icon to reveal the account key.
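A small preflight for the first three checklist items, added here as an example and not part of the student guide or of Aruba’s tooling: it confirms the configured portal address, resolves the name, and attempts a TCP connection to port 443. The resolver and connector are parameters so the decision logic can be exercised offline with stubs; the account name and key still have to be verified in the Orchestrator UI.

```python
"""Cloud Portal reachability preflight (added example, not Aruba code).

Walks the registration-failure checklist from the Orchestrator's side:
is the configured portal address the expected one, does the name resolve,
and does TCP 443 accept a connection. Resolver and connector are injectable
so the decision logic can be exercised offline with stubs.
"""
import socket
from typing import Callable, List

CLOUD_PORTAL = "portal.silverpeak.cloud"   # Cloud Portal address named in the checklist
PORTAL_PORT = 443                          # HTTPS and WebSocket traffic to the portal


def default_resolve(host: str) -> List[str]:
    """Resolve host to IPv4 addresses with the Orchestrator's configured resolver."""
    infos = socket.getaddrinfo(host, PORTAL_PORT, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def default_connect(addr: str, port: int, timeout: float = 5.0) -> bool:
    """Attempt a TCP handshake; True if the port accepts the connection."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def portal_preflight(
    configured_host: str = CLOUD_PORTAL,
    port: int = PORTAL_PORT,
    resolve: Callable[[str], List[str]] = default_resolve,
    connect: Callable[[str, int], bool] = default_connect,
) -> dict:
    """Return which checklist item fails first (None if the network path looks good)."""
    report = {
        "host": configured_host, "port": port, "addresses": [],
        "dns_ok": False, "tcp_ok": False, "failed_step": None,
    }
    # Checklist item: the Orchestrator uses portal.silverpeak.cloud as the portal address.
    if configured_host.lower().rstrip(".") != CLOUD_PORTAL:
        report["failed_step"] = "portal address"
        return report
    # Checklist item: the Orchestrator can reach its DNS server (and the name resolves).
    try:
        addresses = resolve(configured_host)
    except OSError:                 # socket.gaierror is an OSError subclass
        addresses = []
    if not addresses:
        report["failed_step"] = "dns"
        return report
    report["dns_ok"], report["addresses"] = True, addresses
    # Checklist item: the firewall allows TCP 443 toward the portal.
    if not any(connect(addr, port) for addr in addresses):
        report["failed_step"] = "firewall"
        return report
    report["tcp_ok"] = True
    return report                   # account name/key still need checking in the UI


def describe(report: dict) -> str:
    """Map the failing step to the remediation the checklist suggests."""
    hints = {
        None: "network path to the Cloud Portal looks good; re-check account name and key",
        "portal address": f"portal address is {report['host']!r}, expected {CLOUD_PORTAL!r}",
        "dns": "name did not resolve: verify the Orchestrator can reach its DNS server",
        "firewall": "no TCP 443 connection succeeded: check firewall rules for HTTPS/WebSocket",
    }
    return hints[report["failed_step"]]


if __name__ == "__main__":
    result = portal_preflight()    # uses the real network when run directly
    print(result, describe(result), sep="\n")
```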

Orchestrator & Appliance Registration


Licensing & Configuration Overview
When you add a new appliance to the EdgeConnect SD-WAN, it communicates information with the Cloud Portal:
• Physical appliances provide their serial number.
• Virtual appliances provide their account name and account key, and the Cloud Portal gives it a virtual serial number.
After the Cloud Portal finds this information in its licensing database, it notifies the Orchestrator about the new
appliance. It also puts the appliance into a registration-pending status. You can automatically approve or manually
approve new appliances from the Orchestrator. After approval, the Orchestrator pushes these settings to the appliance:
• Deployment Profile
• Template Group
• Business Intent Overlays
The appliance then automatically establishes overlay tunnels with its peer EdgeConnect appliances.

Install & Register Orchestrator


After you finish the Orchestrator Getting Started Wizard, it should be registered with the Cloud Portal. The Orchestrator Cloud Portal page should show Registered Yes. The Orchestrator is then able to start managing EdgeConnect SD-WAN appliances, and it communicates regularly with the Cloud Portal to receive necessary updates for First-packet iQ application identification.

Licensing Notes
These are a few items that you should remember about licensing for the Orchestrator and appliances:
• The Orchestrator and EC-V virtual appliances use the same account name and account key.
• Each appliance license is granted for a moving 30-day window, and it attempts to connect to the Cloud Portal each day to renew its license. If it can connect, the license continues to be valid. However, after 30 days of not being able to connect to the Cloud Portal, the appliance’s license expires.
• If an appliance’s license expires, it drops all traffic until it is licensed again. Ensure that you resolve any reachability issues before the appliance is in production.
• The Orchestrator and appliances use Google public DNS (8.8.8.8) to resolve the Cloud Portal address unless you configure a different DNS server.

Configure Essential Orchestrator Features


Four Essential Pieces
An EdgeConnect SD-WAN has some essential components you need to configure before installing EdgeConnect
SD-WAN appliances.
You learn about these features in this module:
• Appliance tree groups
• Interface labels
• Template groups
• Deployment Profiles
• Business Intent Overlays

Appliance Tree Groups

Organize Appliances with Groups


If your EdgeConnect SD-WAN has more than a few appliances, dividing them into groups in the Orchestrator appliance tree simplifies working with them. You can create a hierarchical organization of appliance groups. Many organizations use geography as the basis for these groups. However, grouping appliances by function or other criteria is also valid.

Configuring Appliance Tree Groups


The Orchestrator appliance tree has one pre-existing group when you log into it the first time. You can rename this group, delete it, or create other groups. You can also create one or more nested groups within a higher-level group. You right-click an appliance tree item to work with groups. You right-click a specific appliance to change its group assignment.

Interface Labels
You can associate interface labels with the LAN or WAN interfaces of your EdgeConnect SD-WAN appliances. LAN interface labels can also apply to an untagged interface or VLAN-tagged subinterface.
The appliance uses LAN interface labels as one of the ways it can match traffic to a Business Intent Overlay.
A WAN interface label identifies the interface’s WAN transport. The appliance uses each WAN interface label to establish an underlay tunnel with other appliances that have the same label. Though the Orchestrator provides some preconfigured LAN and WAN interface labels, you can also define your own labels.

Templates & Template Groups

Why Use Templates?


Aruba recommends that you use templates whenever possible to make real-time changes to the configuration settings of EdgeConnect SD-WAN appliances. Template groups are reusable and can simplify and automate appliance configuration and management to save you time. They help you consistently configure settings for your EdgeConnect SD-WAN. A template group reduces the risk of configuration errors because the Orchestrator applies the same changes to all the appliances you have selected.

Template Groups
It’s important that you understand the difference between a template and a template group:
• Template: This is a collection of settings for a specific feature.
• Template group: A collection of active templates. You activate a template by dragging it from Available Templates into the Active Templates field.
You can apply a template group to a single appliance, a group of appliances, or all the EdgeConnect SD-WAN appliances. If you click the built-in help question mark icon, it provides information about a template’s settings.

Applying Templates
To apply any changes to EdgeConnect SD-WAN appliances, select one or more appliances in the Orchestrator appliance tree, ensure you have selected the correct template group, and then click Apply Templates. If you modify a template group after you have applied it to appliances, click Save to apply the changes. When you make changes, some templates give you the option to replace or merge the changes. Replace overwrites the existing settings. Merge inserts the change to combine it with the existing settings. You can apply more than one template group to an appliance.

Deploy EdgeConnect Enterprise Appliances


Order of Operations
Now that you have configured basic Orchestrator features, you can proceed with installing EdgeConnect SD-WAN appliances.
1. Design & prepare
2. Orchestrator setup & initial configuration
3. Configure Orchestrator
4. Install EdgeConnect SD-WAN appliances

Orchestrator as a Registration Proxy


If an EdgeConnect SD-WAN appliance doesn’t have a connection to the internet, it can’t reach the Cloud Portal. However, you can configure the appliance to use Orchestrator as a registration proxy by clicking Administration > Silver Peak Cloud Portal & Orchestrator. EdgeConnect can then use the Orchestrator as a proxy.
The Orchestrator sees the incoming connection from the appliance and forwards it to the Cloud Portal. This means that the Orchestrator must be reachable from the appliance via its mgmt0 interface or one of its WAN-side interfaces. EdgeConnect can then register with the Cloud Portal, but at this point the Orchestrator is still not aware of the EdgeConnect, despite having facilitated the connection.
On its next polling cycle to the Cloud Portal, the Orchestrator discovers the new EdgeConnect appliance. After the EdgeConnect is approved in the Orchestrator, the Cloud Portal grants a license to the appliance, and the Orchestrator can begin managing it.

EdgeConnect Licenses
EdgeConnect SD-WAN appliances require an SD-WAN license and can also use optional Boost and Advanced Security licenses. The appliance uses an SD-WAN license that matches its total outbound and inbound WAN bandwidth. You can view your appliances’ licenses from the Orchestrator under Configuration > Overlays & Security > Licensing > Licenses. The SD-WAN license enforces this bandwidth limit outbound and inbound and provides these features:
• Traffic forwarding, firewall, routing, QoS, and automated provisioning
• Path Conditioning (Forward Error Correction, Packet Order Correction)
• Dynamic Path Control
• EdgeConnect HA
The Boost license enables WAN optimization via TCP Acceleration and Network Memory for the appliance. You purchase blocks of Boost in 100 Mbps or 1 Gbps increments. You can view the total available pool of Boost bandwidth the EdgeConnect appliances share from the Orchestrator under Configuration > Overlays & Security > Licensing > Licenses.
You can also apply an Advanced Security license to appliances on which you want to enable intrusion detection and intrusion prevention.

Allocating Bandwidth Licenses


This licensing exercise involves EdgeConnect SD-WAN appliances at different types of sites. The 10 small branches each
have one appliance with a total WAN bandwidth of 30 Mbps. The five medium branches each have two appliances for a
total of 10 appliances, each with a total WAN bandwidth of 80 Mbps. The single data center site has two appliances that
each have a total WAN bandwidth of 6 Gbps. Given the different SD-WAN bandwidth license tiers, this is how many of
each type of license you need for the appliances:
• Small branch appliances: 10 licenses at 50 Mbps each
• Medium branch appliances: 10 licenses at 100 Mbps each
• Data center appliances: two unlimited licenses (total WAN bandwidth is greater than 2 Gbps)

Licensing Notes
After you register the Orchestrator with the Cloud Portal, it polls the Cloud Portal once each minute. So, depending on
when in this cycle an appliance registers, it can take a few minutes for it to appear on the Discovered Appliances tab of
Orchestrator.
Each appliance license is granted for a moving 30-day window, and the appliance attempts to connect to the Cloud Portal
each day to renew its license. If it can connect, the license continues to be valid. However, after 30 days of not being
able to connect to the Cloud Portal, the appliance’s license expires. If an appliance’s license expires, it drops all traffic
until it is licensed again. Ensure that you resolve any reachability issues before the appliance is in production.
The Orchestrator and appliances use Google public DNS (8.8.8.8) to resolve the Cloud Portal address unless you
configure a different DNS server.

Initial Config Wizard


EC-V virtual appliances are virtual machines that run on a hypervisor. Since they don’t have hardware, you must provide
some essential information with the Initial Config Wizard. This wizard appears after the first time you log in to the
appliance. You can also open it from the appliance’s Configuration menu if you need to access it again. You configure
these items in the wizard:
• Hostname: The name of the EdgeConnect SD-WAN appliance.
• MAC address assignment: You select the correct MAC address for each interface. Ensure that you have configured the
hypervisor’s network adapters to use the correct vSwitch port groups.
• Account name: The name of your account in the Cloud Portal.
• Account key: The registration licensing key for your account.
• Appliance tag: This is a unique identifier Orchestrator uses to match an appliance preconfiguration file to a specific
appliance.

Virtual MAC Address Mapping in VMware


EC-V virtual appliances require you to assign MAC addresses to their interfaces. This process links the hypervisors’
network adapters to the interfaces of the EC-V. Think of this as plugging in a “virtual cable.” During this course, you can
use the lab topology diagram to determine which interface uses which MAC address. The lab topology shows
gold-colored ovals that represent virtual switch port groups to which each of the hypervisor’s network adapters connect.
Approve Appliance in Orchestrator


When the Cloud Portal notifies the Orchestrator about a new appliance, the Appliances Discovered button flashes in the
Orchestrator. When you click the button, the Discovered Appliances tab opens and lists the new appliances. If you click
the Appliance column’s header, you can sort the appliance hostnames in order. This helps to ensure you’re approving
and configuring the correct appliance. If an appliance shows up as unreachable, click Refresh Discovery Information to
re-check it; its Reachability should then change to reachable.

Orchestrator Licenses Page


You can view the Licenses tab of the Orchestrator by clicking Configuration > Overlays & Security > Licensing >
Licenses. It provides the number and type of licenses registered to the account. It also provides the total amount of
Boost for your SD-WAN.
Deployment Profiles
After you configure interface labels, you can configure deployment profiles for use while installing appliances. A
deployment profile has settings for the deployment mode, interface settings, total WAN bandwidth settings, license type,
and amount of Boost. The Orchestrator pushes these settings to a new appliance to accurately configure them. If you
manually approve a new appliance from the Orchestrator, you can choose which deployment profile to apply to it from
the Appliance Wizard.

Deployment Profile Overview


The deployment profile, since it gets applied to multiple sites, does not include IP addresses, as these differ by appliance.
Instead, IP addresses are filled in when the deployment profile is applied to a site. You will probably create a deployment
profile for each type of site in your network and apply them as needed.
Deployment Profiles are templates for configuring the mode and interface configuration of an appliance. This is where
you determine the number of interfaces and subinterfaces it will use. You can add interfaces with the +Add link and
subinterfaces with the +IP link. It can include the VLAN numbers associated with each interface or subinterface. You also
configure inbound and outbound WAN bandwidth, the SD-WAN license type, and the amount of Boost the appliance will
use.

Deployment Profile vs. Deployment “Page”

Though deployment profiles and deployment pages look similar, they have important differences:
• Deployment Profile
◦ Orchestrator pushes settings from a deployment profile to a new EdgeConnect SD-WAN appliance.
◦ You access it from the Configuration menu of the Orchestrator. If you need to find a feature, you can also use the
Search Menu.
◦ The IP address fields for interfaces and next-hops are inactive and gray-colored. You apply a deployment profile to
many different EdgeConnect SD-WAN appliances that use the same deployment mode, interface settings, and related
options, but they can’t contain the same IP addresses.
• Deployment page
◦ You access it from the Deployment page of the Orchestrator or Appliance Manager web interface.
◦ You can review or modify deployment settings from this page.
◦ All fields are available, including the IP address and next-hop fields.

Two Deployment Configuration Areas


You access Deployment Profiles, and the Deployment page as follows:
• Deployment Profile: You access it from the Configuration menu of the Orchestrator.
• Deployment page: You access it from the web interface of the Orchestrator or the Appliance Manager.

VLAN Configuration
You configure VLANs from a Deployment Profile or the Deployment page. Fill in the VLAN field if you want to add the
interface to a tagged VLAN, or leave it blank for the untagged, native VLAN. When you add a VLAN tag to an interface,
the interface's name includes a VLAN number suffix. For example, a wan0 interface with a VLAN tag of 12 has the name
wan0.12.
If you need to add a subinterface and VLAN to an interface, click the +IP link below the interface. You can then enter an
IP address for the new subinterface and a VLAN number for the subinterface.
NAT Flag
NOTE
The EC-V appliances in the ReadyTech lab environment use the Not Behind NAT setting for all their WAN
interfaces because they connect to the WAN emulator virtual machines, not the internet.

Network Address Translation (NAT) is commonly used to map private, RFC 1918 IP addresses to a unique public IP
address that is valid on the internet. Each interface of a Deployment Profile or Deployment page has a NAT flag which
can be enabled or disabled. When your appliances are behind a NAT device, and it is necessary to build tunnels across
the internet, this flag can help Orchestrator build tunnels to the correct address.
You can also enter the public IP address that Orchestrator should use to build tunnels to this site for a given interface
label. This might be necessary if the NAT on the network path to the Cloud Portal is different from the NAT between
EdgeConnect appliances. If there are multiple service providers, you might have different paths through firewalls. If you’re
using NAT with EdgeConnect SD-WAN appliances, we recommend that you use 1:1 address mapping on at least one
end of a tunnel to avoid IPsec negotiation issues.
NAT Flag Example


This example illustrates how to use the NAT flag setting with WAN interfaces. In this graphic, Orchestrator manages two
EdgeConnect SD-WAN appliances that communicate with the Aruba Cloud Portal. The appliance on the left has a private
IP address of 10.10.1.1, and the one on the right has a private address of 10.10.2.2.
The appliances connect to the internet through firewalls that perform NAT. The firewall on the left translates the private
source IP address to a public address of 75.10.1.1 and the one on the right to 75.10.2.2. When the appliances register
with the Cloud Portal, they tell it their configured IP addresses, 10.10.1.1 and 10.10.2.2. Because the Cloud Portal
receives this information after NAT is performed, it sees the registration packets originating from their translated
addresses of 75.10.1.1 and 75.10.2.2. The Cloud Portal stores all these values. The next time the Orchestrator polls the
Cloud Portal, it learns these IP addresses.
After approving the appliances, the Orchestrator must choose which address to use to terminate the remote end of
tunnels in each direction. The source IP address of each tunnel is always the appliance’s own configured (private)
interface address; the destination is either the private or the public address of the remote appliance. If an appliance
establishes tunnels across the internet, you need to enable the NAT flag. When configuring tunnels on the appliance on
the left, the source IP address of the tunnel is 10.10.1.1, and the public destination IP address of the remote appliance
is 75.10.2.2. The appliance on the right does the same thing in the reverse direction.
However, if the appliances connect over a private MPLS connection that doesn’t transit the NAT firewall, then the
Orchestrator tells the appliance on the left to establish a tunnel from 10.10.1.1 to 10.10.2.2, and it tells the appliance on
the right to do the same in the reverse direction. You might have one interface that connects to the internet, and one
that connects via MPLS. In that case, you would enable the NAT flag on the internet interface and turn it off for the
MPLS interface.
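The endpoint choice described above, as an added Python example that is not part of the student guide or of the EdgeConnect software: it models, per interface label, the address configured on the appliance, the translated address the Cloud Portal observed, and the NAT flag, and derives both directions of a tunnel from them. The per-interface observed address, the public_override field (standing in for the manually entered public IP mentioned in the NAT Flag section) and the MPLS addresses are assumptions; the INET addresses are the ones from the figure.

```python
"""Picking tunnel endpoints from the per-interface NAT flag.

Added example; not code from the student guide or from Aruba/HPE. Each
appliance reports its configured (private) address to the Cloud Portal,
the portal also records the translated source address it actually saw,
and the NAT flag on each interface label tells Orchestrator which of the
two the remote end must target. public_override is an assumption standing
in for the manually entered public address; the MPLS addresses are
constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class WanInterface:
    label: str                             # interface label, e.g. "INET" or "MPLS"
    private_ip: str                        # address configured on the appliance
    seen_public_ip: str                    # source address the Cloud Portal observed
    behind_nat: bool                       # the NAT flag for this interface
    public_override: Optional[str] = None  # manually entered public address, if any


@dataclass
class Appliance:
    hostname: str
    interfaces: dict = field(default_factory=dict)   # label -> WanInterface

    def add(self, intf: WanInterface) -> "Appliance":
        self.interfaces[intf.label] = intf
        return self


def remote_endpoint(intf: WanInterface) -> str:
    """Address a peer must target to reach this interface."""
    if not intf.behind_nat:
        return intf.private_ip         # path is not translated: use the real address
    if intf.public_override:
        return intf.public_override    # admin-supplied address wins over what the portal saw
    return intf.seen_public_ip         # translated address the portal observed


def suspicious_flag(intf: WanInterface) -> bool:
    """True when the portal saw a different address than the configured one
    but the NAT flag is off: tunnels built to private_ip would never come up."""
    return (not intf.behind_nat) and intf.seen_public_ip != intf.private_ip


def build_tunnel(local: Appliance, remote: Appliance, label: str):
    """(source, destination) of the local -> remote tunnel on one label.
    The source is always the local appliance's own configured address; only
    the destination depends on the remote end's NAT flag."""
    src = local.interfaces[label].private_ip
    dst = remote_endpoint(remote.interfaces[label])
    return src, dst


def tunnel_pair(a: Appliance, b: Appliance, label: str) -> dict:
    """Both directions of the tunnel, as Orchestrator would push them."""
    return {a.hostname: build_tunnel(a, b, label),
            b.hostname: build_tunnel(b, a, label)}


# Constructed scenario: the figure's INET addresses plus an untranslated MPLS label.
LEFT = (Appliance("ec-left")
        .add(WanInterface("INET", "10.10.1.1", "75.10.1.1", behind_nat=True))
        .add(WanInterface("MPLS", "172.16.1.1", "172.16.1.1", behind_nat=False)))
RIGHT = (Appliance("ec-right")
         .add(WanInterface("INET", "10.10.2.2", "75.10.2.2", behind_nat=True))
         .add(WanInterface("MPLS", "172.16.2.2", "172.16.2.2", behind_nat=False)))

if __name__ == "__main__":
    for label in ("INET", "MPLS"):
        print(label, tunnel_pair(LEFT, RIGHT, label))
    for app in (LEFT, RIGHT):
        for intf in app.interfaces.values():
            if suspicious_flag(intf):
                print("check NAT flag on", app.hostname, intf.label)
```

suspicious_flag is the sanity check worth running before approving a site: if the portal saw an address that differs from the configured one and the flag is still off, the tunnel destination Orchestrator computes is a private address the peer cannot reach.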
Allow All
Each WAN interface has an FW Mode or stateful firewall setting. The Allow All setting
means that the stateful firewall is disabled for that WAN interface, and it allows all inbound
and outbound traffic. You usually only use Allow All with WAN interfaces that connect to
private networks—like MPLS—or where upstream firewalls provide security. You shouldn’t
use this setting with internet-connected interfaces due to security risks.

Harden
WAN hardening protects your sites against connections that are not secure. When you
enable this setting for a WAN interface, it only allows inbound and outbound IPsec traffic.
You can’t use local internet breakout with a hardened interface. However, an EdgeConnect
SD-WAN appliance can still communicate with the Cloud Portal through a hardened
interface, and it also permits DHCP requests and responses and DNS queries and
responses.

Stateful
You can enable the stateful firewall FW Mode for a WAN interface. An EdgeConnect appliance applies this security to
passthrough traffic, not overlay tunnel traffic. The stateful firewall provides basic layer-3 and layer-4 functionality that
might be suitable for branch offices’ local internet breakout traffic. If a device on the local LAN originates a connection to
an outside device, the EdgeConnect SD-WAN appliance permits the session through this
WAN interface. However, devices can’t initiate inbound sessions through EdgeConnect
from the outside. The stateful firewall isn’t a substitute for the application-aware
Zone-based Firewall or IDS / IPS. The stateful firewall only looks at the connection state,
not the content, so it doesn’t protect against malware or viruses that could be hidden in
content from insecure online sources that users access.

Stateful + SNAT: WAN Interface Firewall Mode


The Stateful + SNAT FW Mode allows the EdgeConnect SD-WAN appliance to perform
source NAT for outbound passthrough traffic exiting from a WAN interface. The appliance
maps the private LAN-side source IP address of the transmitting end device to the public IP
address of its WAN interface. If possible, EdgeConnect preserves the source port, but if that
port is already in use, the appliance maps a new source port. Since you can reuse source
ports for connections going to different destinations, appliances support up to 64,000
connections per destination IP address.
Inbound Port Forwarding


Inbound port forwarding allows devices to connect inbound through a WAN-side interface of an EdgeConnect SD-WAN
appliance to another device, like a server, via a LAN-side interface. Inbound port forwarding is not part of a deployment
profile, but you use it in conjunction with the Stateful + SNAT WAN interface FW Mode. It does this by allowing you to
map a public, WAN-side IP address and port number to a private LAN-side IP address and port. You can also restrict
incoming connections so that only certain source IP addresses or port numbers can establish inbound connections.
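The Allow All, Stateful and Stateful + SNAT modes and inbound port forwarding, as an added Python example that is not code from the student guide or from the EdgeConnect software: a small connection-tracking model with an outbound and an inbound path. The mode names, the addresses and ports, and the fallback port range it allocates from are constructed; the behaviour follows the descriptions above (only LAN-originated sessions create state, the source port is kept when it is free towards that destination, forwarding rules may carry a source restriction, and Allow All tracks and blocks nothing).

```python
"""WAN interface FW Modes as a small connection-tracking table.

Added example; not code from the student guide or from Aruba/HPE. It
models Allow All, Stateful and Stateful + SNAT plus inbound port
forwarding: LAN-originated flows are admitted (and, with SNAT, rewritten
to the WAN address, keeping the source port if it is free towards that
destination), inbound packets are admitted only when they match a
tracked flow or a forwarding rule, and Allow All tracks nothing.
Addresses, ports and the fallback port range are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ALLOW_ALL, STATEFUL, STATEFUL_SNAT = "allow-all", "stateful", "stateful+snat"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Forward:
    wan_port: int                      # port on the WAN interface address
    lan_ip: str                        # internal server
    lan_port: int
    allowed_src: Optional[str] = None  # optional source address restriction


class WanInterface:
    def __init__(self, mode, wan_ip, forwards=()):
        self.mode, self.wan_ip, self.forwards = mode, wan_ip, list(forwards)
        # flows: (lan_ip, lan_port, remote_ip, remote_port) -> WAN-side source port
        self.flows = {}
        # reverse: the 4-tuple of the expected return packet
        # (remote_ip, remote_port, wan_side_ip, wan_side_port) -> (lan_ip, lan_port)
        self.reverse = {}

    def _pick_port(self, pkt):
        """SNAT port choice: keep the host's port if it is free towards this
        destination, else the lowest free port. The same port may already be
        in use towards other destinations, which is what allows the per
        destination connection count the guide quotes."""
        used = {lp for (rip, rport, lip, lp) in self.reverse
                if (rip, rport, lip) == (pkt.dst_ip, pkt.dst_port, self.wan_ip)}
        if pkt.src_port not in used:
            return pkt.src_port
        for p in range(1024, 65536):           # constructed fallback range
            if p not in used:
                return p
        raise RuntimeError("no free source port towards this destination")

    def outbound(self, pkt):
        """LAN -> WAN: the packet as it leaves the WAN interface."""
        if self.mode == ALLOW_ALL:
            return pkt                          # nothing is tracked
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.flows:
            snat = self.mode == STATEFUL_SNAT
            port = self._pick_port(pkt) if snat else pkt.src_port
            wan_side_ip = self.wan_ip if snat else pkt.src_ip
            self.flows[key] = port
            self.reverse[(pkt.dst_ip, pkt.dst_port, wan_side_ip, port)] = (pkt.src_ip, pkt.src_port)
        if self.mode == STATEFUL_SNAT:
            return Packet(self.wan_ip, self.flows[key], pkt.dst_ip, pkt.dst_port, pkt.proto)
        return pkt

    def inbound(self, pkt):
        """WAN -> LAN: the packet delivered to the LAN, or None if dropped."""
        if self.mode == ALLOW_ALL:
            return pkt
        # 1. Return traffic of a flow a LAN host originated (un-NATed if needed).
        rev = self.reverse.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if rev is not None:
            return Packet(pkt.src_ip, pkt.src_port, rev[0], rev[1], pkt.proto)
        # 2. Inbound port forwarding, used together with Stateful + SNAT.
        if self.mode == STATEFUL_SNAT and pkt.dst_ip == self.wan_ip:
            for f in self.forwards:
                if f.wan_port == pkt.dst_port and f.allowed_src in (None, pkt.src_ip):
                    return Packet(pkt.src_ip, pkt.src_port, f.lan_ip, f.lan_port, pkt.proto)
        # 3. Anything else is an unsolicited inbound session: dropped.
        return None


if __name__ == "__main__":
    fw = WanInterface(STATEFUL_SNAT, "198.51.100.10",
                      [Forward(443, "10.1.1.50", 8443, allowed_src="203.0.113.9")])
    print(fw.outbound(Packet("10.1.1.20", 40000, "93.184.216.34", 443)))
    print(fw.outbound(Packet("10.1.1.21", 40000, "93.184.216.34", 443)))   # port moved
    print(fw.inbound(Packet("203.0.113.10", 5555, "198.51.100.10", 443)))  # dropped
```

The reverse table is keyed on the full return 4-tuple, so a second LAN host reusing the same source port towards the same server gets a new WAN-side port, while the same port towards a different server is left untouched, which is the reuse the Stateful + SNAT section describes.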
Data Path Route Selection & Forwarding


EdgeConnect Appliances Route Traffic In-Line
An EdgeConnect SD-WAN appliance in Router mode can forward a packet between local interfaces if it knows a route to
the destination subnet. The appliance can learn route prefixes from SD-WAN fabric subnet sharing, a proprietary routing
protocol, or OSPF v2 or BGP-4, which are standards-based routing protocols. The appliance can also redistribute route
prefixes between these routing protocols. An appliance can use subnet sharing, OSPF, or BGP with another EdgeConnect
appliance. It can also use OSPF and BGP with third-party routers and layer-3 switches.

Subnet Sharing
Subnet sharing is a proprietary routing protocol that EdgeConnect SD-WAN appliances use with their peer EdgeConnect
appliances. Each appliance can advertise its local subnets to its peers via an overlay tunnel between them. When a
packet enters an appliance on the LAN side, the appliance looks up its destination network in its routes table and then
puts the packet into an overlay to that destination. If there is no overlay between two appliances, they remove any routes
they learned from subnet sharing from their routes tables. When they establish an overlay between them again, the
appliances resume advertising and learning routes via subnet sharing.

Appliance Subnet Sharing Configuration


You can turn on SD-WAN fabric subnet sharing from the Routes page of an appliance in the Orchestrator:
• Use SD-WAN Fabric Learned Routes: This setting turns subnet sharing on or off. Always keep this box checked so
the appliance can use subnet sharing.
• Automatically advertise local LAN subnets: Check this box to enable this feature.
• Automatically advertise local WAN subnets: Leave this box unchecked to prevent the risk of routing loops and
overlay tunnel instability.
• Metric for automatically added routes: 50 is the default metric for subnet sharing routes.
Understanding the Routes Table


The Routes tab of Orchestrator shows all routes for all EdgeConnect SD-WAN appliances you have selected in the
appliance tree. The routes table has these important columns:
• Appliance: The hostname of the appliance that knows a route.
• Segment: The route’s network segment if the Orchestrator has Routing Segmentation (VRF) enabled.
• Subnet/Mask: The destination network address.
• Next Hop: The next-hop IP address for passthrough traffic.
• Interface: The interface related to the route.
• Zone: The Zone-based Firewall security zone.
• State: If the state is UP, the appliance can ARP to the next-hop router.
• Metric: The larger number is the route metric. AD is the administrative distance. PP is the peer priority.
• Type: The protocol from which the appliance learned the route. If the route is to a subnet connected to a local
interface of the appliance, it lists Auto (System). If the appliance learned the route from subnet sharing, the route
lists SP: <peer EdgeConnect hostname>.
• Additional Info: When you configure a default or static route, you can specify the direction in which the appliance
uses it. If the route doesn’t have a tag, the appliance can use it in both directions.
◦ FROM-LAN: Only used for LAN-to-WAN traffic.
◦ FROM-WAN: Only used for WAN-to-LAN traffic.

Route Selection Criteria for Route Table Lookups


When an EdgeConnect SD-WAN appliance determines which route to use, it examines the following criteria. If two or
more routes have matching criteria, the appliance examines the next criteria:
1. Longest route prefix: An appliance uses the route with the longest prefix match according to its netmask value. For
example, it chooses a /24 route over a /16 route to the same destination network.
2. Lowest administrative distance: The administrative distance relates to the type of route. An appliance prefers a
route with a lower administrative distance.
3. Lowest route metric: A lower route metric gives it a higher priority. An appliance prefers a route with the lowest
metric.
4. Lowest Peer Priority: An appliance prefers a route to an EdgeConnect peer with the lowest Peer Priority. This is a
proprietary setting you can configure to determine which of multiple EdgeConnect peers at another site is the
preferred path.
5. Random selection: If all the routes have matching criteria, the appliance randomly chooses one.
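The five criteria above, as an added Python example that is not code from the student guide or from ECOS: a routes table built from constructed rows (the administrative distances, metrics and peer hostnames are illustrative, not EdgeConnect defaults), a candidate filter that also honours the FROM-LAN / FROM-WAN tags from the Additional Info column, and a selection function that applies the criteria in order and only falls back to a random choice for a genuine tie.

```python
"""Route selection over an EdgeConnect-style routes table.

Added example; not code from the student guide or from Aruba/HPE. Only
the selection order (longest prefix, lowest administrative distance,
lowest metric, lowest peer priority, then random) and the FROM-LAN /
FROM-WAN direction tags come from the guide. The routes, AD values,
metrics and hostnames below are constructed for illustration.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    subnet: str                      # destination prefix, e.g. "10.20.0.0/16"
    next_hop: str                    # next-hop address or overlay peer hostname
    ad: int                          # administrative distance (lower wins)
    metric: int                      # route metric (lower wins)
    peer_priority: int               # EdgeConnect peer priority (lower wins)
    rtype: str                       # "Auto (System)", "SP: <peer>", "OSPF", ...
    direction: Optional[str] = None  # None, "FROM-LAN" or "FROM-WAN"

    @property
    def network(self):
        return ipaddress.ip_network(self.subnet, strict=False)


def candidate_routes(table, dst, direction):
    """Routes covering dst that are usable for this traffic direction.

    direction is "FROM-LAN" for LAN-to-WAN traffic or "FROM-WAN" for
    WAN-to-LAN traffic; an untagged route is usable in both directions.
    """
    addr = ipaddress.ip_address(dst)
    return [r for r in table
            if addr in r.network and r.direction in (None, direction)]


def _rank(route):
    # Criteria 1-4 as a sort key: longest prefix first (negated length),
    # then lowest AD, lowest metric, lowest peer priority.
    return (-route.network.prefixlen, route.ad, route.metric, route.peer_priority)


def select_route(table, dst, direction="FROM-LAN", rng=random):
    """Route the guide's selection order picks for dst, or None."""
    cands = candidate_routes(table, dst, direction)
    if not cands:
        return None
    best = min(_rank(r) for r in cands)
    ties = [r for r in cands if _rank(r) == best]
    # Criterion 5: whatever is still tied is chosen at random.
    return ties[0] if len(ties) == 1 else rng.choice(ties)


# Constructed routes table of a branch appliance (illustrative AD/metric values).
ROUTES = [
    # Static default toward the ISP, tagged so it is only used LAN-to-WAN.
    Route("0.0.0.0/0", "203.0.113.1", ad=1, metric=0, peer_priority=0,
          rtype="Static", direction="FROM-LAN"),
    # Data-center prefix learned by subnet sharing from two DC peers; the
    # lower peer priority marks dc-ec1 as the preferred path.
    Route("10.20.0.0/16", "dc-ec1", ad=200, metric=50, peer_priority=100, rtype="SP: dc-ec1"),
    Route("10.20.0.0/16", "dc-ec2", ad=200, metric=50, peer_priority=200, rtype="SP: dc-ec2"),
    # A more specific route to part of the DC range learned from a local OSPF router.
    Route("10.20.5.0/24", "10.1.1.254", ad=110, metric=20, peer_priority=0, rtype="OSPF"),
    # Second DC prefix with equal peer priority on both peers: a true tie.
    Route("10.30.0.0/16", "dc-ec1", ad=200, metric=50, peer_priority=100, rtype="SP: dc-ec1"),
    Route("10.30.0.0/16", "dc-ec2", ad=200, metric=50, peer_priority=100, rtype="SP: dc-ec2"),
]

if __name__ == "__main__":
    for dst in ("10.20.5.7", "10.20.9.1", "10.30.1.1", "192.0.2.10"):
        r = select_route(ROUTES, dst)
        print(dst, "->", "no route" if r is None else f"{r.next_hop} ({r.rtype})")
```

Running it shows the /24 OSPF route beating the /16 subnet-sharing routes for 10.20.5.7, peer priority deciding 10.20.9.1, and 10.30.1.1 landing on either DC peer: the kind of non-deterministic outcome the reference architecture sections below tell you to remove by setting Peer Priority or administrative distance.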

Management Routes
If you’re using the mgmt0 interface of an EdgeConnect SD-WAN appliance, it uses a management routes table for
self-originated traffic. If you add any static routes that are not default routes to the management routes table, the
appliance also adds the route to the data-path routes table. If an appliance uses a data-path interface or a loopback
interface for management purposes, it uses the data-path routes table instead of the management routes table.
Self-originated traffic includes these types of traffic:
• Cloud Portal: HTTPS and WebSocket traffic from the appliance to the Cloud Portal.
• Orchestrator: HTTPS and WebSocket traffic from the appliance to the Orchestrator.
• Management services: DHCP Relay, NetFlow/IPFIX, NTP, SNMP, and Syslog traffic.
Ping & Traceroute: Source IP Address or Interface


EdgeConnect has a few built-in tools to aid you in troubleshooting. Ping and traceroute are available under the
Maintenance menu on the appliances as shown in this diagram. By default, the appliance sources ping and traceroute
from the mgmt0 interface. Be sure to run a ping with the -I option (uppercase i) to test connectivity between the data
path IP addresses. The -I option can be either the source address of an interface or the source interface name. If you
choose the source address, the appliance performs a route table lookup, and the ping exits from the interface associated
with the chosen route’s next-hop IP address. If you choose the interface name, the ping exits that interface and uses the
source IP address of the interface you specified.
Traceroute uses different options than ping does. Enter the -i option (lowercase i) to specify an interface. Enter the -s
option to specify a source IP address.
EdgeConnect SD-WAN Reference Architectures


Aruba recommends four fundamental reference architectures:
• Branch Office
• Cloud Hub
• Traditional HA
• EdgeConnect HA

Branch Office
The Branch Office reference architecture uses one EdgeConnect SD-WAN appliance deployed in In-line Router Mode.
You deploy the appliance in the data path, so all packets go through the appliance. The image only shows Internet and
MPLS, but you could use any combination of WAN transports. The appliance can learn routes from any local network
inside the branch via BGP or OSPF. You can also configure the appliance as a DHCP server. This configuration allows you
to replace a router or layer-3 device at a branch site. This architecture eliminates most causes of asymmetric flows,
where traffic goes through an overlay in one direction but doesn’t return through the same tunnel. Finally, the
appliance’s WAN interfaces can use the Stateful Firewall FW mode, perform source NAT, and use all its interfaces with
Zone-based Firewall.

Cloud Hub
The Cloud Hub reference architecture can speed up your connections to the internet and other resources. If your local
internet connection has an issue like packet loss, you can backhaul your traffic from that site to a Cloud Hub. The Cloud
Hub then forwards that traffic to another site or performs local internet breakout. This provides you with much better
performance through your cloud provider’s infrastructure.
Setting up the cloud provider resources needed to deploy an EdgeConnect SD-WAN appliance can be time-consuming.
However, the Cloud Hub feature offers a utility to streamline this process, which then requires just a few minutes to
complete. Currently, this feature supports three cloud providers: AWS, Microsoft Azure, and Google Cloud Platform.
You can configure a cloud hub from Configuration > Cloud Services > IaaS in Orchestrator. Each cloud provider has
certain prerequisites and limitations. After you deploy a cloud hub, it has the same discovery and approval processes as
any other appliance. You can find deployment documentation for these providers at this website:
https://www.arubanetworks.com/techdocs/sdwan/docs/orch/configuration/cloud/cloud-hubs/
Traditional High Availability (HA)


With a Traditional High Availability reference architecture, each EdgeConnect SD-WAN appliance has connections to
each of the WAN transports. This is a primary-backup, or active-passive, model. The second appliance waits to take over
in case the primary appliance fails. You can configure IP SLAs on the appliances so that if they lose access to any one of
their WAN transports, they drop in priority. For example, if Appliance A loses access to MPLS, Appliance B takes over,
provided it still has access to MPLS and the other WAN transports.
We recommend that you use BGP, OSPF, or VRRP on the LAN side to make incoming LAN traffic deterministically
choose one path in an active-passive configuration. This avoids asymmetry if the appliances use Boost. It also avoids
overloading upstream routers.
You typically configure each appliance to use all available bandwidth. If the appliances had an active-active configuration,
each appliance wouldn’t be aware of the amount of bandwidth the other appliance used. The combined throughput of
the two appliances could oversubscribe the upstream WAN transports, leading to congestion, lost packets, and network
disruption. An active-passive configuration avoids such issues.
This architecture is an alternative to our EdgeConnect HA reference architecture, and you typically use it with data
centers or large sites. While Traditional HA offers excellent redundancy, it can be much more expensive because it
requires WAN-side switches or routers, and each appliance needs its own IP address to connect to each WAN transport.

Use Site Names with Traditional HA


You should configure the same Site Name for each Traditional HA peer to prevent them from establishing IPsec UDP
tunnels between their WAN interfaces. You can configure an appliance’s Site Name from the System Settings section of
the System Information page.

EdgeConnect High Availability (EdgeHA)


The EdgeConnect HA reference architecture provides high availability and flexibility while it lowers expenses. You
connect two EdgeConnect appliances with an HA link. Each appliance operates as an independent unit, providing WAN
transport access to its HA peer when necessary. You configure VRRP, BGP, or OSPF on the LAN side so the two
appliances can function as an active-passive pair. If one appliance fails on the WAN side, it still has full access to the
other HA peer’s WAN-side interfaces via the HA link. The goal of EdgeConnect HA isn’t maximum redundancy; it’s
redundancy with cost reduction. Its benefit is that each appliance doesn’t require an interface and a separate IP address
to connect to each WAN transport. You typically use this reference architecture with larger branch offices or regional
offices that benefit from redundancy, but don’t support the higher costs of Traditional HA.

Make Path Selection Predictable & Deterministic


When you work with an EdgeConnect SD-WAN reference architecture, we recommend that you make traffic path
selection predictable and deterministic. You can use these features to achieve this goal:
• Administrative distance and/or Peer Priority (route selection)
• Virtual Router Redundancy Protocol (VRRP, defined by IETF RFC 3768), OSPF, or BGP (to determine the active
path in an active-passive appliance pair) in the event of a gateway failure.
• Route maps
• Policy-based routing
Virtual Router Redundancy Protocol (VRRP)


You use Virtual Router Redundancy Protocol (VRRP) with EdgeConnect HA or Traditional HA. VRRP is a simple way to
direct traffic to the active EdgeConnect SD-WAN appliance in an Active-Passive configuration. Since Traditional HA is
usually found in large branches or data centers that usually have LAN-side routers, a routing protocol like BGP or OSPF
might be used to direct traffic instead of VRRP.

VRRP Use Cases


EdgeConnect SD-WAN appliances support Virtual Router Redundancy Protocol (VRRP) as defined by RFC 3768. VRRP
provides redundant default-gateway functionality. It’s a first-hop redundancy protocol that operates within one subnet, not a routing protocol. VRRP is especially
useful if there are no other LAN-side routers, and you want fast failover. With EdgeConnect SD-WAN appliances, you
typically use VRRP with the appliances in an EdgeConnect HA or Traditional HA configuration.

How Does VRRP Work?

RFC 3768 defines VRRP as a first-hop redundant gateway protocol that operates within a single subnet. Let’s review what
VRRP does.
1. End devices, like those on the left have a default gateway to which they forward IP packets with destinations outside
the local subnet. In our example, the end devices are in the 10.10.10.0 subnet and have a default gateway of
10.10.10.254.
2. Even though there is a redundant router in our diagram, without VRRP you would need to reconfigure the end
devices with a different default gateway, or they would need to learn the new default gateway via a different
mechanism. This causes downtime while the network reconverges.
3. VRRP allows end devices to have a single default gateway IP address that never goes down because it’s virtual. In
the diagram, the two routers share a virtual IP address (VIP) and virtual MAC address that the hosts use as their
default gateway.
4. Only one of the routers processes traffic addressed to the VIP at a time. This device is the VRRP master. Router A
sends VRRP messages so that router B knows that it’s the VRRP master.
5. If the VRRP master goes down, the backup fails to receive advertisements, a timer expires, and the VRRP backup
becomes the master.
6. The new VRRP master broadcasts a gratuitous ARP to the downstream switch to update its forwarding table, and to
the hosts on the same VLAN to update each one’s ARP cache. The switch then forwards traffic addressed to the
virtual IP address from its correct port to the new VRRP master.

VRRP with EdgeConnect Appliances


If you have a VRRP group of EdgeConnect SD-WAN appliances, and the active appliance goes down, the other appliance
assumes the master role. In this case, we recommend that you disable preemption on both appliances. This prevents the
other appliance from taking the master role again if it comes back online. Since a VRRP failover requires traffic flows to
be re-established through the new VRRP master, you don’t want an appliance that is going up and down to cause
ongoing interruptions. We also recommend that you use two of the same EdgeConnect appliances because they have
equivalent resources and capacities.
VRRP Interoperability with EdgeConnect


You always want an EdgeConnect SD-WAN appliance to be the master for a VRRP group that includes a third-party
device. You configure the EdgeConnect appliance with a higher priority than the third-party device to make it the VRRP
master. If the EdgeConnect ever goes down, the third-party device becomes the VRRP master. You typically enable the
preemption setting on the EdgeConnect so that if it later comes back online, it reassumes the VRRP master role. This
ensures that the EdgeConnect can apply SD-WAN and Boost optimizations to the traffic.
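The two preemption policies above (disabled between EdgeConnect HA peers, enabled when an EdgeConnect shares a group with a third-party router), as an added Python simulation that is not code from the student guide or from ECOS. It applies the RFC 3768 master-down interval (three advertisement intervals plus a priority-derived skew) in whole-interval steps; the router names, priorities and timings are constructed.

```python
"""VRRP master election, failover and preemption as a small simulation.

Added example; not code from the student guide or from Aruba/HPE. The
highest priority wins the master role, a backup takes over once it stops
hearing advertisements (RFC 3768 master-down interval: 3 x advertisement
interval + skew, where skew = (256 - priority) / 256), and the preempt
setting decides whether a returning higher-priority router reclaims the
role. Time advances in whole advertisement intervals; names, priorities
and timings are constructed.
"""
from dataclasses import dataclass

ADVERT_INTERVAL = 1.0   # seconds; RFC 3768 default


@dataclass
class VrrpRouter:
    name: str
    priority: int            # 1..254
    preempt: bool
    state: str = "backup"    # "init", "backup" or "master"
    last_heard: float = 0.0  # time the last master advertisement was seen
    up: bool = True

    @property
    def master_down_interval(self) -> float:
        # Higher priority means shorter skew, so it wins a simultaneous timeout.
        return 3 * ADVERT_INTERVAL + (256 - self.priority) / 256.0


class VrrpGroup:
    def __init__(self, routers):
        self.routers = {r.name: r for r in routers}
        self.now = 0.0
        max(self.routers.values(), key=lambda r: r.priority).state = "master"

    def master(self):
        return next((r for r in self.routers.values() if r.state == "master"), None)

    def fail(self, name):
        """Router stops sending and receiving (crash, power loss)."""
        self.routers[name].up = False
        self.routers[name].state = "init"

    def recover(self, name):
        """Router comes back and starts as backup (priority < 255)."""
        r = self.routers[name]
        r.up, r.state, r.last_heard = True, "backup", self.now

    def tick(self, seconds):
        """Advance the clock and run the state machine; returns the master's name."""
        for _ in range(int(round(seconds / ADVERT_INTERVAL))):
            self.now += ADVERT_INTERVAL
            m = self.master()
            if m is not None:
                for r in self.routers.values():       # everyone alive hears the advert
                    if r.up:
                        r.last_heard = self.now
                for r in self.routers.values():       # preemption check
                    if (r.up and r.state == "backup" and r.preempt
                            and r.priority > m.priority):
                        m.state, r.state = "backup", "master"
                        m = r
                continue
            # No master heard: backups whose master-down timer expired contend;
            # the highest priority (shortest skew) wins.
            expired = [r for r in self.routers.values()
                       if r.up and r.state == "backup"
                       and self.now - r.last_heard >= r.master_down_interval]
            if expired:
                max(expired, key=lambda r: r.priority).state = "master"
        m = self.master()
        return m.name if m else None


def edgeha_pair_no_preempt():
    """Two EdgeConnect HA peers with preemption disabled on both, as the
    guide recommends: after ec-a fails and returns, ec-b stays master."""
    g = VrrpGroup([VrrpRouter("ec-a", 150, preempt=False),
                   VrrpRouter("ec-b", 100, preempt=False)])
    g.fail("ec-a")
    after_failover = g.tick(5)
    g.recover("ec-a")
    after_return = g.tick(5)
    return after_failover, after_return


def edgeconnect_with_third_party():
    """EdgeConnect with the higher priority and preempt on, third-party
    router as backup: the EdgeConnect reclaims the role when it returns."""
    g = VrrpGroup([VrrpRouter("ec", 200, preempt=True),
                   VrrpRouter("rtr", 100, preempt=False)])
    g.fail("ec")
    after_failover = g.tick(5)
    g.recover("ec")
    after_return = g.tick(2)
    return after_failover, after_return


if __name__ == "__main__":
    print("EdgeHA pair:", edgeha_pair_no_preempt())
    print("EC + third party:", edgeconnect_with_third_party())
```

The first scenario is why the guide says to disable preemption on both HA peers: a flapping appliance would otherwise reclaim the master role on every return and reset the optimized flows each time. The second is the interoperability case, where you do want the EdgeConnect back in front of the traffic as soon as it is healthy.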

Configuring VRRP from Orchestrator

To configure VRRP on an EdgeConnect, open the VRRP tab of Orchestrator, and then click on the edit icon for an
appliance.
1. Click Add VRRP.
2. Enter a Group ID.
3. Select an interface.
4. Enter a Virtual IP.
5. Enter a Priority value (optional).
6. Enable Preemption (optional).
EdgeConnect High Availability


App Availability for the Cloud-Connected Enterprise
With EdgeConnect HA, all the available connections work together. Overlays can make use of connections on either
appliance and packet-based load distribution and balancing can occur over all the links. EdgeConnect HA is optimized to
use an active-passive LAN-side configuration while both EdgeConnect HA peers’ WAN interfaces are active. The active
appliance handles LAN-side traffic via VRRP, or by advertising a better metric with BGP or OSPF. Sharing WAN
interfaces via the HA link reduces cost and complexity and eliminates the need for additional IP addresses and
equipment. Each Business Intent Overlay’s link bonding policy combines each underlay into a logical overlay tunnel. Each
appliance has access to the other appliance’s WAN transports via the HA link.

Configuring EdgeHA
You must configure Edge HA, or EdgeConnect HA, from an appliance’s Deployment page in Orchestrator. It’s not
possible to configure EdgeConnect HA from an appliance. Each appliance must use Inline Router Mode. First, you must
check the box on the Deployment page to enable EdgeConnect HA. Then you must choose an HA peer from the
drop-down list of available devices.
Configuring EdgeConnect HA
The Deployment page lists the two appliances with the HA link between them. You need to choose the interfaces that
interconnect the HA peers. This must be a data path interface because an appliance can’t use its management interfaces
for the HA link. You can optionally configure the IP address range you want the Orchestrator to use when it configures
the link. If you don’t configure this range, the Orchestrator uses the 169.254.1.0/24 subnet by default. With EC-V virtual
appliances, the Orchestrator uses multiple dynamic VLANs to connect the appliances over the HA link. You must
configure the hypervisor’s port group to allow all VLAN tags.

Appliance after EdgeHA Configuration


If you look at the configuration of EdgeConnect HA on the Deployment page via the Appliance Manager of one of the
HA peers, you see that you’re unable to configure EdgeConnect HA. You must configure it from the Orchestrator.
LAN-side Failover: Flow Handling


EdgeConnect HA peers don’t share their flow tables or their Network Memory caches. Let’s consider what happens with a LAN-side failover where the VRRP master changes.
• Local internet breakout flows: If WAN-side upstream NAT doesn’t change, then those flows are not affected.
• SD-WAN fabric overlay flows: The HA peer that received the flow on the LAN interface handles TCP Acceleration and Network Memory. If a VRRP transition happens, the flows move to the new VRRP master. Any flows optimized with TCP Acceleration are reset because sequence numbers and the Network Memory cache information must be rebuilt.

WAN-side Failover: Flow Handling


If a WAN-side failover occurs, the following things happen:
• Local internet breakout flows: The flow will reach the internet from a different connection to an internet service provider, so flows will likely be reset because the translated IP address upstream will change.
• SD-WAN fabric overlay flows: If the LAN-side ingress interface hasn’t changed, the flows to other sites should continue uninterrupted, assuming their destinations are reachable, because the sequence numbers and Network Memory cache information aren’t lost. The flows just use a different underlay tunnel.

EdgeHA NAT Points


The transmitting appliance performs source NAT for any passthrough or internet breakout traffic across the HA interface. For local internet breakout, if you have Stateful+SNAT configured on the appliance’s WAN interface, the appliance performs source NAT a second time for egress traffic. Even if the appliance isn’t configured for SNAT, an upstream router or firewall performs source NAT, so source NAT is performed twice on local internet breakout traffic that crosses the HA link.

EdgeHA Software Upgrade Management


Orchestrator is aware of pairs of EdgeConnect HA appliances. When you initiate a software upgrade on the pair of
appliances, Orchestrator installs the new ECOS image software to the inactive partition of the appliances. The
Orchestrator reboots one appliance and waits for it to become functional again. The Orchestrator then reboots the
second appliance. This reduces the upgrade’s impact and maintains network connectivity during the upgrade.

EdgeHA: What Not To Do


EdgeConnect HA does not have the same physical configuration as Traditional HA. You don’t need to duplicate WAN-side connections because the HA link allows each appliance to access the WAN transports that connect to its HA peer.

Automated Provisioning & Configuration


Zero Touch Provisioning (ZTP)
Zero-Touch Provisioning is the process by which you can automatically deploy a physical EdgeConnect SD-WAN appliance and have the Orchestrator manage it. This is how the Zero-Touch Provisioning process works:
1. You connect the power cable and network cables to the new physical EdgeConnect SD-WAN appliance.
2. The appliance uses its DHCP-assigned IP address and DNS server to send its serial number to the Cloud Portal.
3. The Cloud Portal finds the serial number in its licensing database.
4. The Cloud Portal notifies the Orchestrator for your account about the new appliance.
5. At this point, Zero-Touch Configuration can finish automating the process. You learn about this process during this module.
6. After the Zero-Touch Configuration process, the Zero-Touch Provisioning process finishes, and Orchestrator manages the new appliance.
NOTE
You can also use Zero-Touch Provisioning with EC-V virtual appliances. This requires a script that uses the REST API. If you want more information about this process for EC-V appliances, contact your Aruba account team, as this topic is outside the scope of this course.

Zero Touch Configuration (ZTC)


When the Orchestrator lists a new appliance in its Discovered Appliances tab, you can choose to automate its
configuration with Zero-Touch Configuration. When you manually approve an appliance from Orchestrator, you can use
Zero-Touch Configuration, also known as Appliance Preconfiguration, to automatically push the configuration to the
appliance. The Orchestrator matches the configuration to the appliance based on the serial number of a physical
appliance or the appliance tag of an EC-V virtual appliance. In addition to the specific configuration the Orchestrator
pushes to the appliance, it also pushes Deployment settings, template groups, and Business Intent Overlays.

Appliance Preconfiguration
The Appliance Preconfiguration feature allows you to specify configuration parameters in Orchestrator for a specific EdgeConnect SD-WAN appliance in a preconfiguration file. You can’t use this feature directly on the appliance. You can prepare these configuration settings in Orchestrator. You can also copy the default preconfiguration content into your favorite text editor, and then save it to a text file. This allows you to copy it into the Appliance Preconfiguration field in the Orchestrator later. If you have a preconfiguration file, you can clone it, modify its content, and then save it with a new name and appliance-specific discovery criteria. The files use YAML for markup.

Built-in Help
When you click New to create a preconfiguration file, all the help content is built into the file and is shown as green text following the # comment symbols. There’s a help section before each section of the preconfiguration file. This content describes each setting, its valid values, whether it’s required or optional, and its default value.

Appliance Preconfiguration
You specify a file name for each preconfiguration file. It’s a good idea to add a comment to remind others or yourself about information related to the file. If you select the Auto Approve when Discovered checkbox, Orchestrator will automate this process for a newly discovered appliance. Otherwise, you must manually click the Approve button on the Discovered Appliances tab in Orchestrator. The type of appliance determines the Discovery Criteria the Orchestrator uses as a unique identifier that links an appliance to its preconfiguration file:
• Physical appliance: Serial number
• EC-V virtual appliance: Appliance Tag

Editing an Appliance Preconfiguration File


When you edit a preconfiguration file, syntax, formatting, and indentation are important. You’re able to edit the pre-existing values or add values where settings are blank. Use spaces for indentation because YAML doesn’t support tabs. You can also delete unused settings or sections if they’re not required, such as BGP or OSPF. Any statement with green text in the file that’s preceded by a pound sign is a comment that the Orchestrator ignores. The Orchestrator color-codes the type of text in the file:
• Green text: Comments that provide built-in help
• Blue text: Configuration settings
• Black text: Values for the configuration settings

When you are finished editing the file, click Validate to determine whether it contains any errors. If Orchestrator finds an error, the validation fails, and the Orchestrator displays a message with a red background and the line number where you can find the error. If Orchestrator determines the file doesn’t contain any errors, it displays a success message on a green background that the preconfiguration is valid.

Preconfiguration Serial Number or Appliance Tag Matches


As we mentioned before, when a new appliance connects to the Orchestrator, the Orchestrator attempts to match the appliance to a preconfiguration file based on the serial number for physical appliances or the appliance tag for virtual appliances. When you click Approve, the Apply Appliance Preconfiguration dialog appears, shows you which preconfiguration file was a match, and lists the match criteria. At this point, all you need to do is click Apply Preconfiguration to complete the setup of the appliance. You can click Run Manual Configuration Wizard to opt out, or you can click Cancel to correct an issue.

Status: Applying Preconfiguration


As each step of the process finishes, Orchestrator shows a success or failure message. The Appliance Preconfiguration Apply Status page shows the progress of the appliance preconfiguration automation. When every step is done, close the dialog box, and then open the Tunnels tab or Topology tab to watch the progress of tunnels being established.

YAML Works with Templates & BIOs


Preconfiguration files don’t contain every configuration setting. You specify the names of template groups and Business Intent Overlays in the preconfiguration files. When you apply a preconfiguration file, the Orchestrator pushes the template groups and Business Intent Overlays to the appliance along with the settings from the file. We recommend that you configure your template groups and Business Intent Overlays as part of the features you configure in the Orchestrator.

Note on YAML for HA


If you plan to configure an EdgeConnect SD-WAN appliance for EdgeConnect HA with appliance preconfiguration, be
sure to configure these two options in the YAML file:
• ipsecUdpPort: Set this value to 12000 on one EdgeConnect HA peer and to 12100 on the other peer to avoid
conflicts when Orchestrator communicates with the appliances to establish their IPsec UDP underlays.
• haInterfaceOrder: Each EdgeConnect HA peer must list the same WAN interfaces in the same order to avoid
addressing conflicts with the peers.

Business Intent Overlays


EdgeConnect Policies Are Managed
When you create and configure BIOs on Orchestrator, and then apply them to EdgeConnect SD-WAN appliances,
Orchestrator creates related route policies, optimization policies, and QoS policies on those appliances. Each appliance
uses these policies to establish connections between your sites. Route Policies on an appliance control where traffic goes,
and how it gets there. This is what a route map on an appliance containing two Business Intent Overlay-created route
policies and the default route policy looks like. Each route policy has match criteria like source and destination addresses,
port numbers, DSCP markings, etc. It can also use interface labels, as in these examples, as match criteria. If your Business
Intent Overlay used ACLs, there would be an ACL name in the column near the left side. Notice that the destination for
incoming traffic matched by the Business Intent Overlay-created route policies is the associated overlay network. The
comment field on the far right also tells you which Business Intent Overlay created the route policy. It’s important to
understand that if a packet doesn’t match any overlays, then it matches the default route policy with the priority of
65535, and the appliance forwards the traffic via wan0.

Underlays, Overlays, & Business Intent Overlays

The next concepts are Underlay Tunnels, Overlay Tunnels and Business Intent Overlays (BIOs). This is a high-level
discussion to help visualize the concepts and differences between these key features in an Aruba SD-WAN. Let's use a
familiar concept to introduce these concepts. We'll discuss technical details on the following slides.
A GPS Analogy - Here we see a representation of an SD-WAN. Many networking devices are connected via various
WAN transports like broadband internet, MPLS, and LTE. From an EdgeConnect SD-WAN point of view, the concept of
an underlay refers to an IPsec UDP tunnel over the WAN transports to which the EdgeConnect SD-WAN appliances
connect. Using a GPS maps app as an analogy, an underlay is like the available roads on which you can drive.
Since many paths or routes exist over the internet, an overlay is a logical concept that is essentially the forwarding path
EdgeConnect SD-WAN appliances use. It's like the highlighted path your GPS app selects for you to drive to reach your
destination.
A GPS app lets you choose how it calculates the path. For example, you might choose settings to avoid toll roads, use the fastest route versus the shortest route, or avoid highways. If you’re driving to work, you might want to take the shortest path to save fuel and avoid toll roads. If you’re driving your kids to school, you might want to take toll roads since they’re faster and free with three or more people in your vehicle. If you took turns driving with another person every other day, you would have to reconfigure the GPS app’s settings each time you drove.

If a GPS app could configure different profile settings depending on why or where you’re driving, that would be like a Business Intent Overlay, or BIO. In our analogy, a Business Intent Overlay is like a GPS profile. It determines the characteristics of how my “highlighted path” is decided upon based on the “intent” of my drive.
Note that the overlay might not always be the same for the same types of traffic, just like a GPS app might sometimes have you drive different streets to your destination because of an accident or road closure. So, BIOs are used to determine overlay usage in real time.
To reiterate, this GPS analogy is just a way to visualize these concepts. The overlay, which is the best path to follow, is determined in real time by the Business Intent Overlay based on current underlay conditions when an EdgeConnect appliance forwards matching traffic. It’s not a separate VPN. Just like we don’t build new streets each time we drive somewhere, our “highlighted path” is a logical path that utilizes existing streets.
• Business Intent Overlay → Determines Overlay Tunnel → GPS Profile
• Overlay → Selected Underlay tunnels → Streets to Drive
• Underlay →
   • Broadband Internet
   • MPLS
   • LTE

Business Driven SD-WAN Profiles

Now let’s bring it all together and look at an entire Aruba SD-WAN. At the bottom-right of this diagram is the underlay
network, consisting of the WAN transports like MPLS, internet, and LTE. Above it are three overlay networks, each with
logical tunnels that EdgeConnect SD-WAN appliances establish between sites over the underlay tunnels. EdgeConnect
optimizes each overlay tunnel to support the types of traffic it transports.
The RealTime Business Intent Overlay is for real-time traffic like VoIP and video. The goal for this type of traffic is
maximum reliability. So, we want to utilize a pair of connections, perhaps one MPLS link and one broadband internet link,
from two different service providers, and an LTE backup link. Also, we specify a full-mesh topology to establish direct
point-to-point connections with minimal latency for the fastest connections between EdgeConnect SD-WAN peers.
Finally, we want to locally break out any internet traffic.
The CriticalApps Business Intent Overlay is for enterprise applications data like SaaS offerings or local peer-to-peer file
sharing. The goal is to provide the best-quality connection by using MPLS and less expensive broadband internet
connections to transport data over a dual-hub and spoke topology. Likewise, since enterprise apps comprise most
network traffic, you can apply Aruba Boost WAN optimization. We want each site to connect to a pair of data center sites
as hubs, and each appliance breaks out internet traffic to the Zscaler cloud security service.
The DefaultOverlay Business Intent Overlay matches all other traffic, including guest Wi-Fi. Since guest Wi-Fi is just a
service to provide web connectivity, we use only inexpensive broadband internet connections, with all traffic backhauled
to one hub site that breaks it out to the Check Point CloudGuard cloud-security service.
These are just a few examples of the Business Intent Overlays you can configure using the same underlay tunnels over
the available WAN transports.

Underlay & Overlay Tunnels


EdgeConnect SD-WAN appliances primarily use two kinds of tunnels:
Underlay tunnel: These are IPsec UDP tunnels the appliances establish with their EdgeConnect peers. Each appliance builds an underlay tunnel from a WAN interface with a WAN interface label to its peers that have a WAN interface with the same WAN interface label.
Overlay tunnel: Each Business Intent Overlay uses a link bonding policy to determine how each EdgeConnect combines its underlay tunnels into a logical tunnel. This setting differs based on the type of traffic that matches it.

Defining Internal vs Breakout Traffic


It’s important to define which IP subnets and addresses are internal to your network. Traffic to these subnets travels across your SD-WAN through its matching overlay tunnel. The Internet Traffic Definition configuration setting opens the Internal Subnets page, which is a global list. You can also access this feature directly by clicking the edit icons next to SD-WAN Traffic to Internal Subnets or Breakout Traffic to Internet & Cloud Services. Since this list can be long, it’s possible to bulk upload a list of the subnets and addresses. If an address doesn’t appear in this list, then it’s one that an appliance can break out locally, backhaul to a hub appliance for internet breakout, or forward to a cloud-security service.
Be careful with the Consider Non-default routes as internal subnets option. A default route of 0.0.0.0/0 matches all traffic. You can configure hubs and data center appliances to advertise a default route, so appliances have a path to the internet or a data center. Checking this box causes EdgeConnect appliances to consider any non-default routes they learn as internal. This can affect local internet breakout because the appliance will backhaul traffic instead of performing local internet breakout.

Overlay Tunnel Orchestration

Overlay Manager Process


The Overlay Manager process is responsible for building and maintaining tunnels between the appliances and pushing configuration settings to them. The Overlay Manager runs in the background on the Orchestrator every 5 minutes or whenever it detects a change in the network or configuration. The Overlay Manager works constantly to correct any unexpected conditions. However, if an EdgeConnect becomes unreachable or falls out of synchronization, the Overlay Manager can’t make any changes to that appliance.

IPsec Tunnels Automatically Built


The Orchestrator pushes configuration settings to the EdgeConnect SD-WAN appliances it manages. Each appliance establishes IPsec UDP underlay tunnels with its peers that have the same WAN interface labels. If you’re using EdgeConnect HA with two appliances, be sure to configure them with the same site name to prevent automatic tunnel building between them. After tunnels are up, you can open the Topology tab, and then hover your mouse pointer on any line and double-click it to open a Tunnels page. This page shows overlay tunnels and their underlay tunnels.

Tunnels Tab
The Orchestrator Tunnels tab lists information, including status information, for all the overlay and underlay tunnels you
select in the Orchestrator appliance tree. Overlay tunnel names contain the name of the Business Intent Overlay.
Underlay tunnels contain the names of the local and remote WAN interface labels. Finally, the tab lists passthrough
tunnels. These aren’t IPsec UDP tunnels. They’re a mechanism for routing passthrough traffic out of a particular
interface. The appliance uses them to send local internet breakout traffic from an interface to a destination like a SaaS
provider. Passthrough tunnel names also include the label of the WAN interface from which they forward traffic.
When you look at tunnels on the topology map of the Orchestrator, you can choose to view all overlays, a specific overlay, or underlays with the drop-down menu, and you see these color-coded lines:
• Red: The tunnel is down.
• Blue: This only applies to underlay tunnels that are in the process of coming up.
• Orange: The tunnel is impaired.
• Green: The tunnel is up.

IPsec UDP Tunnels


Don’t forget to permit traffic for the domains, addresses, and ports the EdgeConnect SD-WAN appliances use to establish their tunnels. Misconfigured firewalls can cause connectivity issues. If you want a complete list of all the ports and protocols used by EdgeConnect appliances, refer to the Orchestrator and EdgeConnect TCP/IP Ports document at https://www.arubanetworks.com/techdocs/sdwan/docs/tips/tcp-ip-ports/.

SD-WAN Traffic Handling


General Overlay Flow for SD-WAN Traffic
This flowchart illustrates how an EdgeConnect SD-WAN appliance determines how to handle the traffic that enters it
from the LAN:
1. Does the traffic match a Business Intent Overlay?
a. Yes: Proceed to step 2.
b. No: Determine whether the traffic matches the next Business Intent Overlay. Return to step 1.
2. Does the destination IP address match an internal subnet?
a. Yes: Proceed to step 3.
b. No: Forward the passthrough traffic per the Breakout Traffic to Internet & Cloud Services settings.
3. Does the appliance have a route to the destination IP address in its routes table?
a. Yes: Proceed to step 4.
b. No: Handle the traffic per the Peer Unavailable Option.
4. Does the appliance have an overlay tunnel that can reach the destination IP address?
a. Yes: Transmit the traffic to its destination via the overlay tunnel.
b. No: Handle the traffic per the Peer Unavailable Option.

Instructor Demo: BIO Tour SD-WAN Traffic Configuration


Your instructor may provide a live demo of this feature during class.

BIO Summary Screen


The Business Intent Overlays are summarized in the Orchestrator, with a row for each overlay. You can see the four preconfigured overlays in the list: RealTime, CriticalApps, BulkApps, and DefaultOverlay. You can configure up to seven Business Intent Overlays in Orchestrator. If you enable Regional Routing, you can expand the total number of Business Intent Overlays by creating regional variants.

BIO List Order = Priority


The order of the Business Intent Overlays (BIOs) affects their priority. The appliance tries to match traffic with the first
BIO, then the second BIO, and so forth. Orchestrator automatically lists new BIOs at the bottom of the list. Click the = sign
in the priority column and drag an overlay up or down to change the order. So, if you’re not paying attention to the BIOs’
match criteria, you could end up routing traffic into the wrong overlay because it was at the top of the list. To delete a
BIO, you can click the X symbol below the = symbol. The X symbol is more visible if you hover your cursor over it.
You can also take advantage of this fact to limit the traffic to which the appliance applies Boost. You could use an ACL
to match the traffic you need to Boost to one BIO and put it at the top of the list, and then follow it with a second BIO
that matches the rest of the traffic and doesn’t have Boost enabled. The appliance sends traffic that matched the first
BIO to the overlay with Boost. It sends traffic that matches the second BIO in the list to the overlay without Boost.
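As an added example (not code from the guide or from Aruba), the following Python walks the four steps of the General Overlay Flow for one packet and shows why BIO list order matters, using the Boost-first arrangement described above. The Overlay ACL is simplified to a list of matching source CIDRs, the Peer Unavailable Option values "drop" and "passthrough" are assumed names, and all subnets and peer names are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class BIO:
    """One Business Intent Overlay, held in its list position (list order = priority)."""
    name: str
    source_subnets: list            # stand-in for the Overlay ACL: source CIDRs that match
    overlay_peers: set              # peers this BIO currently has an overlay tunnel to
    peer_unavailable: str = "drop"  # Peer Unavailable Option; 'drop'/'passthrough' are assumed values
    boost: bool = False


def first_matching_bio(bios, src_ip):
    """Step 1: walk the BIO list top to bottom; the first BIO whose criteria fit wins."""
    src = ipaddress.ip_address(src_ip)
    for bio in bios:
        if any(src in ipaddress.ip_network(n) for n in bio.source_subnets):
            return bio
    return None


def classify_flow(bios, internal_subnets, routes, src_ip, dst_ip):
    """Return (overlay name, disposition) following flowchart steps 1 to 4.

    routes maps a destination CIDR to the remote EdgeConnect peer advertising it.
    """
    dst = ipaddress.ip_address(dst_ip)
    bio = first_matching_bio(bios, src_ip)
    if bio is None:
        # No overlay matched: the default route policy (priority 65535) forwards via wan0
        return "default", "route-policy-65535:wan0"
    # Step 2: is the destination an internal subnet?
    if not any(dst in ipaddress.ip_network(n) for n in internal_subnets):
        return bio.name, "breakout"   # Breakout Traffic to Internet & Cloud Services settings apply
    # Step 3: route table lookup (longest prefix wins)
    candidates = [(ipaddress.ip_network(n), peer) for n, peer in routes.items()
                  if dst in ipaddress.ip_network(n)]
    if not candidates:
        return bio.name, f"peer-unavailable:{bio.peer_unavailable}"
    peer = max(candidates, key=lambda c: c[0].prefixlen)[1]
    # Step 4: does this overlay have a tunnel that reaches that peer?
    if peer not in bio.overlay_peers:
        return bio.name, f"peer-unavailable:{bio.peer_unavailable}"
    return bio.name, f"overlay-tunnel:{peer}"


# Constructed sample data: a narrow Boost overlay meant to sit above a catch-all.
BOOST_FILES = BIO("Boost-FileServers", ["10.1.50.0/24"], {"DC1"}, boost=True)
CRITICAL = BIO("CriticalApps", ["10.1.0.0/16"], {"DC1", "DC2"})
INTERNAL_SUBNETS = ["10.0.0.0/8"]
ROUTES = {"10.2.0.0/16": "DC1", "10.3.0.0/16": "DC2", "10.2.9.0/24": "DC2"}


def demo():
    """Same packet, two list orders: only the Boost-first order sends it to the Boost overlay."""
    good = classify_flow([BOOST_FILES, CRITICAL], INTERNAL_SUBNETS, ROUTES, "10.1.50.5", "10.2.0.9")
    wrong = classify_flow([CRITICAL, BOOST_FILES], INTERNAL_SUBNETS, ROUTES, "10.1.50.5", "10.2.0.9")
    return good, wrong


if __name__ == "__main__":
    print(demo())
```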

BIO Configuration “Tabs”


When you click a Business Intent Overlay on the summary screen, Orchestrator displays the configuration screen for it. It
has two tabs, SD-WAN Traffic to Internal Subnets and Breakout Traffic to Internet & Cloud Services.

SD-WAN Traffic to Internal Subnets


At the top of the SD-WAN Traffic to Internal Subnets tab is the traffic match setting. It provides three options for matching traffic to a Business Intent Overlay (BIO). The Overlay ACL is the recommended option. This window is where you choose a full mesh or hub-and-spoke overlay topology. In the center is where you select the interfaces to use for this BIO’s overlay. You do this by dragging and dropping from the list of available interfaces to its right. At the bottom is where you choose the link bonding policy, which determines operational parameters for the chosen interfaces. You can optionally configure Service Level Objectives for loss, latency, and jitter. If a WAN interface’s traffic exceeds one of these thresholds, the appliance marks the interface for removal from service but keeps using it. If all primary links exceed their Service Level Objectives, then the appliance fails over to its secondary or backup interfaces. Finally, you can set QoS, Boost, and the Peer Unavailable Option.

Traffic Access Policy (Match Traffic)


The traffic match setting determines which traffic matches the Business Intent Overlay (BIO). It has three separate options:
• Overlay ACL: An access list the appliance uses to match traffic to a BIO. You edit an Overlay ACL from the Business Intent Overlays page.
• Appliance ACL: An access list that the appliance uses for purposes that include matching traffic to a BIO. You configure these in the Access Lists template of a template group in Orchestrator.
• LAN interface label: All traffic that enters this LAN interface matches the BIO.

Three Different Wildcards Supported in ACLs


Traffic match criteria support three different wildcard values:
• | (pipe symbol): It acts as a Boolean OR between elements in a list. For example, 10.110.30.0/24 | 10.110.33.0/24.
• * (asterisk symbol): It represents any value. For example, 10.110.*.* or 192.1*6.*.254.
• - (dash symbol): It specifies a range between values. For example, 192.168.1.1-33 or 10.110.22-33.0/24.
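As an added illustration that is not part of the guide, here is a small Python matcher for the three wildcard forms above, applied to IPv4 address criteria with or without a prefix length. Treating an asterisk inside an octet (as in 1*6) as "any run of digits" is my assumption about how the appliance interprets it; the sample criteria are the guide's, the test addresses are constructed.

```python
import ipaddress
import re


def _octet_matches(pattern: str, value: int) -> bool:
    """Match one octet of an address against one octet of a pattern."""
    if pattern == "*":
        return True                                    # any value
    if "-" in pattern:                                 # range, e.g. 22-33 or 1-33
        lo, hi = pattern.split("-", 1)
        return int(lo) <= value <= int(hi)
    if "*" in pattern:
        # Asterisk inside an octet, e.g. 1*6: assumed to stand for any run of
        # digits, so it matches 116, 126, ..., 196 but not 200.
        return re.fullmatch(pattern.replace("*", r"\d*"), str(value)) is not None
    return int(pattern) == value


def _element_matches(element: str, addr: ipaddress.IPv4Address) -> bool:
    """Match an address against a single element such as 10.110.22-33.0/24."""
    element = element.strip()
    if "/" in element:
        octet_part, prefix = element.rsplit("/", 1)
        # With a prefix length only the network portion has to match, so the
        # pattern is compared against the address's network address.
        candidate = ipaddress.ip_network(f"{addr}/{int(prefix)}", strict=False).network_address
    else:
        octet_part, candidate = element, addr
    patterns = octet_part.split(".")
    if len(patterns) != 4:
        raise ValueError(f"malformed address pattern: {element!r}")
    return all(_octet_matches(p, o) for p, o in zip(patterns, candidate.packed))


def acl_matches(criteria: str, ip: str) -> bool:
    """Return True if ip matches any '|'-separated (Boolean OR) element of criteria."""
    addr = ipaddress.IPv4Address(ip)
    return any(_element_matches(e, addr) for e in criteria.split("|"))


if __name__ == "__main__":
    # Criteria from the guide; candidate addresses are constructed.
    for crit, ip in [("10.110.30.0/24 | 10.110.33.0/24", "10.110.33.17"),
                     ("192.1*6.*.254", "192.126.9.254"),
                     ("10.110.22-33.0/24", "10.110.25.77"),
                     ("192.168.1.1-33", "192.168.1.34")]:
        print(f"{ip:>15} vs {crit:<32} -> {acl_matches(crit, ip)}")
```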

Each BIO Has a Topology Type


One of the first things you need to decide on is the topology of an overlay network. Will it be a mesh network or a hub-and-spoke network? As you can see in the illustrations, mesh devices are all connected to all the other devices in the mesh. Spoke devices only connect to hubs, and not to other appliances in the network. Hub devices for an overlay are selected from the list of devices that Orchestrator manages, and a hub is a hub in all the overlays it is a part of.

SD-WAN Can Scale via Regions


If you enable Regional Routing in Orchestrator, you can apply a regional topology to each overlay. In a regional mesh configuration, the devices in each region are fully meshed. In a regional hub and spoke topology, the devices in each region all connect to the hubs in their region.
You can reduce cost and complexity in large networks by using regions. They allow you to group appliances and establish tunnels only within their regions. Only EdgeConnect appliances with matching region names have tunnels built between them according to the type of topology you have selected. When you enable Regional Routing, the hub sites in different regions that are part of the same overlay connect to hubs in other regions. The interconnection between hub sites in different regions is full mesh for all the hubs in the overlay, even if you select a hub and spoke configuration for the different regions. If you don’t want to build tunnels between certain hub sites, you can give them the same site name.

You can learn more about Regional Routing in the Advanced SD-WAN Deployments (ASD) course.

Underlay WAN Links to Use for an Overlay


In the SD-WAN Traffic to Internal Subnets configuration, you choose primary and backup interface labels for the WAN
connections across which an overlay transports traffic. Remember, each logical overlay network makes use of IPsec UDP
underlay tunnels. You choose the underlays for this overlay when you configure the primary and backup labels.
Depending on the link bonding policy you select, you must choose at least one primary interface. The Orchestrator lists
the primary interfaces based on the list of WAN interface labels you configured.
Drag the labels you want to use as primary from the Available Interfaces column to the Primary section and do the same thing for backup links to be used in case the primary links all fail. You can configure when an appliance should mark a primary network as unusable and fail over to a backup. You do this by selecting Down or Not Meeting Service Levels. Down indicates that an appliance should fail over to the backup interfaces only when the primary interfaces are completely down. Not Meeting Service Levels allows you to set Service Level Objectives for the primary interfaces. If one of the criteria is exceeded, the connection is marked for removal from service but continues to operate. When all primary interfaces exceed the configured Service Level Objective, then the appliance fails over to the backup interfaces for that overlay.

Cross-Connect Groups
Cross-connect groups for primary interfaces allow you to select the WAN interface labels that are included in a group. Orchestrator only attempts to build cross-connect tunnels between WAN interfaces with interface labels in the same group. This is configurable on a per-overlay basis, so they don’t all have to be the same. Cross-connect groups provide additional redundant underlays via two different internet service provider networks. This allows for some redundancy between WAN interfaces with different interface labels. You can configure up to nine cross-connect groups for an overlay.
Normally you would only build underlay tunnels between interfaces with the same WAN interface label. For example, if
you were to lose a connection from INET1 to INET1 between Site A and Site B, you could still reach Site B from Site A
with a cross-connect link between INET1 and INET2. You put those WAN interface labels into a cross-connect group
that allows the appliance to maintain connectivity using a different underlay tunnel and keep the overlay operational.
You should only add interface labels to a cross-connect group that has connections through the internet. Cross-connect
underlays between the private address space of an MPLS network and the public address space of a broadband internet
link are likely to fail.

Secondary Interfaces
In addition to primary and backup links, you have the option to configure overlays to use secondary links for an additional level of failover redundancy. If you use secondary links for a Business Intent Overlay, failover uses the same mechanisms as with primary-to-backup failovers. When you configure primary, secondary, and backup links for a Business Intent Overlay, primary interfaces can fail over to secondary links, which fail over to backup interfaces.

Service Level Objectives


You can configure Service Level Objectives to set failover thresholds for packet loss, latency, and jitter. An EdgeConnect SD-WAN appliance measures packet loss as a percentage, while it measures latency and jitter in milliseconds. Each appliance constantly measures these values and continuously updates them. If any one of these settings exceeds the threshold value, the appliance marks the link for removal from service but continues to use it. This allows the appliance to keep using the impaired interface to the greatest extent possible. When all primary interfaces violate one or more of the thresholds, the appliance fails over to its backup interfaces. The WAN interfaces don’t need to exceed all three thresholds. If any of the values are set to zero, then that parameter is ignored.
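The following Python is an added example, not Aruba code, that models the primary to secondary to backup failover from the Underlay WAN Links and Secondary Interfaces sections together with the Service Level Objective rules above: a link that exceeds any non-zero threshold is marked for removal but keeps carrying traffic, a tier fails over only when every link in it violates the SLO (or is down, in Down mode), and a zero threshold is ignored. The interface labels, measurements and the two mode names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SLO:
    """Service Level Objectives for an overlay. A threshold of 0 means 'ignore this parameter'."""
    loss_pct: float = 0.0
    latency_ms: float = 0.0
    jitter_ms: float = 0.0


@dataclass
class LinkStats:
    """Latest measurements for one WAN interface label (constructed sample data)."""
    label: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    up: bool = True


def violates_slo(link: LinkStats, slo: SLO) -> bool:
    """A link is marked for removal when ANY configured (non-zero) threshold is exceeded."""
    checks = ((slo.loss_pct, link.loss_pct),
              (slo.latency_ms, link.latency_ms),
              (slo.jitter_ms, link.jitter_ms))
    return any(threshold > 0 and measured > threshold for threshold, measured in checks)


def select_tier(primary, secondary, backup, slo, mode="not_meeting_service_levels"):
    """Pick the tier that carries the overlay's traffic: primary, then secondary, then backup.

    mode is 'down' (fail over only when every link in the tier is down) or
    'not_meeting_service_levels' (also fail over when every up link violates the SLO).
    Returns (tier name, labels still carrying traffic, labels marked for removal).
    """
    fallback = None
    for name, tier in (("primary", primary), ("secondary", secondary), ("backup", backup)):
        up_links = [link for link in tier if link.up]
        if not up_links:
            continue                                   # whole tier down: try the next tier
        labels = [link.label for link in up_links]
        marked = [link.label for link in up_links
                  if mode == "not_meeting_service_levels" and violates_slo(link, slo)]
        if len(marked) < len(up_links):
            # Tier stays active; marked links keep carrying traffic until the whole tier fails
            return name, labels, marked
        fallback = (name, labels, marked)              # every link violates: fail over if possible
    # Nothing healthier exists, so the last tier that is up keeps carrying traffic
    return fallback or ("none", [], [])


if __name__ == "__main__":
    # Jitter threshold 0 is ignored; loss and latency are enforced.
    slo = SLO(loss_pct=2.0, latency_ms=150.0, jitter_ms=0.0)
    primary = [LinkStats("INET1", 0.5, 40.0, 500.0), LinkStats("MPLS", 3.5, 30.0, 2.0)]
    secondary = [LinkStats("INET2", 0.0, 50.0, 5.0)]
    backup = [LinkStats("LTE", 0.0, 90.0, 10.0)]
    print(select_tier(primary, secondary, backup, slo))
```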

Dynamic Path Control


This SD-WAN feature provides per-packet forwarding control for traffic through an overlay tunnel between EdgeConnect SD-WAN appliances. Each Business Intent Overlay has a link bonding policy that determines how the appliances use the component underlay tunnels of each overlay tunnel between appliances. A link bonding policy bases this forwarding control on one of these two options:
• Link Quality: This option’s goal is an optimal performance with minimal delay. Each EdgeConnect SD-WAN
appliance probes the underlays to its EdgeConnect peers. It ranks the underlays based on their round-trip time,
packet loss, latency, and jitter. An appliance transmits data packets over the best-performing underlay. It transmits
the FEC packets over the next-best underlay.
• Load Balancing: This option’s goal is the transmission of large amounts of data from your organization’s sites to
other sites. It is often used for backup, replication, and file transfer traffic. The appliance transmits packets from its
WAN interfaces in a round-robin manner.

Path Conditioning
This SD-WAN feature has two components that help to ensure packets reach their destination:
• Forward Error Correction (FEC): The appliance transmits parity packets in addition to data packets. The remote
appliance that receives the packets uses the parity packets to reconstruct any packets that were lost during
transmission. The amount of FEC packets each EdgeConnect transmits depends on the link bonding policy of the
Business Intent Overlay the traffic matches.
• Packet Order Correction (POC): When an appliance transmits packets, those packets can take different paths to
the remote appliance. Those packets are transmitted in order, but they might arrive out of order. The remote
appliance can put the packets back in their correct order. This prevents retransmissions for TCP traffic and ensures
apps can use UDP packets in their correct order.
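
The following Python script is an added illustration of the two Path Conditioning components; it is not code from the course or from Aruba. It models FEC as one XOR parity packet per block of data packets (the guide’s 1:1 FEC is the block size 1 case) and POC as delivery by sequence number regardless of arrival order. The fixed 8-byte payloads, the 4:1 block size, and the impairment pattern (three lost packets, survivors arriving in reverse) are constructed for the example. It also reports the pre-FEC and post-FEC loss counts that the Loss tab discussed later in this guide charts.

```python
"""Added example: XOR parity FEC and packet order correction (not Aruba's implementation)."""
import operator
from dataclasses import dataclass
from functools import reduce
from typing import Dict, List

PAYLOAD_LEN = 8   # constructed: fixed-size payloads keep the XOR parity simple


@dataclass(frozen=True)
class Packet:
    seq: int            # sequence number stamped by the sending appliance (data packets)
    payload: bytes
    block_id: int = -1  # >= 0 marks an FEC parity packet covering that block of data packets


def xor_bytes(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length byte strings."""
    return bytes(reduce(operator.xor, column) for column in zip(*blocks))


def sender_encode(payloads: List[bytes], block_size: int) -> List[Packet]:
    """Emit data packets in order plus one parity packet after every block_size of them."""
    wire: List[Packet] = []
    for seq, data in enumerate(payloads):
        wire.append(Packet(seq, data.ljust(PAYLOAD_LEN, b"\0")))
        if (seq + 1) % block_size == 0:
            block = wire[-block_size:]          # the data packets of this block
            parity = xor_bytes([p.payload for p in block])
            wire.append(Packet(-1, parity, block_id=seq // block_size))
    return wire


def receiver_decode(arrived: List[Packet], total: int, block_size: int) -> Dict[str, object]:
    """Receiving appliance: rebuild at most one lost data packet per block from the parity
    packet (FEC), then hand payloads up in sequence order whatever the arrival order (POC)."""
    data = {p.seq: p.payload for p in arrived if p.block_id < 0}
    parity = {p.block_id: p.payload for p in arrived if p.block_id >= 0}
    pre_fec_lost = total - len(data)
    for block_id, par in parity.items():
        seqs = range(block_id * block_size, min((block_id + 1) * block_size, total))
        missing = [s for s in seqs if s not in data]
        if len(missing) == 1:                   # one parity packet repairs exactly one loss
            data[missing[0]] = xor_bytes([par] + [data[s] for s in seqs if s != missing[0]])
    # Padding is stripped for readability; a real implementation would carry the length.
    delivered = [data[s].rstrip(b"\0") if s in data else None for s in range(total)]
    return {"payloads": delivered, "pre_fec_lost": pre_fec_lost,
            "post_fec_lost": delivered.count(None)}


def demo() -> Dict[str, object]:
    payloads = [f"pkt{i}".encode() for i in range(8)]
    wire = sender_encode(payloads, block_size=4)          # 8 data + 2 parity packets
    # Constructed impairment: seq 2 lost (block 0), seqs 5 and 6 lost (block 1),
    # and the survivors arrive in reverse order.
    arrived = [p for p in wire if not (p.block_id < 0 and p.seq in (2, 5, 6))]
    arrived.reverse()
    return receiver_decode(arrived, total=len(payloads), block_size=4)


if __name__ == "__main__":
    print(demo())
```

Block 0 loses one packet and is fully repaired; block 1 loses two, which a single parity packet cannot recover, so the post-FEC loss is 2 of the original 3. The reversed arrival order has no effect on what is delivered, which is the point of POC.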

Link Bonding & Failover

Here is an example of a site with three connections. A Business Intent Overlay can link bond underlays together to create a logical overlay tunnel. You can configure the overlay tunnels in various ways to emphasize resilience or maximize throughput. In this example, our site has a broadband internet connection, an MPLS connection, and an LTE connection. The Business Intent Overlay can logically bond multiple underlay tunnels—internet and MPLS for instance—as our primary paths. If the internet connection goes down, the appliance can use its MPLS connection. Only if both internet and MPLS fail will the appliance fail over to the backup LTE interface and statefully move all the traffic over without dropping a connection.
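
The following Python script is an added example, not course or Aruba code, that puts the Service Level Objectives section and this three-link site together: each primary underlay is checked against loss, latency, and jitter thresholds (a zero threshold is ignored), a violating primary is marked but stays in use, and the overlay fails over to the backup only when every usable primary violates a threshold. The threshold values, link measurements, and the reading that a marked link keeps carrying traffic until all primaries are impaired are this example’s assumptions.

```python
"""Added example: SLO evaluation and primary/backup failover (constructed model)."""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Slo:
    """Service Level Objective thresholds; 0 means the parameter is ignored."""
    loss_pct: float = 0.0
    latency_ms: float = 0.0
    jitter_ms: float = 0.0


@dataclass(frozen=True)
class Underlay:
    name: str
    primary: bool        # True for a primary path, False for a backup path
    loss_pct: float      # current measurements the appliance keeps updating
    latency_ms: float
    jitter_ms: float
    up: bool = True      # False when the link is down altogether


def violations(link: Underlay, slo: Slo) -> List[str]:
    """Names of the SLO parameters this link currently exceeds."""
    checks = (
        ("loss", link.loss_pct, slo.loss_pct),
        ("latency", link.latency_ms, slo.latency_ms),
        ("jitter", link.jitter_ms, slo.jitter_ms),
    )
    return [name for name, measured, limit in checks if limit > 0 and measured > limit]


def select_paths(links: List[Underlay], slo: Slo) -> Dict[str, object]:
    """Decide which underlays carry the overlay right now."""
    primaries = [l for l in links if l.primary and l.up]
    backups = [l for l in links if not l.primary and l.up]
    marked = [l.name for l in primaries if violations(l, slo)]
    # Fail over only when every usable primary violates at least one threshold.
    if primaries and len(marked) < len(primaries):
        return {"in_use": [l.name for l in primaries], "marked": marked, "failed_over": False}
    return {"in_use": [l.name for l in backups], "marked": marked, "failed_over": True}


def site_scenarios() -> Dict[str, Dict[str, object]]:
    # Constructed site: internet + MPLS bonded as primaries, LTE as the backup.
    slo = Slo(loss_pct=5.0, latency_ms=150.0, jitter_ms=0.0)   # jitter = 0 -> ignored
    internet = Underlay("internet", True, loss_pct=0.5, latency_ms=40, jitter_ms=400)
    mpls = Underlay("mpls", True, loss_pct=0.1, latency_ms=30, jitter_ms=2)
    lte = Underlay("lte", False, loss_pct=1.0, latency_ms=90, jitter_ms=15)
    return {
        "normal": select_paths([internet, mpls, lte], slo),
        "internet_down": select_paths([replace(internet, up=False), mpls, lte], slo),
        "internet_lossy": select_paths([replace(internet, loss_pct=8.0), mpls, lte], slo),
        "both_impaired": select_paths(
            [replace(internet, loss_pct=8.0), replace(mpls, latency_ms=200), lte], slo),
        "both_down": select_paths(
            [replace(internet, up=False), replace(mpls, up=False), lte], slo),
    }


if __name__ == "__main__":
    for name, result in site_scenarios().items():
        print(f"{name:15} {result}")
```

Note that the internet link’s 400 ms jitter never marks it, because the jitter threshold is zero and therefore ignored, exactly as the guide describes.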

Link Bonding Policies


Review the following information about the link bonding policies you can select for each Business Intent Overlay.

• High Availability: This link bonding policy is meant for use with real-time traffic like voice, video, or certain conferencing apps that are time-sensitive. It transmits one FEC packet for each data packet. This is called 1:1 FEC. This ensures delivery in the event of packet loss so the protocol or app can function without impairment.
• High Quality: This link bonding policy uses the best quality path for data packets and the next best path for FEC packets. It uses Adaptive FEC, which means the appliance increases the amount of FEC packets—up to one FEC packet for every five packets—when it detects packet loss. The traffic often relates to user-productivity apps.
• High Throughput: This link bonding policy load balances traffic across the underlays of an overlay for maximum data transfer speeds. It also uses Adaptive FEC. These types of flows often occur in the background.
• High Efficiency: This link bonding policy does not use Path Conditioning. You might use this link bonding policy if your WAN links are congested, so you don’t want Path Conditioning to add additional FEC packets.
• Custom: We recommend that you only use this option under the direction of your Aruba account team or the Aruba support team. If you use this option, be sure to thoroughly test it to verify your SD-WAN won’t suffer from unintended consequences.
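
The following Python script is an added example, not course or Aruba code, that turns the Dynamic Path Control options and the four built-in link bonding policies above into a small planner: it ranks the underlays, sends data over the best one and FEC over the next best (Link Quality) or rotates round-robin (Load Balancing), and picks the FEC mode the guide states for each policy. The metric ordering used for ranking, the adaptive FEC ramp between zero loss and the guide’s 1:5 ceiling, and where parity packets go under load balancing are assumptions of this example.

```python
"""Added example: per-policy path selection and FEC ratio (constructed model)."""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List


@dataclass(frozen=True)
class Underlay:
    name: str
    rtt_ms: float
    loss_pct: float
    latency_ms: float
    jitter_ms: float


# What the guide states for each built-in policy: how data packets pick a path and which FEC mode applies.
POLICIES: Dict[str, Dict[str, str]] = {
    "High Availability": {"selection": "best_quality", "fec": "1:1"},
    "High Quality": {"selection": "best_quality", "fec": "adaptive"},
    "High Throughput": {"selection": "load_balance", "fec": "adaptive"},
    "High Efficiency": {"selection": "load_balance", "fec": "none"},
}


def rank_underlays(underlays: List[Underlay]) -> List[Underlay]:
    """Best path first. The guide names the probed metrics; the lexicographic
    ordering (loss, then latency, jitter, RTT) is this example's assumption."""
    return sorted(underlays, key=lambda u: (u.loss_pct, u.latency_ms, u.jitter_ms, u.rtt_ms))


def data_packets_per_parity(fec_mode: str, observed_loss_pct: float) -> int:
    """Data packets that share one parity packet; 0 means no FEC.
    1:1 FEC sends one parity packet per data packet. Adaptive FEC adds parity as loss
    grows, up to one parity packet per five data packets (the guide's limit); the
    intermediate steps are constructed for this example."""
    if fec_mode == "none":
        return 0
    if fec_mode == "1:1":
        return 1
    if observed_loss_pct == 0:
        return 0
    if observed_loss_pct < 1.0:
        return 20
    if observed_loss_pct < 3.0:
        return 10
    return 5


def plan(policy: str, underlays: List[Underlay], observed_loss_pct: float,
         n_packets: int) -> Dict[str, object]:
    spec = POLICIES[policy]
    ranked = rank_underlays(underlays)
    per_parity = data_packets_per_parity(spec["fec"], observed_loss_pct)
    if spec["selection"] == "best_quality":
        data_paths = [ranked[0].name] * n_packets
        # FEC packets ride the next-best underlay (same one if there is only one).
        fec_path = ranked[1].name if len(ranked) > 1 else ranked[0].name
    else:
        rr = cycle(u.name for u in underlays)
        data_paths = [next(rr) for _ in range(n_packets)]
        fec_path = "round-robin"   # assumption: parity follows the same rotation
    parity = n_packets // per_parity if per_parity else 0
    return {"data_paths": data_paths, "fec_path": fec_path,
            "parity_packets": parity, "path_conditioning": spec["fec"] != "none"}


def compare_policies() -> Dict[str, Dict[str, object]]:
    # Constructed probe results for a three-underlay site.
    underlays = [Underlay("internet", 45, 0.5, 40, 6),
                 Underlay("mpls", 32, 0.1, 30, 2),
                 Underlay("lte", 110, 1.2, 95, 18)]
    return {name: plan(name, underlays, observed_loss_pct=2.0, n_packets=10) for name in POLICIES}


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:18} {result}")
```

With 2% observed loss, High Availability still sends ten parity packets for ten data packets, High Quality and High Throughput send one, and High Efficiency sends none and skips Path Conditioning altogether.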

Visualizing Link Bonding Policies

You can see the differences in Path Conditioning, link selection, and FEC in this diagram. We can divide them into two sides. An overlay uses Path Conditioning for its traffic when you select the High Availability, High Quality, or High Throughput link bonding policies on the left. When you select High Efficiency, it doesn’t apply Path Conditioning. You can see link selection options choose the Best Quality Path on the left for High Availability and High Quality. Load balancing is done for High Throughput and High Efficiency. Finally, an overlay uses 1:1 FEC for High Availability and Adaptive FEC for High Quality and High Throughput. Adaptive FEC adjusts the amount of parity packets based on the amount of packet loss. High Efficiency does not use Path Conditioning. We recommend that you only use this option under the direction of your Aruba account team or the Aruba support team.

QoS, Security, & Optimization Settings

You can configure Boost, the Peer Unavailable Option, and QoS settings for each overlay.
• Boost: Whether the appliance should apply WAN optimization to matching traffic.
• Peer Unavailable Option: How the appliance should handle a packet if it doesn’t have a route to its destination via an overlay.
• Traffic Class: The QoS traffic class into which the appliance puts the packet.
• LAN DSCP: The prioritization setting to use in the original packet that an appliance will encapsulate across the WAN.
• WAN DSCP: The prioritization setting to use in the encapsulating IPsec UDP packet’s outer IP header across the WAN.

Boost Has Two Components

Boost is the name of WAN optimization for EdgeConnect SD-WAN. Its outbound transfer rate is limited by the lower value of the total outbound bandwidth or the amount of Boost you apply to the appliance. Boost has two components:
• TCP Acceleration: It reduces latency caused by distance or hop count to increase throughput for TCP traffic.
• Network Memory: It reduces the congestion of WAN links to increase throughput.

Boost: TCP Acceleration

In this diagram, a computer requests a file from a server. The round-trip latency is 308 ms without TCP Acceleration. An EdgeConnect SD-WAN appliance can act as a TCP proxy on behalf of a remote device by acknowledging packets within 2 ms. This allows the computer to send the remaining packets much sooner. Per the diagram, LAN devices can transmit as fast as possible, reducing the round-trip time to 4 ms. Utilizing disk caching, as well as FEC and POC, the EdgeConnect appliances ensure reliable connectivity between themselves, avoiding the need for retransmissions. TCP Acceleration must happen between the same pair of EdgeConnect appliances because they need to keep track of sequence numbers to perform their TCP proxy function. Also, each appliance needs a Boost license for this to work.

Network Memory: Deduplication & Compression

The Network Memory features of Boost involve the deduplication and compression of transmitted data to reduce bandwidth requirements and congestion. EdgeConnect uses disk caching technology to perform deduplication. Deduplication reduces the amount of bandwidth needed by eliminating duplicated data and locally caching frequently accessed data. Deduplication and compression include byte-level data-reduction techniques for reducing data sent across the WAN. In conjunction with compression, Network Memory dramatically reduces congestion in your network. This happens in two phases.
During the first phase, an appliance looks at incoming packets in real time for common data sequences. For each sequence, EdgeConnect stores the data in the local disk cache, along with a small byte fingerprint to identify the data in the disk cache. The appliance then transmits the data to the remote appliance, which does the same thing before delivering the packet to its destination.
During the second phase, when the appliance sees the same data sequence, it matches the data in its disk cache. Instead of sending a large amount of data, the appliance sends a byte fingerprint to the remote EdgeConnect, which uses much less WAN bandwidth. The remote appliance uses the byte fingerprint to look up the original data in its cache. It then retrieves the original data from its cache and forwards it to its destination.
It’s important to note that an EdgeConnect SD-WAN appliance can’t deduplicate data that is encrypted with SSL/TLS unless you install the necessary certificates on the appliance. This is because the EdgeConnect can’t investigate an encrypted data stream to perform disk caching, fingerprint creation, or matching. Contact your Aruba account team for additional information if you need to implement this feature. It is outside the scope of this course.
Also, each appliance needs a Boost license for this to work.
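
The following Python script is an added example, not course or Aruba code, of the two-phase behaviour described above: a sending cache emits fingerprint plus data the first time it sees a sequence, and only the fingerprint afterwards; the receiving cache fills itself from the first transfer and resolves fingerprints on the second. It also shows why TLS-protected traffic gains nothing: the ciphertext differs every session, so no sequence ever repeats. The fixed 64-byte chunking, the 8-byte truncated SHA-256 fingerprint, and the sample document are constructed for the example (Aruba’s chunking and fingerprinting are its own).

```python
"""Added example: fingerprint-based deduplication between two caches (constructed model)."""
import hashlib
import random
from typing import Dict, List, Optional, Tuple

CHUNK = 64     # bytes per "data sequence"; constructed, not Aruba's chunking
FP_LEN = 8     # bytes of fingerprint sent instead of the data


def fingerprint(chunk: bytes) -> bytes:
    return hashlib.sha256(chunk).digest()[:FP_LEN]


class ApplianceCache:
    """Disk cache of one EdgeConnect, keyed by fingerprint (a dict stands in for the disk)."""

    def __init__(self) -> None:
        self.store: Dict[bytes, bytes] = {}

    def encode(self, data: bytes) -> List[Tuple[bytes, Optional[bytes]]]:
        """Sending side. First sight of a sequence: send fingerprint + data (phase one).
        Seen before: send the fingerprint only (phase two)."""
        wire: List[Tuple[bytes, Optional[bytes]]] = []
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            fp = fingerprint(chunk)
            if fp in self.store:
                wire.append((fp, None))
            else:
                self.store[fp] = chunk
                wire.append((fp, chunk))
        return wire

    def decode(self, wire: List[Tuple[bytes, Optional[bytes]]]) -> bytes:
        """Receiving side: cache new data, look up fingerprint-only entries."""
        parts = []
        for fp, chunk in wire:
            if chunk is None:
                chunk = self.store[fp]      # KeyError would mean the two caches are out of sync
            else:
                self.store[fp] = chunk
            parts.append(chunk)
        return b"".join(parts)


def wire_size(wire: List[Tuple[bytes, Optional[bytes]]]) -> int:
    """Bytes that would cross the WAN for this transfer."""
    return sum(FP_LEN + (len(chunk) if chunk else 0) for _, chunk in wire)


def random_bytes(seed: int, n: int) -> bytes:
    """Stand-in for TLS ciphertext: deterministic here, different for every seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def demo() -> Dict[str, object]:
    local, remote = ApplianceCache(), ApplianceCache()
    # Constructed file: ten distinct 64-byte records (640 bytes).
    document = b"".join(f"record {i:03d} ".encode().ljust(CHUNK, b".") for i in range(10))
    first = local.encode(document)
    second = local.encode(document)          # same file sent again
    roundtrip_ok = remote.decode(first) == document and remote.decode(second) == document
    # Encrypted sessions: same plaintext, but ciphertext never repeats, so no cache hits.
    enc_first = local.encode(random_bytes(1, len(document)))
    enc_second = local.encode(random_bytes(2, len(document)))
    return {
        "first_transfer_bytes": wire_size(first),
        "second_transfer_bytes": wire_size(second),
        "encrypted_first_bytes": wire_size(enc_first),
        "encrypted_second_bytes": wire_size(enc_second),
        "roundtrip_ok": roundtrip_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The second transfer of the plaintext document shrinks from 720 wire bytes to 80 (ten fingerprints), while the second encrypted transfer costs the full 720 bytes again, which is the behaviour the guide warns about for SSL/TLS traffic.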

Allocating Licenses
Let’s now consider how much Boost is required assuming 50% of traffic receives Boost and all underlays are active.
We have a total bandwidth used by small branches of 300 Mbps—ten appliances times 30 Mbps. 150 Mbps is 50% of the bandwidth. How much total bandwidth is used by the medium branches? Ten appliances times 80 Mbps for a total of 800 Mbps. 400 Mbps is 50% of the bandwidth. And at the Data Center? Two EdgeConnect appliances at 6 Gbps each for a total of 12,000 Mbps; 50% of that is 6 Gbps. If you add them together, the total bandwidth of all appliances equals 13,100 Mbps. 6,550 Mbps is 50% of the bandwidth.
How much Boost is needed? Remember, you can purchase Boost in 100 Mbps and 10 Gbps blocks. For this example, let’s calculate this based on 100 Mbps blocks. 6,550 divided by 100 equals 65.5. You round this up for a total of 66 blocks of Boost.

Peer Unavailable Option

The Peer Unavailable Option handles two situations an SD-WAN can encounter. In each situation, the EdgeConnect appliance lacks a route via an overlay to transmit a packet to an internal destination network. This feature then attempts to use a passthrough connection to the destination network. These are the options for this feature:
• Use Best Route: The appliance determines the best route to the destination and forwards the traffic as passthrough traffic. This excludes the use of routes the appliance learned from subnet sharing because they require an overlay. Remember that passthrough traffic is unencrypted, which can be a security risk. Be sure to determine whether you can safely use this option.
• Use <WAN interface label>: The appliance forwards the traffic as passthrough traffic from the WAN interface you specify. Remember that passthrough traffic is unencrypted, which can be a security risk. Be sure to determine whether you can safely use this option.
• Drop: The appliance must drop the traffic.

QoS Settings per BIO

The Traffic Class is part of the QoS configuration for the overlay. It determines into which shaper traffic class the appliance should put packets. It affects the automatic creation of QoS policies on the appliance. The Shaper controls the prioritization behavior of the individual traffic classes. You can also set the DSCP settings here. LAN DSCP sets the bits in the payload packet’s IP header. WAN DSCP sets the bits in the encapsulating packet’s IP header that the upstream service provider’s equipment will see. You can best manage Shaper configuration via its template that the Orchestrator can apply to appliances.

BIO Can Trust or Set Both DSCP Markings


Here’s an example of how DSCP markings work in a QoS policy.
On the left we see a packet come in from the LAN. The EdgeConnect is configured for QoS to trust-lan on the LAN side and to set DSCP markings to CS5 on the WAN side. The EdgeConnect puts the packet into the tunnel. The LAN packet continues as EF. The outer header of the encapsulating packet is marked as CS5 because of the WAN DSCP setting. When the packet arrives at the remote end, the appliance removes the outer header and processes the packet based on the DSCP configuration of the devices at the remote site.
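
The following Python script is an added example, not course or Aruba code, that builds the two headers from the scenario above at the byte level: an inner IPv4 packet marked EF (DSCP 46) is encapsulated in an outer IPv4/UDP packet whose header carries CS5 (DSCP 40), and decapsulation at the remote end shows the inner marking untouched. A second run applies a LAN DSCP other than trust-lan so that the inner marking is rewritten before encapsulation. The DSCP code point values are the standard ones; the addresses, the UDP port, and the omission of the IPsec encryption step are this example’s simplifications.

```python
"""Added example: DSCP in the inner (LAN) and outer (WAN) IPv4 headers (constructed)."""
import ipaddress
import struct
from typing import Dict

DSCP = {"BE": 0, "CS5": 40, "EF": 46}   # standard code points: CS5 = 101000b, EF = 101110b
IPPROTO_UDP = 17
TUNNEL_UDP_PORT = 4500                 # constructed port for the encapsulating UDP header


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, dscp: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet; DSCP is the upper six bits of the ToS byte, ECN the lower two."""
    tos = (dscp & 0x3F) << 2
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]
    return header + payload


def dscp_of(packet: bytes) -> int:
    return packet[1] >> 2


def set_dscp(packet: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits, keep ECN, and recompute the header checksum."""
    header = bytearray(packet[:20])
    header[1] = ((dscp & 0x3F) << 2) | (header[1] & 0x03)
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    return bytes(header) + packet[20:]


def encapsulate(inner: bytes, lan_dscp: str, wan_dscp: str, src: str, dst: str) -> bytes:
    """LAN DSCP 'trust-lan' leaves the payload packet's marking alone; any other value
    rewrites it. WAN DSCP goes into the outer header the provider's equipment sees.
    The real tunnel carries IPsec inside UDP; the encryption step is omitted here."""
    if lan_dscp != "trust-lan":
        inner = set_dscp(inner, DSCP[lan_dscp])
    udp = struct.pack("!HHHH", TUNNEL_UDP_PORT, TUNNEL_UDP_PORT, 8 + len(inner), 0)
    return build_ipv4(src, dst, IPPROTO_UDP, DSCP[wan_dscp], udp + inner)


def decapsulate(outer: bytes) -> bytes:
    """Strip the 20-byte outer IPv4 header and the 8-byte UDP header."""
    if outer[9] != IPPROTO_UDP:
        raise ValueError("not a UDP-encapsulated packet")
    return outer[28:]


def header_valid(packet: bytes) -> bool:
    """A correct checksum makes the one's-complement sum of the header come out to zero."""
    return ip_checksum(packet[:20]) == 0


def demo() -> Dict[str, object]:
    voice = build_ipv4("10.1.1.20", "10.2.1.30", IPPROTO_UDP, DSCP["EF"], b"rtp" * 20)
    tunnel = encapsulate(voice, "trust-lan", "CS5", "203.0.113.10", "198.51.100.20")
    at_remote = decapsulate(tunnel)
    rewritten = encapsulate(voice, "CS5", "CS5", "203.0.113.10", "198.51.100.20")
    return {
        "lan_dscp": dscp_of(voice),                        # EF from the LAN device
        "wan_dscp": dscp_of(tunnel),                       # CS5 on the outer header
        "after_decap": dscp_of(at_remote),                 # inner marking survives
        "inner_when_set": dscp_of(decapsulate(rewritten)),  # LAN DSCP = CS5 rewrote it
        "checksums_ok": header_valid(tunnel) and header_valid(at_remote),
    }


if __name__ == "__main__":
    print(demo())
```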

Internet & Cloud Services Traffic Handling


General Overlay Flow with Internet Breakout
You learned about this flowchart earlier for SD-WAN overlay traffic. Here the flowchart relates to breakout traffic. If the
appliance doesn’t find a packet’s destination IP address in the Internal Subnets Table, it forwards the traffic to its
destination based on the breakout traffic settings for the matching Business Intent Overlay.

Instructor Demo: BIO Tour Breakout Traffic Configuration


Your instructor may provide a live demo of this feature during class.

Breakout Traffic to Internet & Cloud Services Tab

An EdgeConnect SD-WAN appliance forwards traffic that doesn’t match an internal subnet using one of these options:
• Break Out Locally: Send the traffic to the internet based on the local internet breakout settings you’ve configured.
• Backhaul Via Overlay: Send the traffic to a hub appliance that will perform local internet breakout.
• Forward to a Cloud-hosted Security Service: Send the traffic to a point of presence for a service like Zscaler.

BIO Utilizes First Packet iQ to Enable Granular Internet Breakout


When an EdgeConnect SD-WAN appliance receives a packet, it uses its First-packet iQ feature to identify what type of
traffic it is. Appliances use this feature to match traffic to Business Intent Overlays (BIOs). The BIO determines how the
appliance handles matching traffic.

Breakout Traffic to Internet & Cloud Services

The Breakout Traffic to Internet & Cloud Services tab is for configuring the Preferred Policy Order and local internet breakout settings.

Different Policy Settings for Hubs & Spokes

It’s possible to have different policy settings on hubs and spokes in your SD‐WAN. The branch settings apply to all devices unless you click on a hub. This brings up the configuration for that hub, which allows you to configure settings that differ from the branch office sites that are not hubs. One use for this is to make it easy to configure all the branches to backhaul all traffic to the hub sites, and then configure the hub site to allow local internet breakout. At the hub site, you might have next-generation firewalls that can inspect outgoing and incoming traffic.
At any time, you can revert the hub to the branch settings by checking the box that says Use Branch Settings. In the example shown here, branches backhaul all traffic, but the ECV‐4 hub can break out traffic locally. ECV‐4 would probably advertise a default route to the branches to attract traffic that needs to be broken out to the internet.

Global IP SLA: Are External Networks Reachable?

You configure a global IP SLA to detect whether WAN-side interfaces can reach the internet. This contains a list of destinations the appliance can ping or connect to via HTTP/HTTPS to detect reachability. If no destinations are reachable, then the appliance won’t use local internet breakout, and the action it takes depends on the Preferred Policy Order.
Note: Because our lab environment is actually not connected to the internet on the WAN side, we are mimicking internet reachability using the 10.110.x.x addresses.
The default IP SLA addresses are:
• sp-ipsla.silverpeak.cloud
• 8.8.8.8
• 8.8.4.4

Link Selection & Performance Thresholds

Waterfall and Balanced are the two link selection options for breakout traffic. The Waterfall option sends traffic over the internet-connected WAN interface with the highest rank. EdgeConnect determines this rank based on the Rank Links By option you choose. The Waterfall option transmits flows via this WAN interface until it almost reaches full utilization. At that point, the appliance “waterfalls” successive flows to the next-highest ranked internet-connected WAN interface. The Balanced option performs a round robin of flows between internet-connected WAN interfaces if you’ve configured the Business Intent Overlay to use more than one such interface for internet breakout.
The Performance Thresholds for internet breakout traffic are similar in concept to the Service Level Objectives for overlay tunnel traffic. Normally, if internet-connected WAN interfaces go down, then the appliance uses the backup interfaces you’ve configured. However, if you select Exclude Links That Are Below Performance Thresholds, the appliance switches from primary to backup links if traffic exceeds the loss, latency, or jitter values for all primary interfaces.
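
The following Python script is an added example, not course or Aruba code, that ties the Global IP SLA gate and the Preferred Policy Order to the two link selection options above. Waterfall fills the highest-ranked internet link until it is nearly full and then spills new flows to the next rank; Balanced rotates flows round-robin. The 90% "almost full" threshold, the link capacities and ranks, the constructed probe results, and Drop as the final fallback when no policy applies are assumptions of this example; the probe destinations are the defaults listed earlier in this guide.

```python
"""Added example: breakout gate plus Waterfall vs. Balanced flow placement (constructed)."""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional

NEAR_FULL = 0.9   # constructed: share of capacity at which Waterfall treats a link as almost full


@dataclass
class WanLink:
    name: str
    capacity_mbps: float
    rank: int                 # 1 = highest rank under the chosen Rank Links By option
    used_mbps: float = 0.0


def internet_reachable(probe_results: Dict[str, bool]) -> bool:
    """Global IP SLA: local breakout is allowed while at least one destination answers."""
    return any(probe_results.values())


def breakout_action(probe_results: Dict[str, bool], preferred_policy_order: List[str]) -> str:
    """First usable entry of the Preferred Policy Order; Break Out Locally needs the IP SLA to pass."""
    for action in preferred_policy_order:
        if action == "Break Out Locally" and not internet_reachable(probe_results):
            continue
        return action
    return "Drop"   # assumption: nothing left to try


def waterfall_assign(links: List[WanLink], flow_mbps: float) -> Optional[str]:
    """Place a new flow on the best-ranked link that is not yet almost full."""
    for link in sorted(links, key=lambda l: l.rank):
        if link.used_mbps + flow_mbps <= NEAR_FULL * link.capacity_mbps:
            link.used_mbps += flow_mbps
            return link.name
    return None   # every internet link is almost full


class BalancedAssigner:
    """Round-robin of flows across the internet-connected links."""

    def __init__(self, links: List[WanLink]) -> None:
        self.rotation = cycle(links)

    def assign(self, flow_mbps: float) -> str:
        link = next(self.rotation)
        link.used_mbps += flow_mbps
        return link.name


def compare_selection(flow_mbps: float = 10.0, n_flows: int = 15) -> Dict[str, Dict[Optional[str], int]]:
    def fresh_links() -> List[WanLink]:
        return [WanLink("internet1", 100, rank=1), WanLink("internet2", 50, rank=2)]

    counts: Dict[str, Dict[Optional[str], int]] = {"waterfall": {}, "balanced": {}}
    links = fresh_links()
    for _ in range(n_flows):
        name = waterfall_assign(links, flow_mbps)
        counts["waterfall"][name] = counts["waterfall"].get(name, 0) + 1
    balanced = BalancedAssigner(fresh_links())
    for _ in range(n_flows):
        name = balanced.assign(flow_mbps)
        counts["balanced"][name] = counts["balanced"].get(name, 0) + 1
    return counts


if __name__ == "__main__":
    probes = {"sp-ipsla.silverpeak.cloud": False, "8.8.8.8": False, "8.8.4.4": False}
    print(breakout_action(probes, ["Break Out Locally", "Backhaul Via Overlay"]))
    print(compare_selection())
```

With fifteen 10 Mbps flows, Waterfall places nine on the 100 Mbps link and four on the 50 Mbps link before both reach the 90% mark, leaving two unplaced; Balanced simply alternates, eight and seven, without regard to capacity.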

Apply Overlays Tab: Manual Changes

It’s possible to manually add or remove Business Intent Overlays (BIOs) from appliances on the Apply Overlays tab. Select the appliances in the Orchestrator appliance tree, and then check the add or remove boxes for the BIOs. This is also a useful place to see which overlays an appliance already has.

Back Up, Restore, & Image Management

Backup
The Orchestrator allows you to manage the backup and restoration of both the Orchestrator database and EdgeConnect appliance configurations. The Orchestrator backs up the appliances’ configurations to the Orchestrator database. When the Orchestrator backup runs, it backs up each EdgeConnect configuration if it has saved changes that have not been backed up previously. All the backups are labeled and time-stamped. The Orchestrator backs up its configuration and database to another server via FTP, SCP, HTTP, HTTPS, or SFTP.

Orchestrator Backup & Restore

You configure regular backups as part of the Orchestrator Getting Started Wizard. You restore the Orchestrator database with a manual process from the Orchestrator CLI. Review the Orchestrator release notes for the manual recovery procedure.

Orchestrator Restore
If you need to restore Orchestrator, review the Orchestrator release notes for the correct procedure for that version of software. It must be done via the CLI.

Appliance Restore
You restore an EdgeConnect SD-WAN appliance from the Orchestrator web interface. When you start to restore an EdgeConnect, Orchestrator only lists the relevant backups from the appliance you selected in the Orchestrator appliance tree. Although Orchestrator can back up multiple appliances simultaneously, it can only restore one appliance at a time. Select the backup image that you want and click Restore.

RMA Wizard: Restore a Replacement Appliance

If you need to perform an RMA for an appliance, a wizard is available to automate the process for you. You need to install
the replacement appliance into the network. When the Orchestrator discovers the replacement appliance, you can select
the EdgeConnect to be replaced in the appliance tree, and then run the RMA wizard. The RMA wizard is available in the
Support tab. It walks you through the replacement process. You’re prompted to select a previous backup from the failed
EdgeConnect to use as a starting configuration for the replacement appliance.

Orchestrator Upgrade via CLI

You perform an Orchestrator upgrade from the Orchestrator CLI. You should always refer to the release notes for that version to ensure all requirements are met.

Upgrade EdgeConnect Software

You upgrade the ECOS software of your EdgeConnect SD-WAN appliances from Orchestrator.
You can click an image in the Select ECOS Image field of the Upgrade Appliances page or upload an ECOS image you’ve downloaded from another computer. If you have a download URL from Aruba support, you can use it as another way to obtain an ECOS image. Select EdgeConnect appliances in the Orchestrator appliance tree to make them appear in the Target Appliances field. Orchestrator installs the ECOS image you select to these appliances. The Upgrade Options tell the appliances what to do after the upgrade finishes:
• Install and reboot: This option installs the ECOS image to the EdgeConnect appliance’s inactive partition. The EdgeConnect then reboots to activate the new ECOS image.
• Install and set next boot partition: This option installs the ECOS image to the appliance’s inactive partition. The EdgeConnect sets the inactive partition to become active after the next reboot.
• Install only: This option only installs the ECOS image to the appliance’s inactive partition without any further action.

Monitoring
Traffic Directionality: Inbound vs. Outbound
Unlike a traditional router, an EdgeConnect SD-WAN appliance has a very defined set of interface sides—a LAN side and a WAN side. LAN traffic relates to all the devices of your Local Area Network. WAN traffic is the traffic on the WAN side, which also includes your other SD-WAN sites. EdgeConnect appliance traffic has distinct inbound and outbound directionality. Inbound traffic always goes from the WAN to the LAN. Outbound traffic always goes from the LAN to the WAN. Graphs, charts, and tables often refer to flows’ inbound and outbound traffic.
Here is a useful summary:
• Inbound LAN: Traffic from the appliance to the LAN
• Inbound WAN: Traffic from the WAN to the appliance
• Outbound LAN: Traffic from the LAN to the appliance
• Outbound WAN: Traffic from the appliance to the WAN

Flow Monitoring
You can monitor traffic from the Active & Recent Flows feature, or Flows tab. The Flows tab helps you to understand
traffic flows, especially if you need to troubleshoot an issue. You can view flows for one or more appliances. You can click
a flow’s Chart icon to see a real-time flow bandwidth chart. If you click the Detail icon, it displays detailed information
about a specific flow.

Flow Details
A flow details page contains critical information that helps you to diagnose problems. These are the main parts of a flow details page:
• General tab
 Route section: It provides information about the flow, including the route policy the flow matched. Route policies determine the destination of a flow. If your flow isn’t going to the correct destination, then this section helps you determine the reason.
 Stats section: It provides detailed numeric information about the flow.
 QoS section: It provides the QoS policy that put the flow into a traffic class. If your traffic isn’t being prioritized properly and has been subject to drops or delays, you can look here to determine the reason.
 Security section: It provides how the zone-based firewall applies security policies to a flow.
 Segments section: It provides information about routing segmentation (VRF) if you’re using it.
• Optimization tab: It provides the matching optimization policy and related Boost information.
• NAT tab: It provides source and/or destination network address translation information.

Flow Detail Stateful + SNAT

On the NAT tab of a flow details page, you can see source NAT (SNAT) and destination NAT (DNAT) information. This includes the WAN SNAT section that lists the public IP addresses and port numbers that were used when the appliance translated a packet’s source IP address. This tab is useful if you’re troubleshooting a related issue. IP address and port translation can occur on WAN interfaces and across EdgeConnect HA links. So, if a flow traverses an HA link before the internet breakout occurs, it could result in double NAT.

Look at the Flow: Security

Flows with red text indicate that an appliance dropped their traffic. Click the flow details icon to learn more about why the appliance dropped the traffic. The Security section of the flow details shows whether the appliance allowed or denied a flow and the related security policy. EdgeConnect has two implicit policies:
• Intra‐zone traffic: Traffic within the same zone is always allowed.
• Inter-zone traffic: Traffic between two different zones is always denied unless you specify a security policy to allow it.
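
The following Python script is an added example, not course or Aruba code, of how the two implicit policies above decide a flow, returning the action and reason pair you would expect to find in the Security section of the flow details: same zone is allowed implicitly, a different zone is denied unless an explicit policy matches first. The zone-to-prefix mapping, the sample policies, the flows, the first-match ordering, and the "Default" zone for unclassified addresses are constructed for this example.

```python
"""Added example: zone-based firewall decision with implicit intra/inter-zone rules (constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone assignment; on an appliance, zones are attached to interfaces and segments.
ZONES: Dict[str, List[str]] = {
    "LAN": ["10.1.0.0/16"],
    "GUEST": ["10.9.0.0/16"],
    "DMZ": ["192.168.100.0/24"],
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    from_zone: str
    to_zone: str
    action: str                      # "allow" or "deny"
    dst_port: Optional[int] = None   # None matches any port


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, prefixes in ZONES.items():
        if any(addr in ipaddress.ip_network(prefix) for prefix in prefixes):
            return zone
    return "Default"   # assumption for addresses outside every configured zone


def evaluate(flow: Flow, policies: List[SecurityPolicy]) -> Tuple[str, str]:
    """Return (action, reason) the way the Security section of a flow's details reports it."""
    src_zone, dst_zone = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if src_zone == dst_zone:
        return "allow", f"implicit intra-zone allow ({src_zone})"
    for policy in policies:          # explicit policies, first match wins
        zones_match = (policy.from_zone, policy.to_zone) == (src_zone, dst_zone)
        if zones_match and policy.dst_port in (None, flow.dst_port):
            return policy.action, policy.name
    return "deny", f"implicit inter-zone deny ({src_zone} -> {dst_zone})"


# Constructed explicit policies: guests reach the DMZ on HTTPS only; the LAN reaches the DMZ fully.
POLICIES: List[SecurityPolicy] = [
    SecurityPolicy("guest-web-to-dmz", "GUEST", "DMZ", "allow", dst_port=443),
    SecurityPolicy("lan-to-dmz-any", "LAN", "DMZ", "allow"),
]


def demo() -> Dict[str, Tuple[str, str]]:
    flows = {
        "lan_to_lan": Flow("10.1.2.3", "10.1.50.9", 445),
        "guest_to_lan": Flow("10.9.0.7", "10.1.50.9", 445),
        "guest_to_dmz_https": Flow("10.9.0.7", "192.168.100.10", 443),
        "guest_to_dmz_ssh": Flow("10.9.0.7", "192.168.100.10", 22),
        "lan_to_dmz_ssh": Flow("10.1.2.3", "192.168.100.10", 22),
    }
    return {name: evaluate(flow, POLICIES) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:20} {action:5} {reason}")
```

The guest-to-LAN SMB flow and the guest-to-DMZ SSH flow are the ones that would show in red: nothing explicit allows them, so the implicit inter-zone deny applies.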

Health Map
The Health Map provides a color-coded hourly status for each selected appliance. If you click any of the hourly status
cells, it shows the alarms and configured threshold settings of that appliance.

Overlay Traffic Distribution


Tunnel Bandwidth Pie Charts can show you the distribution of traffic through the different overlays. Other types of pie
charts, graphs, and tables are also available. We invite you to explore them in the Monitoring menu of the Orchestrator.

Which Applications Are Using Bandwidth?


Built-in reports can show you which applications are using bandwidth in your network. The ratio of dark bars (WAN) to
light bars (LAN) on the inbound and outbound side also gives you a view of the reduction of data traffic sent between
EdgeConnect peers. Orchestrator also shows this as a percentage on either side of the bar graphs.

Loss: Pre-FEC & Post-FEC

The Loss tab can show you the amount of packet loss a receiving appliance reports, and how well FEC corrects that loss.
The green bar shows the actual pre-FEC packet loss for received packets. The orange bar shows the effective post‐FEC
loss—the remaining loss after the appliance applies FEC.

Appliance Charting from Orchestrator


You can view appliance charts that show real-time information or information from a specific date range and time.
Orchestrator provides many options from the menu on the left.

Configuring Reports: Orchestrator

You can create custom reports with Orchestrator. You can schedule the reports to run at specific intervals and times or on demand. Each report can include various information that the appliances record. You select appliances in the appliance tree of Orchestrator and then click the Use Tree Selection button to include their data. After Orchestrator generates a report, it can email it to a recipient.

Aruba EdgeConnect SD-WAN Systems Status

It’s important that you can determine the operational status of Aruba EdgeConnect Enterprise systems. You can view this information at the website, https://status.silverpeak.cloud.

Logging
Logging Overview: Orchestrator
Orchestrator’s Audit Logs and the Orchestrator Debug can be useful while working with Aruba EdgeConnect SD-WAN
support.
• Audit Logs: An aggregate of appliance logs shown in Orchestrator. You can set a filter for an appliance, a date
range, or a user account.
• Orchestrator Debug: A pop-up window with many tabs. Though you might understand some of the entries of
these features, especially the Audit Logs, we mostly want you to understand how to access these features in case
you need to work with the support team.

Log Viewer (Appliance)

The Log Viewer displays logs the appliance has recorded:
• Event: Process-generated system events
• Audit: User-initiated actions
• Alarm: System-generated alarms
• Node: REST API calls
• Firewall: Traffic the zone-based firewall denies and drops

Alarm Alerting
You can configure Orchestrator to send alarm-generated emails to recipients. You control the severity level of the alarms
that generate emails. You can also select alarms to acknowledge and clear them. You cannot clear some types of alarms.

Flow Export: NetFlow / IPFIX

EdgeConnect appliances support NetFlow and IPFIX reporting. They send statistics directly to one or more collectors, not to the Orchestrator. You configure them via the Flow Export template and can view the appliances that use it with the Flow Export feature. You might notice the collectors report using two virtual interfaces, sp_lan and sp_wan. Traffic flowing through the LAN interfaces is reported against sp_lan. Traffic flowing through the WAN interfaces is reported against sp_wan. The WAN export reports on the flows that are going through the tunnel, not the tunnel packets. This means that it reports on the packets destined for the tunnel before encapsulation and transmission across the WAN.

Remote Log Receivers

You can send your data to the following types of receivers: HTTP, HTTPS, Kafka, Syslog, and WebSocket. Each remote log receiver uses a different mechanism to support asynchronous notifications. After you select which remote log receiver you want to use, you can configure specific settings for it.

Working with Technical Support

How to Get Help
Be sure that you have a support account in case you need to work with Aruba EdgeConnect SD-WAN support. You can find the Aruba Support Portal at https://asp.arubanetworks.com. If your SD-WAN or appliance is down, be sure to make a phone call for the fastest possible support. You should collect information about the issue that you can provide to the support team so they can troubleshoot the issue. You can view the status of support cases from this support portal.

Contact Technical Support

From the Support menu of the Appliance Manager, the Technical Support page provides this information:
• Technical Support
 Appliance model
 Appliance serial number
 ECOS release version
• Contact information
 Support website
 Support email address (Use this for most support issues.)
 Support phone numbers (Use this for urgent, network-down issues.)
• Documentation website

Many Resources from Appliance

If you need technical support, in addition to Technical Support contact information, you can access additional tools and user documentation from the Support menu of an appliance.

Tech Support – Appliances


The Tech Support – Appliances page provides you with these functions:
• Create a support case
• Generate a Sys Dump file
• Securely upload selected files to support
• Download selected files to the Orchestrator
The support team will often need a Sys Dump file to analyze the issue. It contains things like the appliance configuration,
software version, and log files.

Tech Support – Orchestrator

The Tech Support – Orchestrator page provides you with these functions:
• Create a support case
• Securely upload selected files to support
• Download selected files to your local computer
You can select a file type filter so it’s easier to find the files you need. You can also upload files to support using Upload Local Files from Orchestrator’s Support menu.

Documentation
Always consult the Aruba EdgeConnect Enterprise documentation. All documentation is available online without the need to log in. Aruba EdgeConnect SD-WAN documentation is available at the following website:
https://www.arubanetworks.com/techdocs/sdwan/

Software and Documents Search

If you need to locate specific documentation, you can set a filter for Aruba EdgeConnect Enterprise, and then search from the Software and Documents section of the Aruba Support Portal website:
https://asp.arubanetworks.com/downloads

Conclusion
AASP Assessment Overview
As a reminder, this course supports the Aruba Accredited SD-WAN Professional (AASP) accreditation assessment. You can enroll in the assessment at this URL:
https://inter.viewcentral.com/events/cust/cust_tracks.aspx?company_login_id=aruba&pid=1&track_id=43
Note this information about the AASP assessment:
• 1-hour time limit
• Open-book assessment
• 40 multiple-choice questions
• Minimum passing score of 70%
• If you do not pass the assessment twice, you must wait 1 week before your next attempt

Thank You
Thank you for choosing EdgeConnect SD-WAN for your organization. We hope the information from this course serves
you well.
