202 DST STUDENT GUIDE 9.0.4 9.0.3 v3.1
Trademark Notification
The following are trademarks of Silver Peak (acquired by Aruba, a Hewlett Packard Enterprise
company, in 2020): Silver Peak Systems™, the Silver Peak logo, Network Memory™, Silver Peak NX-
Series™, Silver Peak VX-Series™, Silver Peak VRX-Series™, Silver Peak Unity EdgeConnect™, Silver
Peak Orchestrator™, Aruba EdgeConnect™, Aruba Orchestrator™, and Aruba Boost™. All trademark
rights reserved. All other brand or product names are trademarks or registered trademarks of their
respective companies or organizations.
http://training.silver-peak.com
Table of Contents
Lab 1: Orchestrator Installation and Initial Configuration
Lab 2: Orchestrator Getting Started Wizard
Lab 3: Configure Groups and Labels
Lab 4: Configure Deployment Profiles
Lab 5: Configure a Template Group
Lab 6: Introduction to Business Intent Overlays
Lab 7: Complete the Configuration of ECV-1, ECV-2, and ECV-4
Lab 8: Approve ECV-1, ECV-2, and ECV-4 from the Orchestrator
Lab 9: Modify BIO Settings
Lab 10: Install ECV-5 from an OVA File
Lab 11: Configure ECV-5 with Appliance Preconfiguration
Lab 12: Configure Traditional HA
Lab 13: Monitor Flows
Lab 14: Configure a Report
Lab 15: Use Troubleshooting Tools
Appendix A: Solutions to Common Issues
Appendix B: DST Lab Topology
Appendix C: Summary of Orchestrator and EC-V Appliances
Appendix D: User IDs and Passwords Lab Access Code
INSTRUCTOR:
• Ask the students to use Zoom’s raise hand feature to indicate they are working on a lab.
• Ask the students to turn off Zoom’s raise hand feature to indicate they have completed the lab.
Objectives
Instructions
Task 1: Review the text formatting conventions
1. The instructions in this student guide use these formatting conventions:
This text indicates an item that you click with your mouse buttons.
This text indicates text that you type with your keyboard.
This text indicates information that cautions you about a potential issue.
a. Opening and closing tabs in a web browser: You use Google Chrome on the
Landing Desktop PC during the DST labs. Enter CTRL+T to open a new tab.
c. Copying and pasting text and files: Enter CTRL+C to copy. Enter CTRL+V to
paste.
3. As you work with this student guide, be sure to follow all of the written instructions.
4. Screenshots provide additional context and are not a replacement for the written
instructions.
5. In the event that an image differs from written instructions, always follow the written
instructions.
6. As you follow a task’s steps, be aware that additional information might be on the
next page.
Google Chrome version 96 was used while creating this student guide, but other web
browsers that support HTML5 should also work.
If your web browser doesn’t support HTML5, you might see a message about
upgrading it and a link to the non-HTML5 ReadyTech portal. If you choose to use the
non-HTML5 ReadyTech portal, follow its instructions.
Caution: When you log in to the ReadyTech environment, be sure that you do not
set a password, otherwise you can potentially lock yourself out of your lab.
b. Password: Speak-123
19. From the ReadyTech instructor-led portal Desktop menu, choose a view option:
Best fit, Scale to fit, or Full screen mode. Enter ESC to exit full-screen mode.
b. Password: Training1!
23. If necessary, click Navigator on the left side to expand this section.
24. Click Virtual Machines. You should see 13 virtual machines (VMs).
31. Click Next on the Select OVF and VMDK files window.
a. Network mappings: VM
Network:
SW 01 - Management
b. Disk provisioning:
Thick
c. Power on automatically:
Selected
36. While Orchestrator installs, you should see these two tasks in the Recent Tasks
section of VMware ESXi. If the Recent Tasks section is visible at the bottom of the
window, and you don’t see these tasks, notify your instructor:
b. Import VApp
While you wait for the Orchestrator VM installation to finish, complete this task.
39. Review page 1 of the DST Lab Topology. The gold ovals (e.g. SW 02) are vSwitch
port groups in VMware ESXi that connect virtual machines (VMs) to one another.
You connect from the Landing Desktop PC to the other VMs via the
SW 01 - Management vSwitch port group.
b. Which IP address will you assign to Orchestrator after you install it?
192.168.1.254
41. Review page 2 of the DST Lab Topology. This page provides information about the
Orchestrator and EC-V appliances. During the labs, if you have difficulty locating
information about a VM, you can refer to this page.
42. Review page 3 of the DST Lab Topology. This page provides user IDs and
passwords for the VMs you interact with during the DST labs.
If you need to enter commands in a VMware console window, and it displays incorrect
characters, you can find instructions on non-US keyboard setup and using the
on-screen keyboard in Appendix A: Solutions to Common Issues.
44. Right-click the name of the Orchestrator VM, and then click Console > Open console
in new tab.
a. User: admin
b. Password: admin
Caution: In the following steps, ensure that you use the password Speak-123 for
the Linux admin and root accounts. Otherwise, you can accidentally lock
yourself out of Orchestrator. We cannot perform password recovery for
Orchestrator in the ReadyTech environment.
50. After you enter the new passwords, Orchestrator displays the message
Successfully updated passwords.
g. IP address: 192.168.1.254
h. Netmask: 255.255.255.0
i. Gateway: 192.168.1.253
54. The orch-setup utility shows the message Restarting network. This may take a
while.
58. Right-click the gray bar between Virtual machine and Status.
a. Used space
b. Guest OS
c. Host CPU
d. Host memory
a. IP address
63. In the list of virtual machines, verify the IP address for the Orchestrator is
192.168.1.254.
If the status of a VM is Warning, click Refresh above the list of virtual machines. The
status should change to Normal. This is only a cosmetic issue.
Review
Answer the following questions:
3) Why did you connect the Orchestrator to the SW 01 - Management vSwitch port group?
To ensure connectivity via the out-of-band management network.
Instructor:
• Cancel unused lab codes before the first 3 hours of class have passed.
You access the Orchestrator from a web browser. From the web interface, you
complete the Getting Started Wizard to register the Orchestrator with Cloud Portal and
to configure an email server and a backup server.
Objectives
Instructions
Task 1: Generate an Account Name and Account Key for the
Orchestrator and EdgeConnect virtual appliances
1. On the Landing Desktop PC’s taskbar, click the Show Desktop icon.
The Orchestrator and EC-V appliances of an Aruba SD-WAN all use the same account
name and account key.
If you close the License.txt file, you can open it again from the Landing Desktop PC’s
desktop.
6. Open a new tab in Google Chrome, and then click the Orchestrator bookmark.
Alternatively, you can enter https://192.168.1.254 into the address bar.
7. Click Advanced on the Your connection is not private window, and then click
Proceed to 192.168.1.254 (unsafe).
b. Password: admin
9. Click Login.
a. Password: Speak-123
b. Confirmation: Speak-123
13. If Orchestrator notifications appear in the upper-right corner (e.g. Generate New
Key Now), click Close, Dismiss, or Don’t Show Again.
Caution: During the DST labs, if some screens or web interface elements extend
outside the viewable area of the Landing Desktop PC, modify the zoom level of
its Google Chrome web browser. Click CTRL + + to zoom in. Click CTRL + - to
zoom out. Click CTRL + 0 to restore the zoom level to 100%.
14. Select the EdgeConnect box under Select Products on the License and
Registration tab.
15. Copy the account name from the License.txt file, and then paste it into the
Account Name field.
16. Copy the account key from the License.txt file, and then paste it into the Account
Key field.
g. Server Port: 25
k. Click Test to the right of the Send a Test Email to field. You should see this
message at the bottom of the screen. If the test isn’t successful, verify the
settings.
a. Protocol: FTP
b. Hostname: 192.168.1.200
c. Username: anonymous
d. Password: Speak-123
e. Directory: /GMS
f. Port: 21
22. Click Test below Max backups to retain. If the test is not successful, verify the
settings. If the test is successful, Orchestrator shows a success message.
a. Frequency: Weekly
b. Day: Saturday
c. Time: 08:00
You turn off this setting for the DST labs to prevent numerous software release
notifications from opening in Orchestrator. In a production SD-WAN, you don’t need to
turn off this Orchestrator setting.
You might need to dismiss new software release notifications if they appeared before
you set that setting to false. After you do this, additional new software release
notifications won’t appear.
Review
Answer the following questions:
1) What is the difference between the Linux admin and root accounts and the Orchestrator
admin account?
The first two are Linux accounts. The third is the admin account for the Orchestrator service that runs on Linux.
You configure groups in the Orchestrator’s tree view to organize the EdgeConnect
appliances it will manage. The interface labels you create on Orchestrator make it easy
to identify an EdgeConnect appliance’s interfaces. You can use LAN interface labels as
overlay match criteria. You use WAN interface labels so that your SD-WAN knows
between which WAN interfaces on peer EdgeConnect appliances to establish underlay
tunnels.
Objectives
Instructions
Task 1: Rename Group 1 to Site 1 - Singapore
1. From Orchestrator’s tree view, right-click Group 1, and then click Rename.
The student guide provides detailed instructions the first time it presents a topic. Then,
it refers you back to previous instructions. This approach helps those with different
learning styles by providing step-by-step instructions but also allowing others to recall
the instructions. If you make a mistake, refer back to the
instructions to correct your error.
Caution: Don’t delete any of the preconfigured interface labels, because you use
them during the DST labs.
Orchestrator comes with preconfigured LAN and WAN interface labels. The LTE (Hub
& Spoke) label’s topology indicates that regardless of an overlay’s topology, the WAN
interface with this label only establishes an underlay to a hub EdgeConnect. In this lab,
you change this setting to make cross-connect underlays possible in a later lab.
9. Click the edit icon for the LTE (Hub & Spoke) WAN interface label.
10. Click the Topology drop-down list, and then click any.
Review
Answer the following questions:
Objectives
Instructions
Task 1: Create the Hub Site deployment profile
You modify the preconfigured MPLS + Internet + LTE Branch deployment profile, and
then save it with a different name to create the Branch Office deployment profile.
You apply the Hub Site deployment profile to ECV-1 at Site 1 - Singapore in a later lab.
4. Under LAN Interfaces, below interface lan0, click +IP to add a sub-interface.
a. wan0: MPLS1
b. wan1: INET1
c. wan2: LTE
b. wan1: Stateful+SNAT
c. wan2: Stateful+SNAT
10. Verify the NAT Flag setting for each WAN interface:
In a production SD-WAN, you would configure the NAT Flag setting for the internet and
4G LTE interfaces when upstream devices perform NAT. In this training lab, this isn’t
necessary.
12. Click ∑ Calc to set the Total Outbound and Total Inbound WAN bandwidth
settings to 18,000 each.
You modify the Hub Site deployment profile, and then save it with a different name to
create the Data Center deployment profile.
You apply the Data Center deployment profile to ECV-4 and ECV-5 at Site 3 – Santa
Clara in a later lab.
You modify the DataCenter deployment profile, and then save it with a different name
to create the MPLS Branch Office deployment profile.
You apply the MPLS Branch Office deployment profile to ECV-2 at Site 2 – Mumbai in
a later lab.
a. Hub Site
c. Data Center
Review
Answer the following questions:
2) Why are the IP address and next-hop fields of a deployment profile inactive?
To avoid duplicate IP address issues. Configure them with appliance preconfiguration or the deployment window.
Objectives
Instructions
Task 1: Configure the Default Template Group
During this lab, you choose templates to include in the Default Template Group. In a
later lab, you apply the Default Template Group to the EdgeConnect appliances. This
allows you to configure these settings once, and then apply them to each of the appliances. This
reduces the risk of incorrectly configuring settings and saves time.
3. Click and drag these templates from the Active Templates column to the Available
Templates column to remove them from the Default Template Group:
a. SNMP
b. Admin Distance
c. Shaper
a. User Management
a. DNS
b. Date/Time
c. User Management
d. Management Services
e. Session Management
The DNS and Management Services templates already have the necessary settings.
a. Click the X to the right of the pre-configured NTP server to delete it.
c. Click Add.
Server: 192.168.1.151
Version: 3
The K1-MPLS WAN emulator VM acts as the NTP server in the ReadyTech
environment.
Review
Answer the following questions:
1) What is a template?
You configure settings in a template that Orchestrator applies to multiple appliances.
You configure Business Intent Overlays (BIOs) on Orchestrator to define how the
EdgeConnect appliances link-bond IPsec UDP underlay tunnels and apply other
settings for them to work together as logical overlay tunnels. You can only create and
configure BIOs on Orchestrator, not directly on EdgeConnect appliances.
Objectives
Instructions
Task 1: Review the Business Intent Overlays summary window
1. From Orchestrator, open the Business Intent Overlays tab. (Configuration >
[Overlays & Security] > Business Intent Overlays)
Caution: Do not delete any BIOs during this course. Orchestrator doesn’t include
an undo option that can replace any BIOs that you delete.
RealTime
CriticalApps
BulkApps
DefaultOverlay
Overlay name
Aside from their Overlay ACL match criteria, the preconfigured BIOs all have the same
settings until you modify them.
3. Click in the Overlay or SD-WAN Traffic to Internal Subnets columns for the
RealTime BIO. Orchestrator shows the BIO’s name, match setting, and region at the
top of the window. It also shows a tabbed interface with settings for traffic that matches
an internal destination network.
4. Click the Match drop-down list. What are the three options for matching traffic to an
overlay?
Overlay ACL (recommended best practice), LAN Port, and Appliance ACL (general-use access list).
5. Click the edit icon next to the match criteria field. Orchestrator shows the
Associate ACL window.
6. Review the rules that determine which traffic matches the RealTime overlay.
9. Repeat steps 3-7 for the CriticalApps BIO, and then the BulkApps BIO.
The preconfigured RealTime, CriticalApps, and BulkApps BIOs match specific types of
traffic and apply specific settings to them. The DefaultOverlay BIO matches all other
types of traffic. This ensures an EdgeConnect provides SD-WAN optimization to all
internal traffic (i.e. non-internet traffic).
13. Review all of the settings on the SD-WAN Traffic to Internal Subnets tab.
15. The INET1, INET2, and LTE interfaces are members of the Group1 cross-connect
group. Why does Orchestrator make these interfaces members of the cross-connect
group but not the MPLS interfaces?
Cross-connect groups establish additional underlays between peers’ WAN interfaces. EC must route between providers.
16. By default, when does an overlay switch from its primary interfaces to its
secondary or backup interfaces?
It switches when the primary interfaces are all down.
When an interface does not meet a service level objective, EdgeConnect marks it for
removal from service but continues to use it. When none of the interfaces meet a
service level objective, it switches over to the next tier of interfaces. Failover
happens in this order: Primary > Secondary (if used) > Backup. If you restore service to
one or more higher-tier interfaces, the overlay switches back to them again.
18. At this point, use the default SD-WAN Traffic to Internal Subnets settings for all
four preconfigured BIOs.
EdgeConnect follows the Preferred Policy Order for traffic with a destination IP address
that isn’t in the table on the Internal Subnets window. By default, the Preferred Policy
Order lists Break Out Locally, Backhaul Via Overlay, and Drop. EdgeConnect uses the
interfaces shown on this tab because Break Out Locally is in the Preferred Policy
Order. Backhaul Via Overlay sends the traffic to another EdgeConnect that performs
local internet breakout.
21. By default, the Preferred Policy Order has Break Out Locally at the top, Backhaul
Via Overlay next, and Drop at the bottom. Answer the following questions:
a. When EdgeConnect receives traffic destined to the Internet, how does it forward
the traffic?
It breaks out the traffic locally using INET1 or INET2.
b. If an EdgeConnect is unable to locally break out the traffic, how does it forward
the traffic?
It refers to its routes table to determine which overlay to use to forward it to another peer to reach the destination IP.
c. If an EdgeConnect is unable to locally break out the traffic or backhaul the traffic
via an overlay, how does it handle the traffic?
It drops the traffic.
During this task, you configure a global IP SLA that applies to all of the overlays.
EdgeConnect appliances use this IP SLA to verify that the Internet is reachable in order
to perform local internet breakout. If the targets you specify in the IP SLA are not
reachable, EdgeConnect refers to the next option in the Preferred Policy Order. If no
other options are present, then it uses the Drop option.
22. Click the edit icon next to Break Out Locally Using These Interfaces.
23. Delete sp-ipsla.silverpeak.com, 8.8.8.8, and 8.8.4.4 from the Address field.
24. Enter these IP addresses in the Address field with a comma but no spaces between
each one: 10.110.104.1,10.110.105.1,10.110.116.1.
25. Review the DST Lab Topology, and then answer these questions:
a. Can ECV-1, ECV-2, and ECV-4 ping the 10.110.104.1 or 10.110.116.1 internet
gateway addresses?
ECV-1 can ping 10.110.104.1. ECV-2 can’t ping any of them. ECV-4 can ping 10.110.116.1.
b. Can ECV-1, ECV-2, and ECV-4 ping the 10.110.105.1 LTE gateway address?
Only ECV-1 can ping the 10.110.105.1 LTE gateway address.
At this point, Orchestrator has the four preconfigured BIOs. All of the BIOs now use the
global IP SLA that monitors 10.110.104.1, 10.110.105.1, and 10.110.116.1. However,
you have not yet added EdgeConnect appliances to your SD-WAN, so the BIOs are not
yet in effect.
Review
Answer the following questions:
4) What are the default monitoring addresses for local internet breakout?
sp-ipsla.silverpeak.cloud, Google Public DNS (8.8.8.8, 8.8.4.4).
Objectives
Determine the MAC addresses of each VM’s network adapters in VMware ESXi
Instructions
Task 1: Become familiar with VMware ESXi vSwitch port groups
1. Unless it is already open, add a new tab in Google Chrome on the Landing
Desktop PC, and then open the DST Lab Topology bookmark.
2. Review the DST Lab Topology diagram. The gold-colored ovals represent the
vSwitch port groups to which each VM connects that allow them to communicate
with one another. Think of the vSwitch port groups like a physical switch that has
devices connected to it with cables. VMware ESXi uses virtual network switches, or
vSwitches, to interconnect its VMs. Each vSwitch has a port group. The port group
defines how the interfaces of each VM connect to a vSwitch.
5. In the Hardware Configuration section, click the disclosure triangle next to each
of the five network adapters to show their settings.
ECV-1 Information
1 SW 01 - Management mgmt0
2 SW 02 lan0
3 SW 03 wan0
4 SW 04 wan1
5 SW 05 wan2
ECV-1 is already installed, but not completely configured. The next few steps show
another method for determining the mgmt0 IP address of an EC-V.
7. In VMware ESXi, open a console for ECV-1 in a new tab. (Console > Open console in
new tab)
8. The IP address is at the top of the console window. If the address is not
present, notify your instructor.
If your cursor becomes stuck in the VMware ESXi console window, enter CTRL + ALT
on your keyboard to release the cursor. If you’re using a Mac computer, enter
CTRL + Option.
13. Click the ECV-1 (192.168.1.41) bookmark. If you choose to open a browser tab and
enter the ECV-1 DHCP IP address instead of using the bookmark, be sure to enter
https:// before the IP address.
14. Click through any Google Chrome security warnings that might appear.
b. Password: admin
16. Click Login to open the Initial Config Wizard. If the Initial Config Wizard doesn’t
automatically appear after you log in, click Configuration > [System & Networking] >
Initial Config Wizard on the appliance’s menu to open it.
17. Enter ECV-1 in the Appliance Hostname field.
22. Wait for the Save Changes and Reboot Required buttons to appear. If necessary,
refresh the Google Chrome window to cause the buttons to appear.
ECV-2 Information
1 SW 01 - Management mgmt0
2 SW 06 lan0
3 SW 08 wan0
ECV-4 Information
1 SW 01 - Management mgmt0
2 SW 13 lan0
3 SW 15 wan0
4 SW 16 wan1
Review
Answer the following questions:
After initial configuration, you approve each EdgeConnect from Orchestrator. Once you
approve an EdgeConnect, you complete the Appliance Wizard to define settings for it.
Following this process, Orchestrator manages the EdgeConnect appliance. It’s a best
practice to define a static IP address to manage each EdgeConnect, which you do
during this lab.
Objectives
Instructions
Task 1: Verify that ECV-1, ECV-2, and ECV-4 have finished rebooting
1. From VMware ESXi, click Virtual Machines in the Navigator pane.
Verifying that the EdgeConnect appliances have finished rebooting helps to ensure that
Orchestrator shows them as Reachable during a later task.
d. City: Singapore
g. Country: Singapore
16. Click Next on page 3. You don’t use loopback addresses during the DST labs.
RealTime: Selected
BulkApps: Selected
DefaultOverlay: Selected
20. Click Apply on page 5. Orchestrator shows a list of operations on the Appliance
Wizard window. All of them should have a status of Success, and the overall status
should be Done. If one of the operations should fail, click Go Back, and then click
Apply again.
21. When all of the operations show Success, click Close on the Appliance Wizard
window.
Repeat the instructions from Task 3: Complete the Appliance Wizard for ECV-1, but
for ECV-2 during this task.
d. City: Mumbai
g. Country: India
29. Click Next on page 3. You don’t use loopback addresses during the DST labs.
RealTime: Selected
BulkApps: Selected
DefaultOverlay: Selected
33. Click Apply on page 5. Orchestrator shows a list of operations on the Appliance
Wizard window. All of them should have a status of Success, and the overall status
should be Done. If one of the operations should fail, click Go Back, and then click
Apply again.
34. When all of the operations show Success, click Close on the Appliance Wizard
window.
Repeat the instructions from Task 3: Complete the Appliance Wizard for ECV-1, but
for ECV-4 during this task.
e. State: CA
g. Country: US
42. Click Next on page 3. You don’t use loopback addresses during the DST labs.
RealTime: Selected
BulkApps: Selected
DefaultOverlay: Selected
46. Click Apply on page 5. Orchestrator shows a list of operations on the Appliance
Wizard window. All of them should have a status of Success, and the overall status
should be Done. If one of the operations should fail, click Go Back, and then click
Apply again.
47. When all of the operations show Success, click Close on the Appliance Wizard
window.
49. From Orchestrator’s tree view, click the disclosure triangle for each group.
ECV-1, ECV-2, and ECV-4 should each be a member of a respective group.
52. Click the Close button. Orchestrator shows the hostname and IP address of
each EdgeConnect appliance’s mgmt0 interface in the tree view.
58. Click Save Changes in the upper-right area. You might have to wait for a few
seconds for this button to appear.
Task 11: Configure mgmt0 of ECV-2 and ECV-4 with a static IP address
60. Repeat the steps you used in Task 8: Configure ECV-1’s mgmt0 with a static IP
address, but for ECV-2 with the IP address 192.168.1.5.
61. Repeat the steps you used in Task 8: Configure ECV-1’s mgmt0 with a static IP
address, but for ECV-4 with the IP address 192.168.1.7.
If you see a warning alarm for the NTP server, you can ignore it. This is a cosmetic
issue that can happen in the ReadyTech environment.
In this version of Orchestrator software, you must refresh the Google Chrome web
browser window for Orchestrator to correctly display the topology map.
63. Click the Settings icon to show the topology map’s settings, and then
review them.
64. If not already in position, click and drag the Grouping Radius slider to the far-left
below Min.
65. If necessary, click the Zoom In and Zoom Out buttons to adjust the topology
map’s zoom level so you can see all of the EdgeConnect appliances on it.
66. Click the settings icon again to close the topology map’s settings.
67. Observe the color changes in the circles around each EdgeConnect and the lines
that represent tunnels between them. An EdgeConnect has a red circle if the
Orchestrator can’t communicate with it. This clears after the EdgeConnect finishes
booting and starts to communicate with Orchestrator. The tunnels change to orange
or red if they have connectivity issues. Green indicates a tunnel with an Up status.
In the lab, it takes about 10 minutes for each EdgeConnect to communicate with
Orchestrator and establish its tunnels. In a production network, this process
takes about 5 minutes. During this lab, if this process takes more than
10 minutes, you can also synchronize Orchestrator’s information for each
EdgeConnect. (Administration > [Tools] > Synchronize)
68. On the Topology tab, verify that the drop-down list is set to All Overlays.
icon on the
right side of the
top row with the
The tunnels only show traffic for keepalive packets because you have not opened any
other types of connections between the sites.
74. From Orchestrator’s tree view, select only ECV-1 and ECV-4.
78. On the Tunnels tab, click the Traceroute icon for the row with the
to_ECV-4_MPLS1-MPLS1 underlay tunnel. The Traceroute window shows the
underlay’s hop-by-hop latency.
If you don’t see any flows, they have timed out. Repeat the two previous steps again to
see the two flows.
Review
Answer the following questions:
1) If the Discovered Appliances tab shows the wrong information for an EdgeConnect, what
button should you click?
Refresh Discovery Information
3) On the Topology tab, what do blue, red, orange, and green lines indicate about tunnels?
Blue = pending, red = down, orange = partially down, and green = up.
4) What can Live View show about an overlay and its underlays?
Charts: Bandwidth, Loss, Jitter, Latency, and MOS. Traceroute chart. Tunnels: Up, Not Meeting Service Levels, or Down.
Objective
Distinguish between passthrough traffic, backhauling internet traffic via an overlay, and
local internet breakout
Instructions
An overlay uses the SD-WAN Traffic to Internal Subnets settings to reach internal
destinations that match the subnets in the Internet Traffic Definition feature. SD-WAN
traffic includes breakout traffic backhauled to an EdgeConnect hub.
4. Drag & drop these interfaces from the Primary field and back to the Available
Interfaces field:
a. INET2
b. MPLS2
5. Click the Add Backup if Above Are drop-down list, and then click Not Meeting
Service Levels.
a. Loss: 2%
b. Latency: 100 ms
9. Drag & drop the INET2 interface from the Primary field to the Available Interfaces
field.
a. Loss: 2%
b. Latency: 100 ms
11. Click the box for Exclude Links That Are Below Performance Thresholds.
ECV-1 and ECV-4 can now perform local internet breakout from their INET1 interfaces.
If the performance of their INET1 interfaces doesn’t meet the performance threshold
values for loss or latency, they switch from INET1 to LTE for local internet breakout. If
no interfaces meet the performance thresholds, the appliances refer to the Preferred
Policy Order.
ECV-2 doesn’t have INET1 or LTE interfaces and can’t perform local internet breakout.
So, it tries to use the Backhaul Via Overlay option in the Preferred Policy Order.
14. Click the Overlay ACL’s edit icon next to the match criteria field.
If you just type CIFS in the field without clicking Cifs_smb in the drop-down list, it won’t
have any effect as match criteria.
23. Click the Boost drop-down list, and then click Enabled.
During this task, you modify the BulkApps BIO, and change its topology to Hub &
Spoke.
26. From the SD-WAN Traffic to Internal Subnets tab, click the Boost drop-down list,
and then click Enabled.
31. Click the Boost drop-down list, and then click Enabled.
33. Click Save and Apply Changes to Overlays on the Business Intent Overlays tab.
36. When the orchestration is done for every EdgeConnect, click Close.
ECV-1 has MPLS, INET, and LTE WAN interfaces. If you add ECV-1 as a hub, it acts
as a hub for every overlay that Orchestrator applies to it. Therefore, ECV-2 can
backhaul internet traffic to ECV-1.
41. Click the Google Chrome refresh button on the Landing Desktop PC to see
the updated hubs table that shows ECV-1 if it doesn’t appear automatically.
a. How does the BulkApps overlay’s topology differ from the other overlays?
BulkApps has a Hub & Spoke topology.
During this task, you test local internet breakout via ECV-4.
46. From the Landing Desktop PC, open a remote desktop window for TG-3511. (Start
> Remote Desktop Connection > TG-3511 > Connect)
47. From Orchestrator’s tree view, click 3 Appliances to select all of the EdgeConnect
appliances.
53. From the Flows tab, click the Flow Detail icon.
During this task, you test backhauling CIFS breakout traffic via ECV-2.
57. Click the Flow Detail icon to view additional information about either flow via
ECV-2, and then answer these questions:
ECV-2 is unable to perform local internet breakout because it doesn’t have any INET or
LTE WAN interfaces. ECV-2 is also unable to backhaul the internet traffic because it
doesn’t have a route to the destination via an overlay. Drop is the last option in the
Preferred Policy Order of the Breakout Traffic to Internet & Cloud Services of the
DefaultOverlay BIO. Therefore, ECV-2 dropped the traffic.
During this task, you add two static routes. ECV-1 will advertise these static routes via
subnet sharing to the other EdgeConnect appliances. Those appliances will use the
routes to backhaul traffic to ECV-1. ECV-1 will then use the default route to reach
UBU-1. The other route ensures that passthrough traffic can reach TG-11411.
61. In the routes table, click the edit icon next to ECV-1.
a. Subnet/Mask: 10.110.114.0/24
c. Metric: 60
a. Subnet/Mask: 0.0.0.0/0
c. Metric: 60
ECV-1 now has the two static routes in its routes table.
70. Review the routes table for ECV-2, and then answer this question:
a. Does ECV-2 have routes via an overlay to the hub, ECV-1, that can reach
TG-11411 and UBU-1?
Yes, it has two routes: 0.0.0.0/0 via ECV-1(HUB) and 10.110.114.0/24 via ECV-1(HUB).
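The drop-then-backhaul behaviour from the preceding tasks, as a simplified Python model added here (it is not ECOS or Orchestrator code). The policy names other than Drop, ECV-2's MPLS-only interface list, the non-matching route in ROUTES_BEFORE, and the TG-11411 host address are assumptions made for the example.

```python
import ipaddress

# Assumed policy names; the guide only confirms that Drop is the last option.
POLICY_ORDER = ["break_out_locally", "backhaul_via_overlay", "drop"]
BREAKOUT_LABELS = {"INET", "LTE"}  # WAN labels usable for local internet breakout


def best_overlay_route(routes, dst):
    """Longest-prefix match over routes learned via subnet sharing."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), hop


def breakout_decision(wan_labels, overlay_routes, dst):
    """Walk the preferred policy order and return the first usable action."""
    for policy in POLICY_ORDER:
        if policy == "break_out_locally" and BREAKOUT_LABELS & set(wan_labels):
            return ("break_out_locally", None)
        if policy == "backhaul_via_overlay":
            route = best_overlay_route(overlay_routes, dst)
            if route:
                return ("backhaul_via_overlay", route)
        if policy == "drop":
            return ("drop", None)


# Constructed lab state built from the addresses in the guide.
ECV2_WAN = ["MPLS"]                          # assumed: no INET or LTE interface
UBU1 = "11.1.1.11"
TG11411 = "10.110.114.11"                    # assumed host in 10.110.114.0/24
ROUTES_BEFORE = [("10.110.10.0/24", "ECV-1")]  # constructed, does not cover UBU-1
ROUTES_AFTER = ROUTES_BEFORE + [("0.0.0.0/0", "ECV-1(HUB)"),
                                ("10.110.114.0/24", "ECV-1(HUB)")]

if __name__ == "__main__":
    print(breakout_decision(ECV2_WAN, ROUTES_BEFORE, UBU1))   # before the static routes
    print(breakout_decision(ECV2_WAN, ROUTES_AFTER, UBU1))    # after subnet sharing
    print(best_overlay_route(ROUTES_AFTER, TG11411))          # more specific /24 wins
    print(breakout_decision(["MPLS", "INET", "LTE"], ROUTES_AFTER, UBU1))
```

The last call shows why an appliance with INET or LTE interfaces never reaches the backhaul step for this traffic.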
Task 10: Open a CIFS connection between TG-2011 and UBU-1 again
72. From Orchestrator’s tree view, click 3 Appliances to select all of the EdgeConnect
appliances.
75. From TG-2011, open the UBU-1 Files desktop shortcut. The
\\UBU-1\Shared_Files window opens.
76. From Orchestrator’s Flows tab, click the refresh button. Three flows
via ECV-1 and ECV-2 appear with a source IP address of 10.110.20.11 (TG-2011)
and a destination IP address of 11.1.1.11 (UBU-1).
77. Click the Flow Detail icon to view additional information about the flow via
ECV-2 with to_ECV-1 in the name of its tunnels, and then answer these questions:
79. Click the Flow Detail icon to view additional information about the flow via
ECV-1 with to_ECV-2 in the name of its tunnels, and then answer these questions:
81. Click the Flow Detail icon to view additional information about the flow via
ECV-1 with Passthrough in the name of its tunnels, and then answer these
questions:
TG-2011 initiates a connection to UBU-1 which ECV-2 receives. ECV-2 can’t perform
local internet breakout because it doesn’t have INET1 or LTE WAN interfaces. ECV-2
backhauls traffic via the to_ECV-1_CriticalApps overlay to the hub, ECV-1. ECV-1 uses
its default route via 10.110.104.1 to forward passthrough traffic to UBU-1. ECV-1
receives passthrough traffic from UBU-1. ECV-1 forwards the traffic via the
to_ECV-2_CriticalApps overlay to ECV-2. ECV-2 then forwards the traffic from its lan0
interface to TG-2011.
Review
Answer the following questions:
1) How does the topology change to Hub & Spoke for the BulkApps BIO affect its tunnels?
The overlay only establishes IPsec UDP underlay tunnels from ECV-2 and ECV-4 to the hub, ECV-1.
4) Why did this work after you added the default route via 10.110.104.1 to ECV-1?
ECV-1 advertised this route via subnet sharing to ECV-2, which could backhaul via an overlay to ECV-1, which could reach UBU-1.
With physical appliances, ECOS is already installed on the appliance. However, since
the virtual appliances don’t have hardware, you install each EC-V in your hypervisor
from an OVA file. In this lab, you install ECV-5.
Objectives
Instructions
Task 1: Install ECV-5 from an OVA file
1. From VMware ESXi, click Virtual Machines in the Navigator pane.
4. Click Next.
Caution: During the next step, ensure that you remove the check mark from the
Power on automatically box. If you power on the VM, the initial configuration
wizard won’t find the additional virtual network adapters you add during a later
task.
In a production SD-WAN, always choose Thick disk provisioning to avoid performance
issues. You chose Thin in this lab due to limited resources in the ReadyTech
environment.
13. Click Recent Tasks to expand it if you want to watch the progress of the installation.
When the Result column shows Completed successfully, ECV-5 is installed. The
installation should take about 5 minutes or less.
ECV-5 already has Network adapter 1 for its mgmt0 interface. You add three
more new network adapters: 2, 3, and 4. Network adapter 2 is for the lan0 interface.
Network adapter 3 is for the wan0 interface. Network adapter 4 is for the wan1
interface.
16. Configure these settings for the first new network adapter:
20. Configure these settings for the second new network adapter:
24. Configure these settings for the third new network adapter:
30. Review each network adapter’s settings, and then record the last two digits of each
MAC address in the following table.
ECV-5 Information
1 SW 01 - Management mgmt0
2 SW 13 lan0
3 SW 15 wan0
4 SW 16 wan1
ECV-5 is already installed, but not completely configured. The next few steps show
another method for determining the mgmt0 IP address of an EC-V.
31. In VMware ESXi, open a console for ECV-5 in a new tab. (Console > Open console in
new tab)
32. The IP address is at the top of the console window. The last octet of the IP address
can vary. If the address is not present, notify your instructor.
If your cursor becomes stuck in the VMware ESXi console window, enter CTRL + ALT
on your keyboard to release the cursor. If you’re using a Mac computer, enter
CTRL + Option.
Review
Answer the following questions:
1) From what type of file do you install an EdgeConnect virtual appliance in VMware ESXi?
.OVA file
Objective
Instructions
Task 1: Create a preconfiguration file for ECV-5
1. From Orchestrator, open the Preconfigure Appliances tab. (Configuration >
[Overlays & Security] > [Discovery] > Preconfiguration)
2. Click New on the Preconfigure Appliances tab.
11. Click Save. The file appears in the Preconfigure Appliances list with a status of
Pending Discovery.
14. Enter the IP address of ECV-5’s mgmt0 interface into the Google Chrome
address bar. You recorded
15. Click through any Google Chrome security warnings that might appear.
Caution: The next step is essential to make the Appliance Tag of ECV-5 match
the Appliance Tag of the YAML preconfiguration file during Task 5: Apply the
Appliance Preconfiguration for ECV-5.
24. Wait for the Save Changes and Reboot Required buttons to appear. If necessary,
refresh the Google Chrome window to cause the buttons to appear.
35. Before you apply the preconfiguration file, scroll through these lines of YAML code
and answer these questions:
It takes about 5 minutes for Orchestrator to apply the preconfiguration to ECV-5. This
process includes a reboot of ECV-5.
You need to wait for several minutes while Orchestrator synchronizes with ECV-5.
When ECV-5 has a solid icon and text in Orchestrator’s tree view, the synchronization
is done.
40. From Orchestrator’s tree view, right-click ECV-5, and then click Appliance
Manager. Orchestrator logs in the admin account to the web interface of the ECV-5
appliance.
After several minutes, Orchestrator’s tree view shows the updated management IP
address for each EdgeConnect. Once Orchestrator’s tree view shows the management
IP addresses the DST Lab Topology diagram shows, you can click Generate New Key
Now when an account key notification appears in Orchestrator. You need to click Close
on the Cloud Portal window that appears after you do this.
Review
Answer the following questions:
Objective
Instructions
Task 1: Configure the same site name for ECV-4 and ECV-5
4. Click Apply.
8. Click Apply.
14. From the VRRP tab, click the edit icon next to ECV-4.
a. Group ID: 1
b. Interface: lan0
d. Priority: 254
e. Preemption: Selected
18. From the VRRP tab, click the edit icon next to ECV-5.
a. Group ID: 1
b. Interface: lan0
d. Priority: 128
e. Preemption: Selected
Review
Answer the following questions:
Objectives
Identify flows
Instructions
Task 1: Open an FTP session between TG-2011 and TG-1011
1. From Orchestrator’s tree view, select ECV-1 and ECV-2.
5. From the Landing Desktop PC, open a remote desktop window for TG-1011. (Start
> Remote Desktop Connection > TG-1011 > Connect)
6. Open the FileZilla app.
a. Host: 10.110.20.11
b. Username: anonymous
c. Password: Speak-123
202 - DST 9.0.4 9.0.3 Student Guide page 87 of 108
INSTRUCTOR VERSION
8. Click Quickconnect.
11. Open the Flow Detail window for the flow via ECV-1, review its output, and then
close the window.
12. Open the Flow Detail window for the flow via ECV-2, review its output, and then
close the window.
c. Which overlay tunnel does the outbound flow via ECV-1 use?
Outbound: to_ECV-2_BulkApps. Inbound: to_ECV-2_BulkApps.
d. Which overlay tunnel does the inbound flow via ECV-2 use?
Inbound: to_ECV-1_BulkApps. Outbound: to_ECV-1_BulkApps.
5. If you want to find underlay tunnels with a down status on the Tunnels tab, how
can you identify them?
Status drop-down menu. Click the Status column to show down underlays at the top.
10. Verify that the boxes are active and show their colors.
a. Real Time
c. Outbound
13. The graph for to_ECV-2_BulkApps(ECV-1) shows the data that flows from
TG-1011 to ECV-1 to ECV-2 on its way to TG-2011. It shows the majority of the data
for the FTP flows.
14. The graph for to_ECV-1_BulkApps(ECV-2) shows the data that flows from
TG-2011 to ECV-2 to ECV-1 on its way to TG-1011. It is FTP data for requesting the
file and related acknowledgements.
15. Click Show Underlays below the graphs. These graphs show the data for the
underlays that carry the FTP flows.
a. Real Time
c. Outbound
20. The graphs show the overall bandwidth usage for ECV-1 and ECV-2.
A strength of Aruba SD-WAN is its monitoring options. You can monitor the charts for
trend analysis over time. Some monitoring features have real-time view options, while
others display data after one hour or more.
21. Close the Tunnel Bandwidth Trends tab and the Bandwidth Trends tab.
Erasing network memory for an appliance lets you measure baseline performance,
against which you can measure the performance of an EdgeConnect appliance’s
populated disk cache. Don’t use this outside of a scheduled maintenance window
because it negatively affects performance until EdgeConnect rebuilds its disk
cache.
25. From Orchestrator’s tree view, select only ECV-1 and ECV-2.
28. Click Close after the appliances have erased their network memory.
Review
Answer the following questions:
Objectives
Create a report
Schedule a report
View a report
Instructions
Task 1: Create a report
1. From Orchestrator’s tree view, click 4 Appliances.
d. Application Charts: Application Bandwidth
e. Tunnel Charts: All Overlays, Health Map, Flow Counts, Loss, Latency
f. Appliance Charts: Top Talkers, Top Domains, Top Countries
a. Daily
b. Every day
c. Time: 03:00
Current date
13. Click the left-side field and set the start time field to yesterday’s date at 08:00.
14. Click the right-side field and set the end time field to the current date and time.
2. Click the download icon to the right of the daily report. Google Chrome shows a
download notification in the bottom-left corner.
8. Page 5 shows Top Talkers, Domains, and Countries. Answer the following
question:
13. Click the most recent Silver Peak Orchestrator Report: Training email to open it.
Review
Answer the following questions:
Objectives
Instructions
Task 1: Ping from ECV-1 to TG-3511
1. In Orchestrator’s tree view, right-click ECV-1, and then click Appliance Manager.
a. Click Ping.
4. Click Start.
6. Click Stop.
a. Click Traceroute.
If you don’t specify the -s option, the EdgeConnect uses its mgmt0 IP address as the
source IP address.
9. Click Start.
Task 3: Use the Link Integrity Test between ECV-1 and ECV-2
Caution: The Link Integrity Test is service impacting. Only use this tool during a
scheduled maintenance window.
12. From Orchestrator’s tree view, select only ECV-1 and ECV-2.
13. Open the Link Integrity Test. (Administration > [Tools] > Link Integrity Test)
a. Bandwidth →: 2000
b. Bandwidth ←: 2000
c. Duration: 10
d. DSCP: any
This uses the MPLS underlay tunnels between ECV-1 and ECV-2.
a. The test runs first in one direction, and then in the other direction.
d. Each row is one second and shows the amount of data transferred, the
bandwidth, the jitter, and the amount of packet loss.
Review
Answer the following questions:
1) Why do you need to specify a data path source address for a ping or traceroute?
If you don’t do this, the EdgeConnect uses the IP address of its mgmt0 interface as the source IP address.
1. From the Landing Desktop PC, open VMware ESXi in Google Chrome.
(https://esxihost)
7. Verify that Orchestrator reboots and returns to the Orchestrator login prompt.
5. Click and drag the on-screen keyboard over the console window. It might be
necessary for you to position the on-screen keyboard so that the letter you want to
enter is directly over the console window’s active area.
With some keyboards, you might need to enter the Fn (Function) key and the F1 key
together.
7. After the EdgeConnect is done rebooting, note the IP address at the top of the
console window.
You need to wait about 2 minutes before the EdgeConnect accepts HTTPS connection
attempts.
8. Open a Google Chrome tab, enter https:// followed by the IP address from step
7, and then press Enter.
9. Click through any Google Chrome security warnings that might appear.
b. Password: admin
11. Click Login to open the Initial Config Wizard. If the Initial Config Wizard doesn’t
automatically appear after you log in, click Configuration > [System & Networking] >
Initial Config Wizard on the appliance’s menu to open it.
EdgeConnect appliances (ECV-1, 2, 4, and 5) | admin | Speak-123 | Initial default password: admin
hMail Server | Provided by hMail Server. | Speak-123 | Not for student use.
Kwanem Emulators (K1-MPLS, K2-Internet, K3-LTE) | root | Speak-123 | Not for student use.