
INSTRUCTOR VERSION Template Version 2021.08 r1.

202 - Deploying SD-WAN Technologies (DST)
Student Guide
Version 3.1

Deploying SD-WAN Technologies (DST) Student Guide


Based on Orchestrator 9.0.4 and ECOS 9.0.3

Date: May 2022


Copyright ©2022 Silver Peak (acquired by Aruba, a Hewlett Packard Enterprise company, in 2020). All
rights reserved. Information in this document is subject to change at any time. Use of this
documentation is restricted as specified in the End User License Agreement. No part of this
documentation can be reproduced, except as noted in the End User License Agreement, in whole or in
part, without the written consent of Silver Peak (acquired by Aruba, a Hewlett Packard Enterprise
company, in 2020).

Trademark Notification
The following are trademarks of Silver Peak (acquired by Aruba, a Hewlett Packard Enterprise
company, in 2020): Silver Peak Systems™, the Silver Peak logo, Network Memory™, Silver Peak
NX-Series™, Silver Peak VX-Series™, Silver Peak VRX-Series™, Silver Peak Unity EdgeConnect™, Silver
Peak Orchestrator™, Aruba EdgeConnect™, Aruba Orchestrator™, and Aruba Boost™. All trademark
rights reserved. All other brand or product names are trademarks or registered trademarks of their
respective companies or organizations.

Warranties and Disclaimers


THIS DOCUMENTATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SILVER
PEAK (ACQUIRED BY ARUBA, A HEWLETT PACKARD ENTERPRISE COMPANY, IN 2020).
ASSUMES NO RESPONSIBILITY FOR ERRORS OR OMISSIONS IN THIS DOCUMENTATION OR
OTHER DOCUMENTS WHICH ARE REFERENCED BY OR LINKED TO THIS DOCUMENTATION.
REFERENCES TO CORPORATIONS, THEIR SERVICES AND PRODUCTS, ARE PROVIDED “AS IS”
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. IN NO EVENT SHALL
SILVER PEAK (ACQUIRED BY ARUBA, A HEWLETT PACKARD ENTERPRISE COMPANY, IN 2020).
BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY
KIND, OR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, THOSE
RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF THE
POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT OF OR IN
CONNECTION WITH THE USE OF THIS DOCUMENTATION. THIS DOCUMENTATION MAY
INCLUDE TECHNICAL OR OTHER INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES
ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE
INCORPORATED IN NEW EDITIONS OF THE DOCUMENTATION. SILVER PEAK (ACQUIRED BY
ARUBA, A HEWLETT PACKARD ENTERPRISE COMPANY, IN 2020). MAY MAKE IMPROVEMENTS
AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS
DOCUMENTATION AT ANY TIME

Aruba, A Hewlett Packard Enterprise Company


6280 America Center Dr
Sunnyvale, CA 94089

http://training.silver-peak.com

202 - DST 9.0.4 9.0.3 Student Guide page 2 of 108



Table of Contents
Lab 1: Orchestrator Installation and Initial Configuration
Lab 2: Orchestrator Getting Started Wizard
Lab 3: Configure Groups and Labels
Lab 4: Configure Deployment Profiles
Lab 5: Configure a Template Group
Lab 6: Introduction to Business Intent Overlays
Lab 7: Complete the Configuration of ECV-1, ECV-2, and ECV-4
Lab 8: Approve ECV-1, ECV-2, and ECV-4 from the Orchestrator
Lab 9: Modify BIO Settings
Lab 10: Install ECV-5 from an OVA File
Lab 11: Configure ECV-5 with Appliance Preconfiguration
Lab 12: Configure Traditional HA
Lab 13: Monitor Flows
Lab 14: Configure a Report
Lab 15: Use Troubleshooting Tools
Appendix A: Solutions to Common Issues
Appendix B: DST Lab Topology
Appendix C: Summary of Orchestrator and EC-V Appliances
Appendix D: User IDs and Passwords Lab Access Code

INSTRUCTOR:
• Ask the students to use Zoom’s raise hand feature to indicate they are working on a lab.
• Ask the students to turn off Zoom’s raise hand feature to indicate they have completed the lab.


Lab 1: Orchestrator Installation and Initial Configuration
Overview
The first step for setting up your Aruba SD-WAN is to install an Orchestrator. In order to
access the Orchestrator’s web interface, you need to first complete some initial configuration.

Objectives

• Access the remote ReadyTech environment
• Install Orchestrator from an OVA file
• Configure new Linux root and admin account passwords
• Configure Orchestrator with the orch-setup utility

Instructions
Task 1: Review the text formatting conventions
1. The instructions in this student guide use these formatting conventions:

• This bulleted text indicates clarifying information.

This text indicates important information.

This text indicates clarifying text for a setting you configure.

This text indicates an item that you click with your mouse buttons.

This text indicates text that you type with your keyboard.

This text indicates a path of menu items you click.

This text indicates information that cautions you about a potential issue.


Task 2: Written instructions and screenshots


2. The instructions in this student guide expect that students are familiar with these
fundamental tasks:

a. Opening and closing tabs in a web browser: You use Google Chrome on the
Landing Desktop PC during the DST labs. Enter CTRL+T to open a new tab.

b. Opening and closing windows in Microsoft Windows: Click the X button in
the upper-right corner of a window to close it.

c. Copying and pasting text and files: Enter CTRL+C to copy. Enter CTRL+V to
paste.

d. Navigating between windows and applications in Microsoft Windows: In the
ReadyTech environment, you can click an application’s taskbar icon to switch
from one to another. If you enter CTRL+TAB, you switch between windows or
applications on your local PC, not the Landing Desktop PC.

3. As you work with this student guide, be sure to follow all of the written instructions.

4. Screenshots provide additional context and are not a replacement for the written
instructions.

5. In the event that an image differs from written instructions, always follow the written
instructions.

6. As you follow a task’s steps, be aware that additional information might be on the
next page.

Task 3: Connect to the ReadyTech environment


7. Record your ReadyTech access code: ___________________________________

8. Open your preferred web browser on your local PC.

• Google Chrome version 96 was used while creating this student guide, but other web
browsers that support HTML5 should also work.

9. Enter https://SilverPeak.InstructorLed.Training in the web browser’s address bar.

• If your web browser doesn’t support HTML5, you might see a message about
upgrading it and a link to the non-HTML5 ReadyTech portal. If you choose to use the
non-HTML5 ReadyTech portal, follow its instructions.

• Caution: When you log in to the ReadyTech environment, be sure that you do not
set a password, otherwise you can potentially lock yourself out of your lab.


10. Enter your access code.

11. Click Log in.

12. Enter your first name and last name.

13. Select the box to agree to the terms and conditions.

14. Click OK.

15. Verify that the status of your lab is Up. If the status is not Up, notify your
instructor.

16. Verify that the ReadyTech Viewer is the selected option in the lower drop-down list.
If another option is present, change it to ReadyTech Viewer.

17. Click Connect to the lab in the Remote Desktop section.

18. Sign in to the Landing Desktop PC with these credentials:

a. Click the Administrator user profile.

b. Password: Speak-123

• This course uses licensed versions of Microsoft Windows. The Landing Desktop PC or
Traffic Generator (TG) PCs might state that they’re not licensed due to communication
issues via the ReadyTech environment’s firewall. If you see a Windows Activation
window, click the X button to close it.


19. From the ReadyTech instructor-led portal Desktop menu, choose a view option:
Best fit, Scale to fit, or Full screen mode. Enter ESC to exit full-screen mode.

Task 4: Verify the deployment of all virtual machines


20. From the Landing Desktop PC, open Google Chrome.

21. Click Advanced on the Your connection is not private window, and then click
Proceed to esxihost (unsafe). Google Chrome opens the VMware ESXi window.

• If you see any warning pop-up messages about the configured guest OS in VMware
ESXi, you can close or dismiss them.

• During the DST labs, each time you open a webpage for VMware ESXi, Orchestrator, or
an EdgeConnect, you need to click Advanced on the Your connection is not private
window, and then click Proceed to [webpage name] (unsafe).

22. Log in with these credentials:

a. User name: root

b. Password: Training1!

• If you can’t log in, click the Google Chrome refresh button, and then try again.

23. If necessary, click Navigator on the left side to expand this section.

24. Click Virtual Machines. You should see 13 virtual machines (VMs).


25. Verify that each VM has a green icon to the left of its name that indicates it is
powered on. If any VMs are not powered on, and you’re familiar with VMware ESXi,
power them on. Otherwise, notify your instructor.

Task 5: Install the Orchestrator from an OVA file
26. Click Create / Register VM above the list of virtual machines.

27. Click Deploy a virtual machine from OVF or OVA file, and then click Next.

28. Enter Orchestrator as the VM’s name.

29. Click the blue area with Click to select files or drag/drop.

30. Click the Orchestrator-9.0.4.ova file in the
C:\Users\Administrator\SilverPeak\OVA Files directory, and then click Open.

31. Click Next on the Select OVF and VMDK files window.


32. Click Next on the Select storage window.

• Caution: You must set Orchestrator’s VM network to SW 01 - Management, or
you won’t be able to connect to Orchestrator via its IP address after you configure
it later in this lab.

33. Choose these settings on the Deployment options window:

a. Network mappings: VM Network: SW 01 - Management

b. Disk provisioning: Thick

c. Power on automatically: Selected

34. Click Next on the Deployment options window.

35. Click Finish on the Ready to complete window to start the installation.


36. While Orchestrator installs, you should see these two tasks in the Recent Tasks
section of VMware ESXi. If the Recent Tasks section is visible at the bottom of the
window, and you don’t see these tasks, notify your instructor:

a. Upload disk - Orchestrator-9.0.4-disk.vmdk (1 of 1)

b. Import VApp

• The installation process takes about 15 minutes. If the installation takes longer,
notify your instructor.

Task 6: Review the lab topology diagram

• While you wait for the Orchestrator VM installation to finish, complete this task.

37. Open a new tab in Google Chrome.

38. Click the DST Lab Topology bookmark.

39. Review page 1 of the DST Lab Topology. The gold ovals (e.g. SW 02) are vSwitch
port groups in VMware ESXi that connect virtual machines (VMs) to one another.
You connect from the Landing Desktop PC to the other VMs via the
SW 01 - Management vSwitch port group.


40. Based on the DST Lab Topology, answer these questions:

a. What is the IP address of the Landing Desktop PC?
192.168.1.200

b. Which IP address will you assign to Orchestrator after you install it?
192.168.1.254

c. To which WAN transports does ECV-1 connect?
MPLS, Internet, and LTE.

d. To which WAN transports does ECV-2 connect?
MPLS

e. To which WAN transports does ECV-4 connect?
MPLS and Internet.

41. Review page 2 of the DST Lab Topology. This page provides information about the
Orchestrator and EC-V appliances. During the labs, if you have difficulty locating
information about a VM, you can refer to this page.

42. Review page 3 of the DST Lab Topology. This page provides user IDs and
passwords for the VMs you interact with during the DST labs.

Task 7: Configure new Linux root and admin account passwords

• After the installation of Orchestrator is finished, proceed with this task.

• If you need to enter commands in a VMware console window, and it displays incorrect
characters, you can find instructions on non-US keyboard setup and using the
on-screen keyboard in Appendix A: Solutions to Common Issues.

43. In VMware ESXi, click Virtual Machines in the Navigator pane.

44. Right-click the name of the Orchestrator VM, and then click Console > Open console
in new tab.


45. Log in to Orchestrator with these Linux admin account credentials:

a. User: admin

b. Password: admin

• Caution: In the following steps, ensure that you use the password Speak-123 for
the Linux admin and root accounts. Otherwise, you can accidentally lock
yourself out of Orchestrator. We cannot perform password recovery for
Orchestrator in the ReadyTech environment.

46. Orchestrator prompts you to enter a new password for the Linux admin
account. Enter the password Speak-123.

47. Carefully enter the password confirmation Speak-123. The password and
confirmation must match.

48. Orchestrator prompts you to enter a new password for the Linux root
account. Enter the password Speak-123.

49. Carefully enter the password confirmation Speak-123. The password and
confirmation must match.

50. After you enter the new passwords, Orchestrator displays the message
Successfully updated passwords.

Task 8: Perform initial configuration with the orch-setup utility


51. Enter ./gms/orch-setup -c at the Bash prompt to start the utility.

52. Enter the Linux root account password Speak-123.


53. Enter these options for the orch-setup utility:

a. Timezone: n (lower case)

b. NTP server: y (lower case)

c. NTP server (IP/name): 192.168.1.151

d. Change network configuration and hostname via GUI: n (lower case)

e. Change Orchestrator hostname: n (lower case)

f. Change IP address: y (lower case)

g. IP address: 192.168.1.254

h. Netmask: 255.255.255.0

i. Gateway: 192.168.1.253

j. Change DNS servers: y (lower case)

k. DNS Server 1: 8.8.8.8

l. DNS Server 2: Leave blank

54. The orch-setup utility shows the message Restarting network. This may take a
while.

55. Enter exit at the Bash prompt.


56. Close the Orchestrator console tab.

Task 9: Verify the Orchestrator’s IP address


57. In VMware ESXi, click Virtual Machines in the Navigator pane.

58. Right-click the gray bar between Virtual machine and Status.

59. Click Select columns.


60. Remove the selection from these boxes:

a. Used space

b. Guest OS

c. Host CPU

d. Host memory

61. Select this box:

a. IP address

62. Click the VMware ESXi refresh button.

63. In the list of virtual machines, verify the IP address for the Orchestrator is
192.168.1.254.

• If the status of a VM is Warning, click Refresh above the list of virtual machines. The
status should change to Normal. This is only a cosmetic issue.

Review
Answer the following questions:

1) What is the first step for setting up your Aruba SD-WAN?
You must install an Orchestrator.

2) From what type of file do you install an Orchestrator in VMware ESXi?
.OVA file

3) Why did you connect the Orchestrator to the SW 01 - Management vSwitch port group?
To ensure connectivity via the out-of-band management network.

4) Why did you configure Orchestrator to use Thick Provisioning?
To avoid performance issues.

5) What is the purpose of the orch-setup utility?
It’s an initial configuration CLI utility.

Instructor:
• Cancel unused lab codes before the first 3 hours of class have passed.


Lab 2: Orchestrator Getting Started Wizard


Overview

• You access the Orchestrator from a web browser. From the web interface, you
complete the Getting Started Wizard to register the Orchestrator with Cloud Portal and
to configure an email server and a backup server.

Objectives

• Register Orchestrator with Cloud Portal
• Configure Orchestrator to use an email server
• Configure Orchestrator to use a backup server

Instructions
Task 1: Generate an Account Name and Account Key for the
Orchestrator and EdgeConnect virtual appliances

1. On the Landing Desktop PC’s taskbar, click the Show Desktop icon.

2. Open the DST Lab Files desktop shortcut.

3. Open the Lab 2 - License Orchestrator shortcut. This script generates a
License.txt file. The file contains the account name and account key you use to
register the Orchestrator and EC-V appliances with the Cloud Portal.

• The Orchestrator and EC-V appliances of an Aruba SD-WAN all use the same account
name and account key.

4. Close the File Explorer window.

5. Leave the License.txt file open.

• If you close the License.txt file, you can open it again from the Landing Desktop PC’s
desktop.

6. Open a new tab in Google Chrome, and then click the Orchestrator bookmark.
Alternatively, you can enter https://192.168.1.254 into the address bar.

• When you connect to the Orchestrator or an EdgeConnect VM using its IP address,
enter https:// before it.


7. Click Advanced on the Your connection is not private window, and then click
Proceed to 192.168.1.254 (unsafe).

Task 2: Log in to Orchestrator


8. Log in to the Orchestrator with these credentials:

a. User Name: admin

b. Password: admin

9. Click Login.

10. Click Agree to accept the End User License Agreement.

11. Enter a new password for the Orchestrator admin account:

a. Password: Speak-123

b. Confirmation: Speak-123

12. Click Save Password.

13. If Orchestrator notifications appear in the upper-right corner (e.g. Generate New
Key Now), click Close, Dismiss, or Don’t Show Again.

Task 3: Complete the Orchestrator’s Getting Started Wizard

• Caution: During the DST labs, if some screens or web interface elements extend
outside the viewable area of the Landing Desktop PC, modify the zoom level of
its Google Chrome web browser. Click CTRL + + to zoom in. Click CTRL + - to
zoom out. Click CTRL + 0 to restore the zoom level to 100%.

14. Select the EdgeConnect box under Select Products on the License and
Registration tab.

15. Copy the account name from the License.txt file, and then paste it into the
Account Name field.

16. Copy the account key from the License.txt file, and then paste it into the Account
Key field.

17. Minimize the License.txt file.

18. Click Next on the License and Registration window.


19. Enter these email server settings on the Email window:

a. Enable SSL: Not selected

b. Enable Authentication: Selected

c. SMTP Server: 192.168.1.200

d. SMTP User: student@training.local

e. Email Sender: student@training.local

f. SMTP Password: Speak-123

g. Server Port: 25

h. Require Email Verification: Not selected

i. Send a Test Email to: student@training.local

j. Email Alarms to: student@training.local

k. Click Test to the right of the Send a Test Email to field. You should see this
message at the bottom of the screen. If the test isn’t successful, verify the settings.

20. Click Next on the Email window.

21. Enter these backup server settings on the Backup tab:

a. Protocol: FTP

b. Hostname: 192.168.1.200

c. Username: anonymous

d. Password: Speak-123

e. Directory: /GMS

f. Port: 21

g. Max backups to retain: 3

22. Click Test below Max backups to retain. If the test is not successful, verify the
settings. If the test is successful, Orchestrator shows a success message.

23. Click Add next to the Schedule field.


24. Enter these backup schedule settings:

a. Frequency: Weekly

b. Day: Saturday

c. Time: 08:00

d. Date: Current date

25. Click OK.

26. Click Apply to complete the Getting Started Wizard.

27. Click Close on the Wizard Configuration Summary window.

Task 4: Turn off new software release notifications

• You turn off this setting for the DST labs to prevent numerous software release
notifications from opening in Orchestrator. In a production SD-WAN, you don’t need to
turn off this Orchestrator setting.

28. From Orchestrator, click Orchestrator > [Software & Setup] >
[Setup] > Advanced Properties.

29. From the Advanced Properties tab, enter software in the Search field.

30. Change the property value of newSoftwareReleasesNotifications to false.

31. Click Apply.

Task 5: Dismiss pop-up notifications


32. If any notifications appear in the upper-right corner of Orchestrator, click Don’t
show again or Dismiss.

• You might need to dismiss new software release notifications if they appeared before
you set that setting to false. After you do this, additional new software release
notifications won’t appear.


Task 6: Verify the registration status of Orchestrator


33. Check the Orchestrator’s Cloud Portal registration status. Click Orchestrator >
[Orchestrator Server] > [Licensing] > Cloud Portal. If the status for Registered is Yes,
the account name and the account key matched a Cloud Portal database entry
for your temporary student account.

34. Click Close on the Cloud Portal window.

Review
Answer the following questions:

1) What is the difference between the Linux admin and root accounts and the Orchestrator
admin account?
The first two are Linux accounts. The third is the admin account for the Orchestrator service that runs on Linux.

2) What is the purpose of the email server?
Orchestrator uses it to send emails for alarms and reports.

3) What is the purpose of the backup server?
Orchestrator backs up its configuration to the backup server. The Orchestrator backup also contains every EdgeConnect config.


Lab 3: Configure Groups and Labels


Overview

• You configure groups in the Orchestrator’s tree view to organize the EdgeConnect
appliances it will manage. The interface labels you create on Orchestrator make it easy
to identify an EdgeConnect appliance’s interfaces. You can use LAN interface labels as
overlay match criteria. You use WAN interface labels so that your SD-WAN knows
between which WAN interfaces on peer EdgeConnect appliances to establish underlay
tunnels.

Objectives

• Create groups in Orchestrator
• Create interface labels in Orchestrator

Instructions
Task 1: Rename Group 1 to Site 1 - Singapore
1. From Orchestrator’s tree view, right-click Group 1, and then click Rename.

2. Enter the group name Site 1 - Singapore.


3. Click OK.

Task 2: Create two additional groups


4. Right-click 0 Appliances in Orchestrator’s tree view, and then click Add Group.

5. Enter the group name Site 2 - Mumbai.


6. Click OK.

7. Repeat steps 4-6 to create the Site 3 - Santa Clara group.

• The student guide provides detailed instructions the first time it presents a topic. Then,
it refers you back to previous instructions. This approach helps those with different
learning styles by providing step-by-step instructions but also allowing others to recall
the instructions. If you make a mistake, refer back to the instructions to correct your error.

• Orchestrator’s tree view should now look like this image.


Task 3: Modify a WAN interface label


8. Open Orchestrator’s Interface Labels tab. (Configuration > [Overlays & Security] >
Interface Labels) You can quickly find any menu item with Orchestrator’s Search
Menu function.

• Caution: Don’t delete any of the preconfigured interface labels, because you use
them during the DST labs.

• Orchestrator comes with preconfigured LAN and WAN interface labels. The LTE (Hub
& Spoke) label’s topology indicates that regardless of an overlay’s topology, the WAN
interface with this label only establishes an underlay to a hub EdgeConnect. In this lab,
you change this setting to make cross-connect underlays possible in a later lab.

9. Click the edit icon for the LTE (Hub & Spoke) WAN interface label.

10. Click the Topology drop-down list, and then click any.

11. Click Done on the Interface Label Configuration window.

Task 4: Create a LAN interface label


12. Click New Label.

13. Click lan.

14. Enter GuestWiFi as the LAN interface label’s name.


15. Click Done.

16. Verify the GuestWiFi LAN interface label is in the list.

17. Click Save on the Interface Labels window.

Review
Answer the following questions:

1) What is the purpose of a group in Orchestrator’s tree view?
You assign EdgeConnect appliances to groups to simplify SD-WAN administration.

2) How does Orchestrator use interface labels?
LAN: Interface identification and BIO match criteria. WAN: Interface identification and underlay tunnels.


Lab 4: Configure Deployment Profiles


Overview

• You configure deployment profiles on Orchestrator. Deployment profiles provide you
with accurate, scalable configuration of your EdgeConnect appliances. Your SD-WAN
has different types of appliances that might use the same interfaces and interface
settings. You can configure one deployment profile per type of EdgeConnect, and then
apply these deployment profiles as you deploy additional appliances.

Objectives

• Create deployment profiles in Orchestrator
• Configure deployment profiles in Orchestrator

Instructions
Task 1: Create the Hub Site deployment profile

• You modify the preconfigured MPLS + Internet + LTE Branch deployment profile, and
then save it with a different name to create the Branch Office deployment profile.

• You apply the Hub Site deployment profile to ECV-1 at Site 1 - Singapore in a later lab.

1. From Orchestrator, open the Deployment Profiles tab. (Configuration >
[Overlays & Security] > Deployment Profiles)

2. From the Profile Name drop-down list, click MPLS + Internet + LTE Branch.

3. Verify that Router is the deployment mode.


4. Under LAN Interfaces, below interface lan0, click +IP to add a sub-interface.

5. Repeat the previous step to add a second sub-interface below lan0.

6. Configure these LAN interface labels:

a. lan0: Data (top label)

b. lan0 sub-interface: Voice (middle label)

c. lan0 sub-interface: GuestWiFi (bottom label)

7. Configure LAN sub-interface VLAN tags:

a. lan0 / Voice sub-interface: 131

b. lan0 / GuestWiFi sub-interface: 132

8. Verify these WAN interface labels:

a. wan0: MPLS1

b. wan1: INET1

c. wan2: LTE

9. Verify the FW mode (firewall mode) of the WAN interfaces:

a. wan0: Allow All

b. wan1: Stateful+SNAT

c. wan2: Stateful+SNAT

10. Verify the NAT Flag setting for each WAN interface:

a. wan0: Not behind NAT

b. wan1: Not behind NAT

c. wan2: Not behind NAT

• In a production SD-WAN, you would configure the NAT Flag setting for the internet and
4G LTE interfaces when upstream devices perform NAT. In this training lab, this isn’t
necessary.


11. Configure the Bandwidth setting for the WAN interfaces:

a. wan0: 6,000 outbound, 6,000 inbound

b. wan1: 6,000 outbound, 6,000 inbound

c. wan2: 6,000 outbound, 6,000 inbound

12. Click ∑ Calc to set the Total Outbound and Total Inbound WAN bandwidth
settings to 18,000 each.

13. From the EC license drop-down list, click 50 Mbps.

14. Configure Boost to 18,000 Kbps.

15. Click Save As.

16. Enter Hub Site as the name of the deployment profile.

17. Click Save.

Task 2: Create the Data Center deployment profile

• You modify the Hub Site deployment profile, and then save it with a different name to
create the Data Center deployment profile.

• You apply the Data Center deployment profile to ECV-4 and ECV-5 at Site 3 - Santa
Clara in a later lab.

18. Click the X to the left of the inactive IP/Mask field to delete the wan2 interface.


19. Now you change the bandwidth settings of the remaining WAN interfaces and Boost:

a. wan0: 4,000 outbound, 4,000 inbound

b. wan1: 4,000 outbound, 4,000 inbound

20. Click ∑ Calc to set the Total Outbound and Total Inbound WAN bandwidth settings to
8,000 each.

21. Configure Boost to 8,000 Kbps.

22. Click Save As.

23. Enter Data Center as the name of the deployment profile.

24. Click Save.

Task 3: Create the MPLS Branch Office deployment profile

• You modify the Data Center deployment profile, and then save it with a different name
to create the MPLS Branch Office deployment profile.

• You apply the MPLS Branch Office deployment profile to ECV-2 at Site 2 - Mumbai in
a later lab.

25. Click the X to the right of the inactive IP/Mask field to delete the lan0.132
sub-interface that has the GuestWiFi LAN interface label. This is the lan0
interface with the 132 VLAN tag.


26. Click the X to the left of the inactive IP/Mask field to delete the wan1 interface
with the INET1 interface label, because ECV-2 doesn’t have one.

27. Now you change the bandwidth settings of the remaining WAN interface and Boost:

a. wan0: 2,000 outbound, 2,000 inbound

28. Click ∑ Calc to set the Total Outbound and Total Inbound WAN bandwidth settings
to 2,000 each.

29. Configure Boost to 2,000 Kbps.

30. Click Save As.

31. Enter MPLS Branch Office as the name of the deployment profile.

32. Click Save.

Task 4: Verify the three deployment profiles


33. Click the Profile Name drop-down list.


34. Verify these three new deployment profiles are in the list:

a. Hub Site

b. MPLS Branch Office

c. Data Center

35. Close the Deployment Profiles tab.
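
The three profiles built in Tasks 1 to 3 can be written down as data and checked before they are applied to appliances. The following is an added example, not Orchestrator code or part of the original guide: the dictionary layout, function names and finding codes are hypothetical, and the rule that only the MPLS1 label counts as private transport is an assumption; the labels, firewall modes, VLAN tags and bandwidth values are the ones this lab uses.

```python
"""Lint for the Lab 4 deployment profiles (illustrative model, not an Orchestrator API)."""
from copy import deepcopy

# Assumption: MPLS1 is the only private transport label; any other WAN label
# is treated as internet-facing and must not use the "Allow All" firewall mode.
PRIVATE_WAN_LABELS = {"MPLS1"}


def hub_site():
    """Hub Site profile as configured in Task 1 (bandwidth in Kbps)."""
    return {
        "name": "Hub Site",
        "lan": [
            {"if": "lan0", "label": "Data", "vlan": None},
            {"if": "lan0", "label": "Voice", "vlan": 131},
            {"if": "lan0", "label": "GuestWiFi", "vlan": 132},
        ],
        "wan": [
            {"if": "wan0", "label": "MPLS1", "fw": "Allow All", "out": 6000, "in": 6000},
            {"if": "wan1", "label": "INET1", "fw": "Stateful+SNAT", "out": 6000, "in": 6000},
            {"if": "wan2", "label": "LTE", "fw": "Stateful+SNAT", "out": 6000, "in": 6000},
        ],
        "total_out": 18000, "total_in": 18000, "boost": 18000,
    }


def derive(base, name, drop_wan=(), drop_lan_labels=(), bandwidth=None):
    """Mimic 'modify, Calc, Save As': copy, delete interfaces, recompute totals."""
    p = deepcopy(base)
    p["name"] = name
    p["wan"] = [w for w in p["wan"] if w["if"] not in drop_wan]
    p["lan"] = [s for s in p["lan"] if s["label"] not in drop_lan_labels]
    if bandwidth is not None:
        for w in p["wan"]:
            w["out"] = w["in"] = bandwidth
    p["total_out"] = sum(w["out"] for w in p["wan"])
    p["total_in"] = sum(w["in"] for w in p["wan"])
    p["boost"] = p["total_out"]  # the lab sets Boost equal to the WAN total
    return p


def build_lab_profiles():
    """Hub Site -> Data Center -> MPLS Branch Office, in the order of Tasks 1-3."""
    hub = hub_site()
    dc = derive(hub, "Data Center", drop_wan={"wan2"}, bandwidth=4000)
    branch = derive(dc, "MPLS Branch Office", drop_wan={"wan1"},
                    drop_lan_labels={"GuestWiFi"}, bandwidth=2000)
    return hub, dc, branch


def audit(profile):
    """Return (code, subject) findings; an empty list means the profile is consistent."""
    findings = []
    sum_out = sum(w["out"] for w in profile["wan"])
    sum_in = sum(w["in"] for w in profile["wan"])
    if profile["total_out"] != sum_out:
        findings.append(("TOTAL_OUT_STALE", f"{profile['total_out']} != {sum_out}"))
    if profile["total_in"] != sum_in:
        findings.append(("TOTAL_IN_STALE", f"{profile['total_in']} != {sum_in}"))
    if profile["boost"] != sum_out:
        findings.append(("BOOST_MISMATCH", f"{profile['boost']} != {sum_out}"))
    for w in profile["wan"]:
        if w["fw"] == "Allow All" and w["label"] not in PRIVATE_WAN_LABELS:
            findings.append(("FW_ALLOW_ALL_ON_PUBLIC", w["if"]))
    seen = set()
    for sub in profile["lan"]:
        key = (sub["if"], sub["vlan"])
        if sub["vlan"] is not None and not 1 <= sub["vlan"] <= 4094:
            findings.append(("VLAN_OUT_OF_RANGE", f"{sub['if']}.{sub['vlan']}"))
        if key in seen:
            findings.append(("VLAN_DUPLICATE", f"{sub['if']}.{sub['vlan']}"))
        seen.add(key)
    return findings


def broken_profile():
    """Constructed bad input: wan2 deleted without re-running Calc, wan1 opened up,
    and the Voice sub-interface given the GuestWiFi VLAN tag."""
    p = hub_site()
    p["name"] = "Hub Site (misconfigured)"
    p["wan"] = p["wan"][:2]
    p["wan"][1]["fw"] = "Allow All"
    p["lan"][1]["vlan"] = 132
    return p


if __name__ == "__main__":
    for prof in (*build_lab_profiles(), broken_profile()):
        print(prof["name"], audit(prof) or "OK")
```
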

Review
Answer the following questions:

1) What is the purpose of a deployment profile?


Deploy appliances with the same interface, bandwidth, and Boost settings.

2) Why are the IP address and next-hop fields of a deployment profile inactive?
To avoid duplicate IP address issues. Configure them with appliance preconfiguration or the deployment window.

3) How does a deployment profile differ from a deployment window?
See #1 for deployment profile. The deployment window has the same settings but you can configure IP addresses and next-hops.


Lab 5: Configure a Template Group


Overview

• You configure template groups on Orchestrator. Template Groups are a mechanism
you use to configure many settings for EdgeConnect appliances once, and then apply
those settings to many appliances. Each template group contains active templates that
you select from a list of available templates.

Objectives

• Create a template group

• Configure active templates in a template group

Instructions
Task 1: Configure the Default Template Group

• During this lab, you choose templates to include in the Default Template Group. In a
later lab, you apply the Default Template Group to the EdgeConnect appliances. This
allows you to configure these settings once, and then apply them to each of the
appliances. This reduces the risk of incorrectly configuring settings and saves time.

1. In Orchestrator, open the Templates tab. (Configuration > [Templates & Policies] >
Templates)

2. Click Show All to display the Available Templates column.


3. Click and drag these templates from the Active Templates column to the Available
Templates column to remove them from the Default Template Group:

a. SNMP

b. Admin Distance

c. Shaper

4. Click and drag these templates from the Available Templates column to the Active
Templates column:

a. User Management

5. Verify these templates are in the Active Templates column:

a. DNS

b. Date/Time

c. User Management

d. Management Services

e. Session Management

6. Click Hide to remove the Available Templates column from view.

Task 2: Configure the active templates

• The DNS and Management Services templates already have the necessary settings.

7. Click the Date/Time template.

a. Click the X to the right of the pre-configured NTP server to delete it.

b. If not already selected, click NTP Time Synchronization.

c. Click Add.


d. Configure the new time server with these settings:

• Time Zone: US/Pacific

• Server: 192.168.1.151

• Version: 3

• The K1-MPLS WAN emulator VM acts as the NTP server in the ReadyTech
environment.

8. Click the User Management template.

a. Click the Password field of the admin EdgeConnect user account.

b. Enter the password Speak-123.


c. Click the Confirm Password field of the admin EdgeConnect user account.

d. Enter the password Speak-123.

9. Click the Session Management template.

a. Configure Auto Logout to 60 minutes.


10. Click Save below the Active Templates field to save these changes to the Default
Template Group.

11. Click Save Template Changes on the Save Template Changes window.

12. Close the Templates tab.

Review
Answer the following questions:

1) What is a template?
You configure settings in a template that Orchestrator applies to multiple appliances.

2) What is the difference between available templates and active templates?
Available templates is a list of all unused templates. Active templates are template group members.

3) What is the difference between a template and a template group?
See #1 for template. A template group is a collection of configured templates that Orchestrator applies to appliances.

4) Can you apply more than one template group to an EdgeConnect?
Yes, you can see the applied template groups on the Apply Template Groups tab.


Lab 6: Introduction to Business Intent Overlays

Overview

• You configure Business Intent Overlays (BIOs) on Orchestrator to define how the
EdgeConnect appliances link-bond IPsec UDP underlay tunnels and apply other
settings for them to work together as logical overlay tunnels. You can only create and
configure BIOs on Orchestrator, not directly on EdgeConnect appliances.

Objectives

• Gain familiarity with the BIO settings

• Configure BIO settings

Instructions
Task 1: Review the Business Intent Overlays summary window
1. From Orchestrator, open the Business Intent Overlays tab. (Configuration >
[Overlays & Security] > Business Intent Overlays)

• Links to other BIO-related features are at the top of the window.

• Caution: Do not delete any BIOs during this course. Orchestrator doesn’t include
an undo option that can replace any BIOs that you delete.

2. Review the four preconfigured BIOs:

a. Rows indicate individual BIOs:

• RealTime

• CriticalApps

• BulkApps

• DefaultOverlay

b. Columns show a high-level view of each BIO’s settings:

• Priority (includes drag & drop handle and delete button)

• Overlay name

• Match Traffic (i.e. Overlay traffic matching method)

• SD-WAN Traffic to Internal Subnets

• Breakout Traffic to Internet & Cloud Services

Task 2: Review SD-WAN Traffic to Internal Subnets settings

• Aside from their Overlay ACL match criteria, the preconfigured BIOs all have the same
settings until you modify them.

3. Click in the Overlay or SD-WAN Traffic to Internal Subnets columns for the
RealTime BIO. Orchestrator shows the BIO’s name, match setting, and region at the
top of the window. It also shows a tabbed interface with settings for traffic that
matches an internal destination network.

4. Click the Match drop-down list. What are the three options for matching traffic to an
overlay?
Overlay ACL (recommended best practice), LAN Port, and Appliance ACL (general-use access list).

5. Click the edit icon next to the match criteria field. Orchestrator shows the
Associate ACL window.


6. Review the rules that determine which traffic matches the RealTime overlay.

a. What type of traffic matches the RealTime overlay?
QoS DSCP ef, voice, video, and conferencing apps.

7. Click Close on the Associate ACL window.

8. Click Cancel on the Overlay Configuration window.

9. Repeat steps 3-7 for the Critical Apps BIO, and then the BulkApps BIO.

a. What type of traffic matches the CriticalApps BIO?
DNS, SilverPeak traffic, SaaS apps.

b. What type of traffic matches the BulkApps BIO?
File transfer SaaS, FTP, SFTP, Replication, and Rsync file synchronization.

10. Repeat steps 3-6 for the DefaultOverlay BIO.

a. What type of traffic matches the DefaultOverlay BIO?
All traffic not matching higher priority overlay matches DefaultOverlay. Prevents matching Default Route Policy.

• The preconfigured RealTime, CriticalApps, and BulkApps BIOs match specific types of
traffic and apply specific settings to them. The DefaultOverlay BIO matches all other
types of traffic. This ensures an EdgeConnect provides SD-WAN optimization to all
internal traffic (i.e. non-internet traffic).

11. From the DefaultOverlay, click the edit icon next to SD-WAN Traffic to Internal
Subnets. Orchestrator shows the Internal Subnets window.

• This window defines how EdgeConnect handles traffic. EdgeConnect sends traffic with a
destination IP address found in this table through an overlay tunnel. Otherwise,
EdgeConnect uses the Breakout Traffic to Internet & Cloud Services settings to send
the traffic to its destination.

12. Click Close on the Internal Subnets window.

13. Review all of the settings on the SD-WAN Traffic to Internal Subnets tab.


14. Orchestrator uses all of the preconfigured WAN interface labels for each BIO’s
primary and backup interfaces. If you don’t change the interfaces each BIO uses, after
you add EdgeConnect appliances, will the underlays and overlays work?
Yes, the underlays and overlays will work. Each EdgeConnect will use the interfaces it has to create the underlays.

• When you configure a BIO, each EdgeConnect appliance might not have all of the
interfaces you specify. However, each EdgeConnect uses the interfaces it has to
establish IPsec UDP underlays that make up the logical overlays.

15. The INET1, INET2, and LTE interfaces are members of the Group1 cross-connect
group. Why does Orchestrator make these interfaces members of the cross-connect
group but not the MPLS interfaces?
Cross-connect groups establish additional underlays between peers’ WAN interfaces. EC must route between providers.

• When you define a cross-connect group, each EdgeConnect establishes additional
IPsec UDP underlay tunnels between each of the peers’ different WAN interfaces.
Normally, INET1 interfaces only build underlays to other peers’ INET1 interfaces.
EdgeConnect peers also build cross-connect underlays between INET1 to INET2 and
INET2 to INET1. These underlays provide additional paths between appliances. INET
and LTE interfaces can route between different providers’ networks over the Internet,
whereas MPLS interfaces can’t do this.

16. By default, when does an overlay switch from its primary interfaces to its
secondary or backup interfaces?
It switches when the primary interfaces are all down.

• As long as at least one primary interface and its underlay tunnel are up, the overlay
continues to use them. Once all of the primary interfaces are down, then the overlay
uses the backup interfaces. If you add secondary interfaces, primary interfaces fail
over to them first. Then, the process repeats with secondary interfaces failing over to
backup interfaces.

17. If you were to change Add Backup if Above Are from Down to Not Meeting Service
Levels, when would an overlay switch from its primary interfaces to its secondary
or backup interfaces?
It switches when all of the primary (or secondary) interfaces are not meeting one or more Service Level Objectives.

• When an interface does not meet a service level objective, EdgeConnect marks it for
removal from service but continues to use it. When all of the interfaces don’t meet a
service level objective, then it switches over to the next tier of interfaces. Failover
happens in this order: Primary > Secondary (if used) > Backup. If you restore service to
one or more higher-tier interfaces, the overlay switches back to them again.

18. At this point, use the default SD-WAN Traffic to Internal Subnets settings for all
four preconfigured BIOs.
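
The cross-connect and failover rules from steps 15 to 17, as an added example that is not part of the course material or the product's code: a simplified Python model built only from the descriptions above. The interface labels come from the Appliance Wizard settings in Lab 8; the primary/backup tier assignment, the link states, the pairing of every appliance with every other, and the fallback when no tier meets its service levels are assumptions.

```python
"""Simplified model of Task 2: cross-connect underlays and overlay tier failover."""
from itertools import product

# WAN interface labels per appliance, from the Appliance Wizard settings in Lab 8.
APPLIANCE_LABELS = {
    "ECV-1": ["MPLS1", "INET1", "LTE"],
    "ECV-2": ["MPLS1"],
    "ECV-4": ["MPLS1", "INET1"],
}
# Members of the Group1 cross-connect group named in step 15.
CROSS_CONNECT_GROUP = {"INET1", "INET2", "LTE"}

# Constructed tier assignment for ECV-1; the guide does not list which labels
# the preconfigured BIOs use as primary or backup.
TIERS = [("primary", ["MPLS1", "INET1"]), ("backup", ["LTE"])]

# Constructed link states: MPLS1 is up but misses a service level objective,
# INET1 is down, LTE is healthy.
BROWNOUT = {
    "MPLS1": {"up": True, "meets_slo": False},
    "INET1": {"up": False, "meets_slo": False},
    "LTE": {"up": True, "meets_slo": True},
}


def underlays(local, remote, labels=APPLIANCE_LABELS, group=CROSS_CONNECT_GROUP):
    """Return the (local_label, remote_label) underlay tunnels between two peers.

    Same-label pairs always form a tunnel. Different labels pair up only when
    both belong to the cross-connect group, which is why MPLS1 never pairs
    with INET1 or LTE.
    """
    tunnels = []
    for a, b in product(labels[local], labels[remote]):
        if a == b or (a in group and b in group):
            tunnels.append((a, b))
    return tunnels


def active_tier(tiers, links, failover_on="down"):
    """Pick the interface tier an overlay uses right now.

    tiers: ordered list of (tier_name, [labels]), most preferred first.
    links: {label: {"up": bool, "meets_slo": bool}}.
    failover_on: "down" (the default setting) or "slo" (Not Meeting Service Levels).
    Returns (tier_name, labels_in_use, labels_marked_for_removal).
    Calling it again after link states change also models the switch back.
    """
    def up_labels(labels):
        return [l for l in labels if links.get(l, {}).get("up")]

    if failover_on == "slo":
        for name, labels in tiers:
            up = up_labels(labels)
            # A tier stays active while at least one of its links meets its SLOs;
            # the links that do not are marked for removal but still used.
            if any(links[l]["meets_slo"] for l in up):
                return name, up, [l for l in up if not links[l]["meets_slo"]]
    # "down" rule. Assumption: also the fallback when no tier meets its SLOs.
    for name, labels in tiers:
        up = up_labels(labels)
        if up:
            return name, up, []
    return None, [], []


if __name__ == "__main__":
    for a, b in (("ECV-1", "ECV-2"), ("ECV-1", "ECV-4"), ("ECV-2", "ECV-4")):
        print(a, "<->", b, underlays(a, b))
    print("Down:", active_tier(TIERS, BROWNOUT, "down"))
    print("Not Meeting Service Levels:", active_tier(TIERS, BROWNOUT, "slo"))
    restored = dict(BROWNOUT, INET1={"up": True, "meets_slo": True})
    print("After INET1 recovers:", active_tier(TIERS, restored, "slo"))
```

With the constructed link states, the Down setting keeps the overlay on the degraded MPLS1 underlay, while Not Meeting Service Levels moves it to LTE until INET1 recovers.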

Task 3: Review Breakout Traffic to Internet & Cloud Services settings


19. Click the Breakout Traffic to Internet & Cloud Services tab.

20. Review all of the settings on the Breakout Traffic to Internet & Cloud Services tab.

• EdgeConnect follows the Preferred Policy Order for traffic with a destination IP address
that isn’t in the table on the Internal Subnets window. By default, the Preferred Policy
Order lists Break Out Locally, Backhaul Via Overlay, and Drop. EdgeConnect uses the
interfaces shown on this tab because Break Out Locally is in the Preferred Policy
Order. Backhaul Via Overlay sends the traffic to another EdgeConnect that performs
local internet breakout.

21. By default, the Preferred Policy Order has Break Out Locally at the top, Backhaul
Via Overlay next, and Drop at the bottom. Answer the following questions:

a. When EdgeConnect receives traffic destined to the Internet, how does it forward
the traffic?
It breaks out the traffic locally using INET1 or INET2.

b. If an EdgeConnect is unable to locally break out the traffic, how does it forward
the traffic?
It refers to its routes table to determine which overlay to use to forward it to another peer to reach the destination IP.

c. If an EdgeConnect is unable to locally break out the traffic or backhaul the traffic
via an overlay, how does it handle the traffic?
It drops the traffic.

Task 4: Configure the global IP SLA for internet breakout

• During this task, you configure a global IP SLA that applies to all of the overlays.
EdgeConnect appliances use this IP SLA to verify that the Internet is reachable in order
to perform local internet breakout. If the targets you specify in the IP SLA are not
reachable, EdgeConnect refers to the next option in the Preferred Policy Order. If no
other options are present, then it uses the Drop option.

22. Click the edit icon next to Break Out Locally Using These Interfaces.

• By default, Orchestrator has sp-ipsla.silverpeak.cloud and the Google public DNS IP
addresses (8.8.8.8 and 8.8.4.4) as ping reachability targets. They don’t work in the
ReadyTech environment, so you configure different targets. You can use the
preconfigured addresses or your own selections with your organization’s SD-WAN.

23. Delete sp-ipsla.silverpeak.cloud, 8.8.8.8, and 8.8.4.4 from the Address field.

24. Enter these IP addresses in the Address field with a comma but no spaces between
each one: 10.110.104.1,10.110.105.1,10.110.116.1.

25. Review the DST Lab Topology, and then answer these questions:

a. Can ECV-1, ECV-2, and ECV-4 ping the 10.110.104.1 or 10.110.116.1 internet
gateway addresses?
ECV-1 can ping 10.110.104.1. ECV-2 can’t ping any of them. ECV-4 can ping 10.110.116.1.


b. Can ECV-1, ECV-2, and ECV-4 ping the 10.110.105.1 LTE gateway address?
Only ECV-1 can ping the 10.110.105.1 LTE gateway address.

• Click Save on the IP SLA Rule Destination window. Orchestrator displays a success
message.

26. Click OK on the Overlay Configuration window.

27. Close the Business Intent Overlays tab.

• At this point, Orchestrator has the four preconfigured BIOs. All of the BIOs now use the
global IP SLA that monitors 10.110.104.1, 10.110.105.1, and 10.110.116.1. However,
you have not yet added EdgeConnect appliances to your SD-WAN, so the BIOs are not
yet in effect.
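
The forwarding decision described in Tasks 2 to 4, as an added example that is not part of the course material or the product's code: a simplified Python model that checks the Internal Subnets table first and then walks the Preferred Policy Order. The IP SLA targets and per-appliance reachability come from steps 24 and 25; the Internal Subnets entries, the destination addresses, the rule that one reachable target is enough, and the rule that backhaul needs a peer that can itself break out are assumptions.

```python
"""Simplified model of Tasks 2-4: Internal Subnets match, then Preferred Policy Order."""
import ipaddress

# Constructed Internal Subnets table (the lab's lan0 Data subnets).
INTERNAL_SUBNETS = [
    ipaddress.ip_network(n)
    for n in ("10.110.10.0/24", "10.110.20.0/24", "10.110.35.0/24")
]
# Global IP SLA targets entered in step 24.
IP_SLA_TARGETS = ("10.110.104.1", "10.110.105.1", "10.110.116.1")
# Which targets each appliance can ping, from the answers to step 25.
REACHABLE = {
    "ECV-1": {"10.110.104.1", "10.110.105.1"},
    "ECV-2": set(),
    "ECV-4": {"10.110.116.1"},
}
DEFAULT_POLICY_ORDER = ("Break Out Locally", "Backhaul Via Overlay", "Drop")


def can_break_out(appliance):
    """Assumption: the IP SLA passes when at least one target answers."""
    return any(t in REACHABLE[appliance] for t in IP_SLA_TARGETS)


def forward(appliance, dst_ip, overlay_peers_up, policy_order=DEFAULT_POLICY_ORDER):
    """Return (action, detail) for traffic from one appliance to dst_ip.

    overlay_peers_up: peers with an up overlay tunnel from this appliance
    (constructed input; in the product this comes from tunnel state).
    """
    dst = ipaddress.ip_address(dst_ip)
    # Destinations in the Internal Subnets table always use an overlay tunnel.
    for net in INTERNAL_SUBNETS:
        if dst in net:
            return ("SD-WAN overlay", str(net))
    # Everything else follows the Preferred Policy Order, top to bottom.
    for option in policy_order:
        if option == "Break Out Locally" and can_break_out(appliance):
            return (option, None)
        if option == "Backhaul Via Overlay":
            # Assumption: backhaul needs an up overlay to a peer whose own IP SLA passes.
            for peer in sorted(overlay_peers_up):
                if can_break_out(peer):
                    return (option, peer)
        if option == "Drop":
            return (option, None)
    # No option left in the order: the guide says the traffic is dropped.
    return ("Drop", None)


if __name__ == "__main__":
    internet = "203.0.113.10"  # constructed destination outside the Internal Subnets table
    for name in ("ECV-1", "ECV-2", "ECV-4"):
        peers = {"ECV-1", "ECV-2", "ECV-4"} - {name}
        print(name, forward(name, internet, peers))
    print("ECV-2, no overlays up:", forward("ECV-2", internet, set()))
    print("ECV-2 to Santa Clara LAN:", forward("ECV-2", "10.110.35.20", {"ECV-4"}))
```

ECV-2 has no interface that reaches an IP SLA target, so in this model it can reach the Internet only by backhaul, and only while an overlay to ECV-1 or ECV-4 is up.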

Review
Answer the following questions:

1) What is a Business Intent Overlay?
The settings Orchestrator pushes to appliances for link bonding underlays to act as overlays.

2) What are the four preconfigured BIOs?
RealTime, CriticalApps, BulkApps, and DefaultOverlay

3) What types of traffic match each of the preconfigured BIOs?
Mesh, Regional Mesh, Hub & Spoke, Regional Hub & Spoke.

4) What are the default monitoring addresses for local internet breakout?
sp-ipsla.silverpeak.cloud, Google Public DNS (8.8.8.8, 8.8.4.4).

5) What are link-bonding policies?
Settings for underlay link selection, failover, and FEC / Path Conditioning.


Lab 7: Complete the Configuration of ECV-1, ECV-2, and ECV-4

Overview
When you install EC-V appliances, you must determine what the MAC addresses are for the
VMs’ network adapters in the hypervisor. Once you have determined the MAC addresses, you
need to determine at which IP address you can manage each EdgeConnect. Then you assign
one MAC address to each of your EC-V’s interfaces with the Initial Config Wizard. This
process creates a connection between the host system’s network adapters in the hypervisor
with each EC-V’s interfaces. You use the ECV-1, ECV-2, and ECV-4 EdgeConnect appliances
during the DST labs. You don’t use ECV-3 during the DST labs.

Objectives

• Gain familiarity with port groups in VMware ESXi

• Determine the MAC addresses of each VM’s network adapters in VMware ESXi

• Determine the IP address of each EC-V appliance in VMware ESXi

• Use the EdgeConnect Initial Config Wizard

Instructions
Task 1: Become familiar with VMware ESXi vSwitch port groups
1. Unless it is already open, add a new tab in Google Chrome on the Landing
Desktop PC, and then open the DST Lab Topology bookmark.

2. Review the DST Lab Topology diagram. The gold-colored ovals represent the
vSwitch port groups to which each VM connects that allow them to communicate
with one another. Think of the vSwitch port groups like a physical switch that has
devices connected to it with cables. VMware ESXi uses virtual network switches, or
vSwitches, to interconnect its VMs. Each vSwitch has a port group. The port group
defines how the interfaces of each VM connect to a vSwitch.


Task 2: Record the MAC addresses of ECV-1’s network adapters


3. From VMware ESXi, click Virtual Machines in the Navigator pane.

4. Click the name of ECV-1 in the list of virtual machines.

5. In the Hardware Configuration section, click the disclosure triangle next to each of
the five network adapters to show their settings.

6. Review each network adapter’s settings, and then record the last two digits of each
MAC address in the following table.

ECV-1 Information

Network Adapter   MAC Address (Record the last 2 digits)   Port Group           ECV-1 Interface
1                 ____                                     SW 01 - Management   mgmt0
2                 ____                                     SW 02                lan0
3                 ____                                     SW 03                wan0
4                 ____                                     SW 04                wan1
5                 ____                                     SW 05                wan2


Task 3: Record the DHCP-assigned IP address of mgmt0 for ECV-1

• ECV-1 is already installed, but not completely configured. The next few steps show
another method for determining the mgmt0 IP address of an EC-V.

7. In VMware ESXi, open a console for ECV-1 in a new tab. (Console > Open console in
new tab)

8. The IP address is at the top of the console window. If the address is not present,
notify your instructor.

9. Record the DHCP IP address of ECV-1’s mgmt0 interface: __________________

• If your cursor becomes stuck in the VMware ESXi console window, enter CTRL + ALT
on your keyboard to release the cursor. If you’re using a Mac computer, enter
CTRL + Option.

10. Close the ECV-1 console tab.

Task 4: Complete the initial configuration wizard for ECV-1


11. Open a new tab in Google Chrome on the Landing Desktop PC.

12. Click the EdgeConnect (DHCP) bookmarks folder.

13. Click the ECV-1 (192.168.1.41) bookmark. If you choose to open a browser tab and
enter the ECV-1 DHCP IP address instead of using the bookmark, be sure to enter
https:// before the IP address.
14. Click through any Google Chrome security warnings that might appear.

15. Log in to ECV-1 with these credentials:

a. User Name: admin

b. Password: admin


16. Click Login to open the Initial Config Wizard. If the Initial Config Wizard doesn’t
automatically appear after you log in, click Configuration > [System & Networking] >
Initial Config Wizard on the appliance’s menu to open it.

17. Enter ECV-1 in the Appliance Hostname field.

18. Assign the correct MAC address to each interface based on the ECV-1 Information
table you completed during a previous task.

19. From the License.txt file, copy the account name and account key, and then paste
them into the related Registration fields.

20. Click Save on the Configuration Wizard window.

21. Click No, reboot later on the Confirm window.

• Caution: If you clicked Yes, reboot Now by mistake or made a mistake during the
Configuration Wizard and can no longer access the EdgeConnect via HTTPS, refer to
Appendix A, Issue #3.

22. Wait for the Save Changes and Reboot Required buttons to appear. If necessary,
refresh the Google Chrome window to cause the buttons to appear.

23. Click Save Changes.

24. Click Reboot Required.


25. Click Reboot on the Reboot window.

26. Close the ECV-1 tab. You don’t need to wait for the EdgeConnect to reboot.

• Until you approve the EdgeConnect from Orchestrator, you won’t be able to access it
via HTTP / HTTPS.

Task 5: Record the MAC addresses of ECV-2’s network adapters


27. Repeat the instructions from Task 2: Record the MAC addresses of ECV-1’s
network adapters, but for ECV-2 during this task.

ECV-2 Information

Network Adapter   MAC Address (Record the last 2 digits)   Port Group           ECV-2 Interface
1                 ____                                     SW 01 - Management   mgmt0
2                 ____                                     SW 06                lan0
3                 ____                                     SW 08                wan0

Task 6: Record the DHCP-assigned IP address of mgmt0 for ECV-2


28. Repeat the instructions from Task 3: Record the DHCP-assigned IP address of
mgmt0, but for ECV-2 during this task.

Task 7: Complete the initial configuration wizard for ECV-2


29. Repeat the instructions from Task 4: Complete the initial config wizard of ECV-1,
but for ECV-2 during this task.


Task 8: Record the MAC addresses of ECV-4’s network adapters


30. Repeat the instructions from Task 2: Record the MAC addresses of ECV-1’s
network adapters, but for ECV-4 during this task.

ECV-4 Information

Network Adapter   MAC Address (Record the last 2 digits)   Port Group           ECV-4 Interface
1                 ____                                     SW 01 - Management   mgmt0
2                 ____                                     SW 13                lan0
3                 ____                                     SW 15                wan0
4                 ____                                     SW 16                wan1

Task 9: Record the DHCP-assigned IP address of mgmt0 for ECV-4


31. Repeat the instructions from Task 3: Record the DHCP-assigned IP address of
mgmt0, but for ECV-4 during this task.

Task 10: Complete the initial configuration wizard for ECV-4


32. Repeat the instructions from Task 4: Complete the initial config wizard of ECV-1,
but for ECV-4 during this task.

Review
Answer the following questions:

1) What is a VMware ESXi vSwitch port group?
It’s a virtual connection point that enables communication between VMs. It’s the virtual version of plugging devices into a L2 switch.

2) Why do you need to assign MAC addresses to the interfaces of an EC-V?
You need to associate the EC-V’s interfaces with the VM’s network adapters in VMware ESXi.


Lab 8: Approve ECV-1, ECV-2, and ECV-4 from the Orchestrator

Overview

• After initial configuration, you approve each EdgeConnect from Orchestrator. Once you
approve an EdgeConnect, you complete the Appliance Wizard to define settings for it.
Following this process, Orchestrator manages the EdgeConnect appliance. It’s a best
practice to define a static IP address to manage each EdgeConnect, which you do
during this lab.

Objectives

• Approve EdgeConnect appliances from Orchestrator

• Use the Appliance Wizard

• Configure a static IP address for each EdgeConnect appliance’s mgmt0 interface

Instructions
Task 1: Verify that ECV-1, ECV-2, and ECV-4 have finished rebooting
1. From VMware ESXi, click Virtual Machines in the Navigator pane.

2. Click on the name of ECV-1. The ECV-1 pane appears.

3. Click the console window thumbnail to open a console window for ECV-1.

4. Verify that the window shows The Appliance Manager is at http://192.168.1.X.

5. Close the ECV-1 console window.

6. Repeat steps 1-5 for ECV-2, and then again for ECV-4.

• Verifying that the EdgeConnect appliances have finished rebooting helps to ensure that
Orchestrator shows them as Reachable during a later task.


Task 2: Open Orchestrator’s Discovered Appliances tab


7. From Orchestrator, open the Discovered Appliances tab. (Click the green Appliances
Discovered button.)

8. Click Refresh Discovery Information. It’s not an issue if the IP address field doesn’t
show an entry.

• Caution: If any EdgeConnect continues to show Unreachable in the Reachability column
after you click this button several times, notify your instructor.

Task 3: Approve ECV-1 from Orchestrator


9. From Orchestrator’s Discovered Appliances tab, on the row for ECV-1, click
Approve.

10. Click Skip on the Upgrade Appliance window.


Task 4: Complete the Appliance Wizard for ECV-1


11. Enter these settings on page 1:

a. Group: Site 1 - Singapore

b. Admin Password: Speak-123

c. Confirm Password: Speak-123

d. City: Singapore

e. State: Delete the entry

f. Zip Code: Delete the entry

g. Country: Singapore

h. Hub Site: Not Selected

12. Click Next on page 1.

13. Click the Deployment Profile drop-down list, and then click Hub Site. This assigns
the Hub Site deployment profile to ECV-1.


14. Enter these settings on page 2 of the Appliance Wizard:

a. lan0 (Data) interface: 10.110.10.100/24

b. lan0.131 (Voice) sub-interface: 10.110.13.100/24

c. lan0.132 (GuestWifi) sub-interface: 10.110.14.100/24

d. wan0 (MPLS1) interface: 10.110.103.100/24

e. wan1 (INET1) interface: 10.110.104.100/24

f. wan2 (LTE) interface: 10.110.105.100/24

g. wan0 next-hop: 10.110.103.1

h. wan1 next-hop: 10.110.104.1

i. wan2 next-hop: 10.110.105.1

15. Click Next on page 2.

16. Click Next on page 3. You don’t use loopback addresses during the DST labs.


17. Enter these settings for page 4:

a. Use SD-WAN Fabric Learned Routes: Selected

b. Automatically advertise local LAN subnets: Selected

c. Automatically advertise local WAN subnets: Not selected

18. Click Next for page 4.

19. Select these items on page 5:

a. Add Business Intent Overlays to this Site:

• RealTime: Selected

• Critical Apps: Selected

• BulkApps: Selected

• DefaultOverlay: Selected

b. Select Template Groups to be applied to this Site:

• Default Template Group: Selected


20. Click Apply on page 5. Orchestrator shows a list of operations on the Appliance
Wizard window. All of them should have a status of Success, and the overall status
should be Done. If one of the operations should fail, click Go Back, and then click
Apply again.

21. When all of the operations show Success, click Close on the Appliance Wizard
window.


Task 5: Approve ECV-2 from Orchestrator


22. From Orchestrator’s Discovered Appliances tab, on the row for ECV-2, click
Approve.

23. Click Skip on the Upgrade Appliance window.

Task 6: Complete the Appliance Wizard for ECV-2

• Repeat the instructions from Task 3: Complete the Appliance Wizard for ECV-1, but
for ECV-2 during this task.

24. Enter these settings on page 1 of the Appliance Wizard:

a. Group: Site 2 - Mumbai

b. Admin Password: Speak-123

c. Confirm Password: Speak-123

d. City: Mumbai

e. State: Delete the entry

f. Zip Code: Delete the entry

g. Country: India

h. Hub Site: Not selected

25. Click Next.

26. Click the Deployment Profile drop-down list for ECV-2, and then click MPLS Branch
Office. This assigns the MPLS Branch Office deployment profile to ECV-2.


27. Enter these settings on page 2:

a. lan0 (Data) interface: 10.110.20.100/24

b. lan0.131 (Voice) sub-interface: 10.110.23.100/24

c. wan0 (MPLS1) interface: 10.110.108.100/24

d. wan0 next-hop: 10.110.108.1

28. Click Next on page 2.

29. Click Next on page 3. You don’t use loopback addresses during the DST labs.

30. Enter these settings for page 4:

a. Use SD-WAN Fabric Learned Routes: Selected

b. Automatically advertise local LAN subnets: Selected

c. Automatically advertise local WAN subnets: Not selected

31. Click Next.

32. Select these items on page 5:

a. Add Business Intent Overlays to this Site:

• RealTime: Selected

• Critical Apps: Selected

• BulkApps: Selected

• DefaultOverlay: Selected

b. Select Template Groups to be applied to this Site:

• Default Template Group: Selected

33. Click Apply on page 5. Orchestrator shows a list of operations on the Appliance
Wizard window. All of them should have a status of Success, and the overall status
should be Done. If one of the operations should fail, click Go Back, and then click
Apply again.

34. When all of the operations show Success, click Close on the Appliance Wizard
window.


Task 7: Approve ECV-4 from Orchestrator


35. From Orchestrator’s Discovered Appliances tab, on the row for ECV-4, click
Approve.

36. Click Skip on the Upgrade Appliance window.

Task 8: Complete the Appliance Wizard for ECV-4

• Repeat the instructions from Task 3: Complete the Appliance Wizard for ECV-1, but
for ECV-4 during this task.

37. Enter these settings on page 1 of the Appliance Wizard:

a. Group: Site 3 - Santa Clara

b. Admin Password: Speak-123

c. Confirm Password: Speak-123

d. City: Santa Clara

e. State: CA

f. Zip Code: Leave blank

g. Country: US

h. Hub Site: Not selected

38. Click Next.

39. Click the Deployment Profile drop-down list, and then click Data Center. This
assigns the Data Center deployment profile to ECV-4.


40. Enter these settings on page 2:

a. lan0 (Data) interface: 10.110.35.101/24

b. lan0.131 (Voice) sub-interface: 10.110.38.101/24

c. lan0.132 (GuestWifi) sub-interface: 10.110.41.101/24

d. wan0 (MPLS1) interface: 10.110.115.101/24

e. wan1 (INET1) interface: 10.110.116.101/24

f. wan0 next-hop: 10.110.115.1

g. wan1 next-hop: 10.110.116.1

41. Click Next for page 2.

42. Click Next on page 3. You don’t use loopback addresses during the DST labs.

43. Enter these settings for page 4:

a. Use SD-WAN Fabric Learned Routes: Selected

b. Automatically advertise local LAN subnets: Selected

c. Automatically advertise local WAN subnets: Not selected

44. Click Next.

45. Select these items on page 5:

a. Add Business Intent Overlays to this Site:

• RealTime: Selected

• Critical Apps: Selected

• BulkApps: Selected

• DefaultOverlay: Selected

b. Select Template Groups to be applied to this Site:

• Default Template Group: Selected

46. Click Apply on page 5. Orchestrator shows a list of operations on the Appliance
Wizard window. All of them should have a status of Success, and the overall status
should be Done. If one of the operations should fail, click Go Back, and then click
Apply again.

47. When all of the operations show Success, click Close on the Appliance Wizard
window.


48. Close the Discovered Appliances tab.

49. From Orchestrator’s tree view, click the disclosure triangle for each group.
ECV-1, ECV-2, and ECV-4 should each be a member of a respective group.

Task 9: Configure Orchestrator’s tree view

50. From Orchestrator’s tree view, click the Settings icon.

51. Click the Show IP box.

52. Click the Close button. Orchestrator shows the hostname and IP address of
each EdgeConnect appliance’s mgmt0 interface in the tree view.

Task 10: Configure ECV-1’s mgmt0 with a static IP address


53. From Orchestrator’s tree view, open the Site 1 - Singapore group, right-click
ECV-1, and then click Appliance Manager. Orchestrator logs in the admin account
to the web interface of the ECV-1 appliance.

54. Open the Hostname/IP window. (Administration > [Basic Settings] > Hostname / IP)

55. Click the DHCP check box for mgmt0, and then click the check box a second time to
remove the check mark.

56. Enter the IP address 192.168.1.4/24.

57. Click Apply. A status window with Applying Hostname/IP changes appears. If this
continues for more than 1 minute, refresh the Google Chrome window from the
Landing Desktop PC.

58. Click Save Changes in the upper-right area. You might have to wait for a few
seconds for this button to appear.

59. Close the Google Chrome tab for ECV-1.

Task 11: Configure mgmt0 of ECV-2 and ECV-4 with a static IP address
60. Repeat the steps you used in Task 8: Configure ECV-1’s mgmt0 with a static IP
address, but for ECV-2 with the IP address 192.168.1.5.


61. Repeat the steps you used in Task 8: Configure ECV-1’s mgmt0 with a static IP
address, but for ECV-4 with the IP address 192.168.1.7.

Note: If you see a warning alarm for the NTP server, you can ignore it. This is a cosmetic
issue that can happen in the ReadyTech environment.

Task 12: Verify the Aruba SD-WAN


62. From Orchestrator, open the Topology tab. (Monitoring > [Summary] > Topology) By
default, Orchestrator shows each EdgeConnect on the topology map at the address you
entered during the Appliance Wizard.

Note: In this version of Orchestrator software, you must refresh the Google Chrome web
browser window for Orchestrator to correctly display the topology map.

63. Click the Settings icon to show the topology map’s settings, and then
review them.

64. If not already in position, click and drag the Grouping Radius slider to the far-left
below Min.

65. If necessary, click the Zoom In and Zoom Out buttons to adjust the topology
map’s zoom level so you can see all of the EdgeConnect appliances on it.

66. Click the settings icon again to close the topology map’s settings.

67. Observe the color changes in the circles around each EdgeConnect and the lines
that represent tunnels between them. An EdgeConnect has a red circle if the
Orchestrator can’t communicate with it. This clears after the EdgeConnect finishes
booting and starts to communicate with Orchestrator. The tunnels change to orange
or red if they have connectivity issues. Green indicates a tunnel with an Up status.

Note: This process takes about 10 minutes for each EdgeConnect in the lab to communicate
with Orchestrator and establish their tunnels. In a production network, this process
takes about 5 minutes. During this lab, if this process takes more than 10 minutes, you
can also synchronize Orchestrator’s information for each EdgeConnect.
(Administration > [Tools] > Synchronize)


68. On the Topology tab, verify that the drop-down list is set to All Overlays.

69. Position your cursor over the green overlay tunnel between ECV-1 and ECV-4 until the
line becomes slightly wider, and then click the line. This opens a Tunnels window for
ECV-1 and ECV-4. Each EdgeConnect might be on the left side or the right side.
Orchestrator determines how it shows the appliances. The window shows each overlay with
a plus symbol next to it.

70. Click the plus symbol next to each overlay to show its underlay tunnels.

71. Click the Live View icon on the right side of the top row with the
to_ECV-4_BulkApps overlay. Orchestrator starts to show a real-time bandwidth usage
chart. The top section, to_ECV-4_BulkApps, is the overlay tunnel. The second and third
sections are the underlay tunnels for the MPLS1-MPLS1 links and the INET1-INET1 links.

Note: The tunnels only show traffic for keepalive packets because you have not opened any
other types of connections between the sites.

72. Click Close on the Live View window.

73. Click Close on the Tunnels window.

74. From Orchestrator’s tree view, select only ECV-1 and ECV-4.

75. Enter Tunnels in the Search Menu field.

76. Click the top row that shows Configuration -> Networking -> Tunnels -> Tunnels.

77. Click Underlay.

78. On the Tunnels tab, click the Traceroute icon for the row with the
to_ECV-4_MPLS1-MPLS1 underlay tunnel. The Traceroute window shows the underlay’s
hop-by-hop latency.

79. Click Close on the Traceroute window.

80. Close the Topology tab.

81. Close the Tunnels tab.

Task 13: Test the connection between TG-1011 and TG-2011


82. From the Landing Desktop PC, open a remote desktop window for TG-1011. (Start
> Remote Desktop Connection > TG-1011 > Connect)


83. From Orchestrator’s tree view, click 3 Appliances to select all of the EdgeConnect
appliances.

84. Open the Flows tab. (Monitoring > [Bandwidth] > [Flows] > Active & Recent Flows)

85. Enter 10.110.20.11 in the IP/Subnet field.

86. Verify that only Active is selected. If not, click Ended to deselect it so that only
active flows appear, and then click Apply.

87. From TG-1011’s RDP window, right-click the TG-2011 Files shortcut, and then click
Open. This opens a CIFS connection between TG-2011 and TG-1011.

88. From Orchestrator’s Flows tab, click the refresh button. One Cifs_smb flow for ECV-1
and one Cifs_smb flow for ECV-2 appear.

Note: If you don’t see any flows, they have timed out. Repeat the two previous steps to
see the two flows.


89. Position your cursor over the Inbound Tunnel and Outbound Tunnel for each flow for
ECV-1. You should see to_ECV-2_DefaultOverlay for each one.

90. Position your cursor over the Inbound Tunnel and Outbound Tunnel for each flow for
ECV-2. You should see to_ECV-1_DefaultOverlay for each one.

91. From the TG-1011 RDP window, close the \\TG-2011\Shared_Files window, and minimize
the window.

Review
Answer the following questions:

1) If the Discovered Appliances tab shows the wrong information for an EdgeConnect, what
button should you click?
Refresh Discovery Information

2) What is the purpose of the Appliance Wizard?
You configure an EdgeConnect with it. This includes applying a deployment profile, BIOs, and Template Groups.

3) On the Topology tab, what do blue, red, orange, and green lines indicate about tunnels?
Blue = pending, red = down, orange = partially down, and green = up.

4) What can Live View show about an overlay and its underlays?
Charts: Bandwidth, Loss, Jitter, Latency, and MOS. Traceroute chart. Tunnels: Up, Not Meeting Service Levels, or Down.

5) What is the purpose of Orchestrator’s Flows tab?
It shows information from appliances about SD-WAN overlay traffic flows and passthrough traffic flows.


Lab 9: Modify BIO Settings


Note: Previously, you used the default settings for the four preconfigured BIOs. During
this lab, you modify the BIOs’ SD-WAN Traffic to Internal Subnets settings and their
Breakout Traffic to Internet & Cloud Services settings. You then use a CIFS
session to test

Objective

• Distinguish between passthrough traffic, backhauling internet traffic via an overlay, and
local internet breakout

• Configure a BIO’s Peer Unavailable Option to enable passthrough traffic

• Configure necessary settings for backhauling internet traffic

• Configure local internet breakout

Instructions

Note: Previously, you reviewed the default settings of the four preconfigured BIOs. As you
recall, the default settings use interfaces that the EdgeConnect appliances don’t have.
Therefore, the BIOs don’t need to have the cross-connect group enabled.

Task 1: Modify the RealTime BIO


1. From Orchestrator’s tree view, click 3 Appliances.

2. Open the Business Intent Overlays tab. (Configuration > [Overlays & Security] >
Business Intent Overlays)

3. Open the SD-WAN Traffic to Internal Subnets tab of the RealTime BIO.

Note: An overlay uses the SD-WAN Traffic to Internal Subnets settings to reach internal
destinations that match the subnets in the Internet Traffic Definition feature. SD-WAN
traffic includes breakout traffic backhauled to an EdgeConnect hub.


4. Drag & drop these interfaces from the Primary field and back to the Available
Interfaces field:

a. INET2

b. MPLS2

Note: None of the EC-V appliances in the DST lab have these interfaces.

5. Click the Add Backup if Above Are drop-down list, and then click Not Meeting
Service Levels.

6. Enter these Service Level Objective values:

a. Loss: 2%

b. Latency: 100 ms

c. Jitter: 0 ms (Not configured)

7. Click the Peer Unavailable Option drop-down list, and then click Use MPLS1.

Note: In the event that an EdgeConnect doesn’t have a route via an overlay for a
destination IP address, it invokes the Peer Unavailable Option. MPLS is typically
considered secure, whereas sending unencrypted traffic over the Internet is not
considered secure. Therefore, by configuring the Peer Unavailable Option to Use
MPLS1, each EC-V can still reach TG-11411 (10.110.114.11).

8. Click the Breakout Traffic to Internet & Cloud Services tab.

9. Drag & drop the INET2 interface from the Primary field to the Available Interfaces
field.

10. Enter these Performance Threshold values:

a. Loss: 2%

b. Latency: 100 ms

c. Jitter: 0 ms (Not configured)

11. Click the box for Exclude Links That Are Below Performance Thresholds.


Note: ECV-1 and ECV-4 can now perform local internet breakout from their INET1 interfaces.
If the performance of their INET1 interfaces doesn’t meet the performance threshold
values for loss or latency, they switch from INET1 to LTE for local internet breakout. If
no interfaces meet the performance thresholds, the appliances refer to the Preferred
Policy Order.

Note: ECV-2 doesn’t have INET1 or LTE interfaces and can’t perform local internet breakout.
So, it tries to use the Backhaul Via Overlay option in the Preferred Policy Order.

12. Click OK on the Overlay Configuration window.

Task 2: Modify the CriticalApps BIO

13. Repeat steps 3-11 for the CriticalApps BIO.

Note: You add a rule to the Overlay ACL of the CriticalApps BIO. By default, CIFS matches
the DefaultOverlay.

14. Click the Overlay ACL’s edit icon next to the match
criteria field.

15. Click Add Rule on the Associate ACL window.

16. Click the edit icon next to the Match Everything rule.

17. Click More Options to view all of the match criteria options.

18. Click the Application box.

19. Enter cifs in the Type to select field.

20. Click Cifs_smb in the drop-down list that appears.

Note: If you just type CIFS in the field without clicking Cifs_smb in the drop-down list,
it won’t have any effect as match criteria.

21. Click Save on the Match Criteria window.

22. Click Save on the Associate ACL window.

23. Click the Boost drop-down list, and then click Enabled.

24. Click OK on the Overlay Configuration window.


Task 3: Modify the BulkApps BIO

Note: During this task, you modify the BulkApps BIO, and change its topology to Hub &
Spoke.

25. Repeat steps 3-11 for the BulkApps BIO.

26. From the SD-WAN Traffic to Internal Subnets tab, click the Boost drop-down list,
and then click Enabled.

27. Click Mesh in the Topology field.

28. Click Hub & Spoke to change the topology.

29. Click OK on the Overlay Configuration window.

Task 4: Modify the DefaultOverlay BIO


30. Repeat steps 3-11 for the DefaultOverlay BIO.

31. Click the Boost drop-down list, and then click Enabled.

32. Click OK on the Overlay Configuration window.

33. Click Save and Apply Changes to Overlays on the Business Intent Overlays tab.

34. Click Save on the Confirm Changes window.

35. Click Orchestration ETA: 5m, 3 sites in the upper-right corner of Orchestrator’s
interface. The time can vary.

36. When the orchestration is done for every EdgeConnect, click Close.

Note: Orchestrator pushed all of the BIO configuration changes to the EdgeConnect
appliances.

37. Close the Business Intent Overlays tab.

Task 5: Configure ECV-1 as a hub

Note: ECV-1 has MPLS, INET, and LTE WAN interfaces. If you add ECV-1 as a hub, it acts
as a hub for every overlay that Orchestrator applies to it. Therefore, ECV-2 can
backhaul internet traffic to ECV-1.

38. Open the Hubs tab. (Configuration > [Overlays & Security] > Hubs)

39. Click the Type to select field, and then click ECV-1.


40. Click Add Hub.

Note: The Orchestrator performs orchestration to push this configuration change to ECV-1.

41. Click the Google Chrome refresh button on the Landing Desktop PC to see
the updated hubs table that shows ECV-1 if it doesn’t appear automatically.

a. For which overlays is ECV-1 a hub?
It’s a hub for all four preconfigured BIOs: RealTime, CriticalApps, BulkApps, and DefaultOverlay.

42. Close the Hubs tab.

Task 6: View the topology of the overlays’ tunnels


43. Open the Topology tab. (Monitoring > [Summary] > Topology)

44. Click the All Overlays drop-down list, review the topology map for each overlay, and
then answer these questions:

a. What is different about the BulkApps overlay’s topology than the other overlays?
BulkApps has a Hub & Spoke topology.

b. Which topology do the other overlays have?
Mesh topology.

45. Close the Topology tab.

Task 7: Ping from TG-3511 to UBU-1

Note: During this task, you test local internet breakout via ECV-4.

46. From the Landing Desktop PC, open a remote desktop window for TG-3511. (Start
> Remote Desktop Connection > TG-3511 > Connect)

47. From Orchestrator’s tree view, click 3 Appliances to select all of the EdgeConnect
appliances.

48. Open the Flows tab. (Monitoring > [Bandwidth] > [Flows] > Active & Recent Flows)

49. From Orchestrator’s Flows tab, enter 11.1.1.11 in the IP/Subnet field.

50. Click Apply.


51. From TG-3511, open a command prompt window.

52. Enter ping 11.1.1.11 at the command prompt. The ping works.

53. From the Flows tab, click the Flow Detail icon.

54. Answer these questions:

a. Which overlay does the ping match?
DefaultOverlay

b. What is the Tx Reason?
primary. (The primary interface for local internet breakout is wan1 / INET1 / 10.110.116.101.)

c. What is the WAN routing?
Passthrough_INET1_DefaultOverlay (nexthop_10.110.116.1_wan1). (Breakout via INET1 to 10.110.116.1.)

Task 8: Open a CIFS connection between TG-2011 and UBU-1

Note: During this task, you test backhauling CIFS breakout traffic via ECV-2.

Note: In the ReadyTech environment, UBU-1 (11.1.1.11) represents a system on the Internet.

55. From TG-2011, open the UBU-1 Files desktop shortcut.

56. From Orchestrator’s Flows tab, click the refresh button. Two dropped flows via ECV-2
appear with a source IP address of 10.110.20.11 (TG-2011) and a destination IP address
of 11.1.1.11 (UBU-1).

57. Click the Flow Detail icon to view additional information about either flow via
ECV-2, and then answer these questions:

a. What is the flow direction?
Outbound.

b. What is the ingress interface?
Ingress interface = lan0.

c. What is the Tx Reason?
Dropped due to overlay internet policy.

58. Close the Flow details window.

Note: ECV-2 is unable to perform local internet breakout because it doesn’t have any INET
or LTE WAN interfaces. ECV-2 is also unable to backhaul the internet traffic because it
doesn’t have a route to the destination via an overlay. Drop is the last option in the
Preferred Policy Order of the Breakout Traffic to Internet & Cloud Services of the
DefaultOverlay BIO. Therefore, ECV-2 dropped the traffic.

Task 9: Add two static routes to ECV-1

Note: During this task, you add two static routes. ECV-1 will advertise these static routes
via subnet sharing to the other EdgeConnect appliances. Those appliances will use the
routes to backhaul traffic to ECV-1. ECV-1 will then use the default route to reach
UBU-1. The other route ensures that passthrough traffic can reach TG-11411.

59. From Orchestrator’s tree view, click ECV-1.

60. Return to the Routes tab.

61. In the routes table, click the edit icon next to ECV-1.

62. Click Add Route on the Routes - ECV-1 window.

63. Enter these settings for the first route:

a. Subnet/Mask: 10.110.114.0/24

b. Next Hop: 10.110.103.1

c. Metric: 60

d. Comments: For passthrough traffic to TG-11411

64. Click Add on the Add Route window.

65. Click Add Route on the Routes - ECV-1 window.

66. Enter these settings for the second route:

a. Subnet/Mask: 0.0.0.0/0

b. Next Hop: 10.110.104.1

c. Metric: 60

d. Comments: For passthrough traffic to UBU-1


67. Click Add on the Add Route window.

68. Click Apply on the Routes - ECV-1 window.

Note: ECV-1 now has the two static routes in its routes table.

69. From Orchestrator’s tree view, click ECV-2.

70. Review the routes table for ECV-2, and then answer this question:

a. Does ECV-2 have routes via an overlay to the hub, ECV-1, that can reach
TG-11411 and UBU-1?
Yes, it has two routes: 0.0.0.0/0 via ECV-1(HUB) and 10.110.114.0/24 via ECV-1(HUB).

b. How did ECV-2 learn this route?
ECV-2 learned the default route from ECV-1 via subnet sharing.

71. Close the Routes tab.

Task 10: Open a CIFS connection between TG-2011 and UBU-1 again

Note: In the ReadyTech environment, UBU-1 (11.1.1.11) represents a system on the Internet.

72. From Orchestrator’s tree view, click 3 Appliances to select all of the EdgeConnect
appliances.

73. Enter 11.1.1.11 in the IP/Subnet field of the Flows tab.

74. Click Apply.

75. From TG-2011, open the UBU-1 Files desktop shortcut. The
\\UBU-1\Shared_Files window opens.

76. From Orchestrator’s Flows tab, click the refresh button. Three flows
via ECV-1 and ECV-2 appear with a source IP address of 10.110.20.11 (TG-2011)
and a destination IP address of 11.1.1.11 (UBU-1).

77. Click the Flow Detail icon to view additional information about the flow via
ECV-2 with to_ECV-1 in the name of its tunnels, and then answer these questions:

a. What is the flow direction?
Outbound.

b. What are the ingress and egress interfaces?
Ingress interface = lan0. Egress interface = Bonded Tunnel.

c. What is the LAN routing?
lan0.

d. What is the WAN routing?
to_ECV-1_CriticalApps.

78. Close the Flow details window.

79. Click the Flow Detail icon to view additional information about the flow via
ECV-1 with to_ECV-2 in the name of its tunnels, and then answer these questions:

a. What is the flow direction?
Inbound

b. What are the ingress and egress interfaces?
Ingress interface = Bonded Tunnel. Egress Interface = None listed.

c. What is the LAN routing?
HAIRPIN1. (ECV-1 receives traffic from ECV-2 and forwards it to UBU-1.)

d. What is the WAN routing?
to_ECV-2_CriticalApps. (ECV-1 receives traffic from UBU-1 and forwards it to ECV-2 via the CriticalApps overlay.)

80. Close the Flow details window.

81. Click the Flow Detail icon to view additional information about the flow via
ECV-1 with Passthrough in the name of its tunnels, and then answer these
questions:

a. What is the flow direction?
Outbound.

b. What are the ingress and egress interfaces?
Ingress interface = wan0. Egress interface = wan1.

c. What is the LAN routing?
HAIRPIN2. (ECV-1 receives traffic from UBU-1 and forwards it to ECV-2.)

d. What is the WAN routing?
Passthrough_INET1_DefaultOverlay (nexthop_10.110.104.1_wan1). (Default route via 10.110.104.1.)

82. Close the Flow details window.


Note: TG-2011 initiates a connection to UBU-1 which ECV-2 receives. ECV-2 can’t perform
local internet breakout because it doesn’t have INET1 or LTE WAN interfaces. ECV-2
backhauls traffic via the to_ECV-1_CriticalApps overlay to the hub, ECV-1. ECV-1 uses
its default route via 10.110.104.1 to forward passthrough traffic to UBU-1. ECV-1
receives passthrough traffic from UBU-1. ECV-1 forwards the traffic via the
to_ECV-2_CriticalApps overlay to ECV-2. ECV-2 then forwards the traffic from its lan0
interface to TG-2011.
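
The breakout decision this lab exercises, as an added Python model that is not part of the student guide and is not ECOS code. The order it assumes (local breakout on a link that meets the thresholds, then backhaul via overlay, then drop) is taken from the lab's description; the link loss and latency figures are constructed.

```python
"""Simplified model of the internet breakout decision shown in Lab 9."""
import ipaddress
from dataclasses import dataclass, field

# Performance Threshold values entered in the BIO (jitter is not configured).
MAX_LOSS_PCT = 2.0
MAX_LATENCY_MS = 100.0
UBU_1 = "11.1.1.11"   # stands in for a system on the Internet in the lab


@dataclass
class Link:
    label: str          # WAN interface label, e.g. "INET1" or "LTE"
    loss_pct: float     # constructed measurement
    latency_ms: float   # constructed measurement

    def meets_thresholds(self) -> bool:
        # Assumption: a link is excluded only when it exceeds a threshold.
        return self.loss_pct <= MAX_LOSS_PCT and self.latency_ms <= MAX_LATENCY_MS


@dataclass
class Appliance:
    name: str
    breakout_links: list = field(default_factory=list)  # primary first, then backup
    static_routes: list = field(default_factory=list)   # (prefix, next hop)
    overlay_routes: list = field(default_factory=list)  # (network, peer name)


def share_subnets(hub, peers):
    """Subnet sharing: peers install the hub's static routes as routes via an overlay."""
    for peer in peers:
        for prefix, _next_hop in hub.static_routes:
            route = (ipaddress.ip_network(prefix), hub.name)
            if route not in peer.overlay_routes:
                peer.overlay_routes.append(route)


def overlay_peer_for(appliance, dst):
    """Longest-prefix match over the routes learned via an overlay."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, peer) for net, peer in appliance.overlay_routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def decide_breakout(appliance, dst):
    """Return (action, detail) for internet-bound traffic to dst."""
    # 1. Local breakout on the first link that meets the thresholds
    #    (Exclude Links That Are Below Performance Thresholds is selected).
    for link in appliance.breakout_links:
        if link.meets_thresholds():
            return ("local breakout", link.label)
    # 2. Backhaul via overlay, which needs a route to dst via an overlay.
    peer = overlay_peer_for(appliance, dst)
    if peer is not None:
        return ("backhaul via overlay", peer)
    # 3. Drop is the last option, so the traffic goes nowhere.
    return ("drop", "overlay internet policy")


def run_lab_scenario():
    """Replay Tasks 7 to 10 and return each decision."""
    ecv1 = Appliance("ECV-1", [Link("INET1", 0.1, 20.0), Link("LTE", 0.5, 60.0)])
    ecv2 = Appliance("ECV-2")  # no INET1 or LTE interface
    ecv4 = Appliance("ECV-4", [Link("INET1", 0.2, 25.0), Link("LTE", 0.4, 70.0)])
    results = {
        "ecv4": decide_breakout(ecv4, UBU_1),          # Task 7
        "ecv2_before": decide_breakout(ecv2, UBU_1),   # Task 8
    }
    # Task 9: the two static routes added to ECV-1, then advertised to its peers.
    ecv1.static_routes = [("10.110.114.0/24", "10.110.103.1"),
                          ("0.0.0.0/0", "10.110.104.1")]
    share_subnets(ecv1, [ecv2, ecv4])
    results["ecv2_after"] = decide_breakout(ecv2, UBU_1)  # Task 10
    results["ecv1_hub"] = decide_breakout(ecv1, UBU_1)
    # Beyond the lab steps: INET1 on ECV-4 degrades, then LTE degrades as well.
    ecv4.breakout_links[0].latency_ms = 180.0
    results["ecv4_degraded"] = decide_breakout(ecv4, UBU_1)
    ecv4.breakout_links[1].loss_pct = 5.0
    results["ecv4_no_good_link"] = decide_breakout(ecv4, UBU_1)
    return results


if __name__ == "__main__":
    for case, decision in run_lab_scenario().items():
        print(f"{case:18} {decision}")
```

With Drop as the last entry, an appliance that has neither a healthy breakout link nor an overlay route forwards nothing, which is the behavior ECV-2 showed before ECV-1 advertised the default route.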

Review
Answer the following questions:

1) How does the topology change to Hub & Spoke for the BulkApps BIO affect its tunnels?
The overlay only establishes IPsec UDP underlay tunnels from ECV-2 and ECV-4 to the hub, ECV-1.

2) Why was TG-3511 able to ping UBU-1?
ECV-4 performed local internet breakout via its INET1 WAN interface to reach UBU-1.

3) Why was ECV-2 unable to backhaul traffic at first?
ECV-2 didn’t have a route to 11.1.1.11 via an overlay for backhaul traffic.

4) Why did this work after you added the default route via 10.110.104.1 to ECV-1?
ECV-1 advertised this route via subnet sharing to ECV-2 which could backhaul via an overlay to ECV-1 which could reach UBU-1.


Lab 10: Install ECV-5 from an OVA File


Overview

Note: With physical appliances, ECOS is already installed on the appliance. However, since
the virtual appliances don’t have hardware, you install each EC-V in your hypervisor
from an OVA file. In this lab, you install ECV-5.

Objectives

• Install an EC-V appliance from an OVA file in VMware ESXi

• Add network adapters to an EC-V

• Configure a static IP address for an EC-V appliance’s mgmt0 interface

Instructions
Task 1: Install ECV-5 from an OVA file
1. From VMware ESXi, click Virtual Machines in the Navigator pane.

2. Click Create / Register VM.

3. Click Deploy a virtual machine from an OVF or OVA file.

4. Click Next.

5. Enter ECV-5 as the VM’s name.

6. Click the blue Click to select files or drag/drop area.

7. Select ECV-9.0.3.0_89669.ova, and then click Open.

8. Click Next on the Select OVF and VMDK files window.

9. Click Next on the Select storage window.


Caution: During the next step, ensure that you remove the check mark from the
Power on automatically box. If you power on the VM, the initial configuration
wizard won’t find the additional virtual network adapters you add during a later
task.

10. Configure these settings on the Deployment options window:

a. Network mappings: VM Network: SW 01 - Management

b. Disk provisioning: Thin

c. Power on automatically: Not selected

Note: In a production SD-WAN, always choose Thick disk provisioning to avoid performance
issues. You chose Thin in this lab due to limited resources in the ReadyTech
environment.

11. Click Next on the Deployment options window.

12. Click Finish on the Ready to complete window.

13. Click Recent Tasks to expand it if you want to watch the progress of the installation.
When the Result column shows Completed successfully, ECV-5 is installed. The
installation should take about 5 minutes or less.

Task 2: Add three more network adapters to the ECV-5 VM

Note: ECV-5 already has Network adapter 1 for its mgmt0 interface. You add three
more new network adapters: 2, 3, and 4. Network adapter 2 is for the lan0 interface.
Network adapter 3 is for the wan0 interface. Network adapter 4 is for the wan1
interface.

14. Click Actions > Edit settings.

15. Click Add network adapter for the first one.


16. Configure these settings for the first new network adapter:

a. vSwitch Port Group: SW 13

b. Status: Connect at power on: Selected

c. Adapter Type: VMXNET 3

d. MAC Address: Automatic

17. Click Save.

18. Click Actions > Edit settings.

19. Click Add network adapter for the second one.

20. Configure these settings for the second new network adapter:

a. vSwitch Port Group: SW 15

b. Status: Connect at power on: Selected

c. Adapter Type: VMXNET 3

d. MAC Address: Automatic

21. Click Save.

22. Click Actions > Edit settings.

23. Click Add network adapter for the third one.

24. Configure these settings for the third new network adapter:

a. vSwitch Port Group: SW 16

b. Status: Connect at power on: Selected

c. Adapter Type: VMXNET 3

d. MAC Address: Automatic

25. Click Save.

26. Click Power on.


Task 3: Record the MAC addresses of ECV-5’s network adapters


27. From VMware ESXi, click Virtual Machines in the Navigator pane.

28. Click the name of ECV-5 in the list of virtual machines.

29. In the Hardware Configuration section, click the disclosure triangle next to each of
the four network adapters to show their settings.

30. Review each network adapter’s settings, and then record the last two digits of each
MAC address in the following table.

ECV-5 Information

Network Adapter   MAC Address (Record the last 2 digits)   Port Group            ECV-1 Interface
1                                                          SW 01 - Management    mgmt0
2                                                          SW 13                 lan0
3                                                          SW 15                 wan0
4                                                          SW 16                 wan1


Task 4: Record the DHCP-assigned IP address of mgmt0 for ECV-5

Note: ECV-5 is already installed, but not completely configured. The next few steps show
another method for determining the mgmt0 IP address of an EC-V.

31. In VMware ESXi, open a console for ECV-5 in a new tab. (Console > Open console in new
tab)

32. The IP address is at the top of the console window. The last octet of the IP address
can vary. If the address is not present, notify your instructor.

33. Record the DHCP IP address of ECV-5’s mgmt0 interface: __________________

Note: If your cursor becomes stuck in the VMware ESXi console window, enter CTRL + ALT
on your keyboard to release the cursor. If you’re using a Mac computer, enter
CTRL + Option.

34. Close the ECV-5 console tab.

Review
Answer the following questions:

1) From what type of file do you install an EdgeConnect virtual appliance in VMware ESXi?
.OVA file


Lab 11: Configure ECV-5 with Appliance Preconfiguration

Overview
You can create an appliance preconfiguration YAML file for an EdgeConnect from
Orchestrator. You use a physical appliance’s serial number or an EC-V’s appliance tag to
specify which YAML file Orchestrator applies to an EdgeConnect. When Cloud Portal reports a
new EdgeConnect to Orchestrator, you can approve the appliance manually or automatically.
In this lab, you manually approve the new EC-V, and then apply the appliance preconfiguration
YAML file which configures it.

Objective

• Create an appliance preconfiguration YAML file

• Configure an appliance preconfiguration YAML file

• Apply an appliance preconfiguration file to an EC-V to automate its configuration

Instructions
Task 1: Create a preconfiguration file for ECV-5
1. From Orchestrator, open the Preconfigure Appliances tab. (Configuration > [Overlays &
Security] > [Discovery] > Preconfiguration)

2. Click New on the Preconfigure Appliances tab.

3. Enter ECV-5_Config as the YAML file’s name.

4. Enter ECV-5_tag in the Appliance Tag field.


5. Click in the text field on the right side, select all of the text, and then delete it.

6. From the Landing Desktop PC, open the DST Lab Files desktop shortcut.

7. Open the ECV-5_YAML.txt file.

8. Click in the YAML file, and then select all of the text.

9. Copy the text, and then paste it into the empty text field of the new YAML file on the
Appliance Preconfiguration window.


10. Click Validate. The message Preconfiguration is valid should appear. If not, use the
message to determine the location of the error. Correct the error, and then repeat this
step.

11. Click Save. The file appears in the Preconfigure Appliances list with a status of
Pending Discovery.

12. Close the Preconfigure Appliances tab.

Task 2: Complete the initial configuration wizard for ECV-5


13. Open a new tab in Google Chrome on the Landing Desktop PC.

14. Enter the IP address of ECV-5’s mgmt0 interface into the Google Chrome
address bar. You recorded

15. Click through any Google Chrome security warnings that might appear.

16. Log in to ECV-5 with these credentials:

a. User Name: admin

b. Password: admin

17. Click Login to open the Initial Config Wizard. If the Initial Config Wizard doesn’t
automatically appear after you log in, click Configuration > [System & Networking] >
Initial Config Wizard to open it.

18. Enter ECV-5 in the Appliance Hostname field.

19. Assign the correct MAC address to each interface based on the ECV-5 Information
table you noted during Task 3: Record the MAC addresses of ECV-5’s network
adapters of Lab 10.


20. From the License.txt file, copy the account name and account key, and then paste
them into the related Registration fields.

Caution: The next step is essential to make the Appliance Tag of ECV-5 match
the Appliance Tag of the YAML preconfiguration file during Task 5: Apply the
Appliance Preconfiguration for ECV-5.

21. Enter ECV-5_tag in the Appliance Tag field.

22. Click Save on the Configuration Wizard window.

23. Click No, reboot later on the Confirm window.

Caution: If you clicked Yes, reboot Now by mistake or made a mistake during the
Configuration Wizard and can no longer access the EdgeConnect via HTTPS, refer to
Appendix A, Issue #3.

24. Wait for the Save Changes and Reboot Required buttons to appear. If necessary,
refresh the Google Chrome window to cause the buttons to appear.

25. Click Save Changes.


26. Click Reboot Required.

27. Click Reboot on the Reboot window.

28. Close the ECV-5 tab. You don’t need to wait for the EdgeConnect to reboot.

Note: Until you approve the EdgeConnect from Orchestrator, you won’t be able to access it
via HTTP / HTTPS.

Task 3: Open Orchestrator’s Discovered Appliances tab


29. From Orchestrator, in the top-right corner, click the Appliances Discovered button to
open the Discovered Appliances tab.

30. Click Refresh Discovery Information. It’s not an issue if the IP address field doesn’t
show an entry.

Caution: If any EdgeConnect continues to show Unreachable in the Reachability
column after you click this button several times, notify your instructor.

Task 4: Approve ECV-5 from Orchestrator


31. From Orchestrator’s Discovered Appliances tab, on the row for
ECV-5, click Approve.

32. Click Skip for Upgrade Appliance.

Task 5: Apply the Appliance Preconfiguration for ECV-5


33. The Apply Appliance Preconfiguration window appears. The ECV-5_tag
Appliance Tag caused Orchestrator to show the ECV-5_Config file. The
Preconfiguration and Discovered appliance tags are both ECV-5_tag.

34. If ECV-5_Config is not already in the Name field, enter it now.

35. Before you apply the preconfiguration file, scroll through these lines of YAML code
and answer these questions:

a. What is on lines 61 to 75?
Appliance Info that includes the hostname, group, and address.

b. What is on lines 84 to 86?
The Default Template Group.


c. What is on lines 93 to 98?
A list of the Business Intent Overlays.

d. What is on lines 298 to 341?
Deployment information: Deployment mode, bandwidth, and interface settings.

e. What is on lines 394 and 395?
SD-WAN licensing information and the amount of Boost.

f. What is on lines 446 to 450?
Subnet sharing settings.

36. Click Apply Preconfiguration. The Appliance Preconfiguration Apply Status window
appears.

37. Verify that each item lists Success, and that the Status is Success. If any issues
occur, notify your instructor.

Note: It takes about 5 minutes for Orchestrator to apply the preconfiguration to ECV-5.
This process includes a reboot of ECV-5.

38. Click Close on the Appliance Preconfiguration Apply Status window.

39. Close the Discovered Appliances tab.

Task 6: Configure ECV-5’s mgmt0 with a static IP address

Note: You need to wait for several minutes while Orchestrator synchronizes with ECV-5.
When ECV-5 has a solid icon and text in Orchestrator’s tree view, the synchronization
is done.

40. From Orchestrator’s tree view, right-click ECV-5, and then click Appliance
Manager. Orchestrator logs in the admin account to the web interface of the ECV-5
appliance.


41. Open the Hostname/IP window. (Administration > [Basic Settings] > Hostname / IP)

42. Click the DHCP check box for mgmt0, and then click the check box a second time to remove the check mark.

43. Enter the IP address 192.168.1.8/24.

44. Click Apply. A status window with Applying Hostname/IP changes appears. If this
continues for more than 1 minute, refresh the Google Chrome window from the
Landing Desktop PC.

45. Click Save Changes in the upper-right area.

Note: After several minutes, Orchestrator’s tree view shows the updated management IP
address for each EdgeConnect. Once Orchestrator’s tree view shows the management
IP addresses that appear in the DST Lab Topology diagram, you can click Generate New Key
Now when an account key notification appears in Orchestrator. You then need to click Close
on the Cloud Portal window that appears.

46. Close the Google Chrome tab for ECV-5.

Review
Answer the following questions:

1) What is the purpose of the appliance tag?


The appliance tag is the identifier that matches an appliance preconfiguration YAML file to a specific EC-V appliance.

2) Why is it important to validate an appliance preconfiguration file?


This ensures the file does not contain errors.


Lab 12: Configure Traditional HA


Overview
Site 3 - Santa Clara is a data center with ECV-4 and ECV-5 in a Traditional HA reference
architecture configuration. Both appliances have MPLS and internet WAN links. In this lab, you
configure VRRP and other settings that enable Traditional HA and ensure deterministic traffic
flows that avoid asymmetry.

Objectives

- Configure the site name for EdgeConnect appliances

- Configure VRRP on EdgeConnect appliances

Instructions
Task 1: Configure the same site name for ECV-4 and ECV-5

Note: When EdgeConnect appliances are at the same site, they build IPsec UDP
underlays between them unless you specify the same site name for each one.

1. From Orchestrator’s tree view, right-click ECV-4, and then click System Information.

2. Click System Settings on the System Information - ECV-4 window.

3. Enter Site 3 - Santa Clara in the Site Name field.

4. Click Apply.

5. From Orchestrator’s tree view, right-click ECV-5, and then click System Information.

6. Click System Settings on the System Information - ECV-5 window.


7. Enter Site 3 - Santa Clara in the Site Name field.

8. Click Apply.

9. From Orchestrator’s tree view, click Site 3 - Santa Clara.

10. Open the Tunnels tab. (Configuration > [Networking] > [Tunnels] > Tunnels)

11. Click Underlay on the Tunnels tab, and then answer this question:

a. Do ECV-4 and ECV-5 have underlay tunnels between them?


No, because they have the same site name, they don’t have underlay tunnels between them.

Task 2: Configure VRRP for ECV-4


12. From Orchestrator’s tree view, select only the Site 3 -
Santa Clara group.

13. Open the VRRP tab. (Configuration > [Networking] > VRRP)

14. From the VRRP tab, click the edit icon next to ECV-4.

15. From the VRRP - ECV-4 window, click Add VRRP.

16. Configure these VRRP settings for ECV-4.

a. Group ID: 1

b. Interface: lan0

c. Virtual IP: 10.110.35.254

d. Priority: 254

e. Preemption: Selected


17. Click Apply.

Task 3: Configure VRRP on ECV-5

18. From the VRRP tab, click the edit icon next to ECV-5.

19. From the VRRP - ECV-5 window, click Add VRRP.

20. Configure these VRRP settings for ECV-5.

a. Group ID: 1

b. Interface: lan0

c. Virtual IP: 10.110.35.254

d. Priority: 128

e. Preemption: Selected

21. Click Apply.

22. Close the VRRP tab.


Review
Answer the following questions:

1) When would you use VRRP in an Aruba SD-WAN?


Reference architectures: Traditional HA, EdgeHA.

2) How do you ensure that an EdgeConnect is the VRRP master?


Give it the higher priority value. (1-254 are valid values)

3) Why would you choose to use VRRP preemption?


Preemption ensures that an EdgeConnect is the master when it’s operational.
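
The priority and preemption answers above, modelled as an added example (not Orchestrator or ECOS code): a simplified VRRP election that uses this lab's values (ECV-4 priority 254, ECV-5 priority 128, lan0 addresses from Appendix C). The class, the function names, and the fail-and-recover sequence are assumptions made for illustration; advertisement timers are not modelled.

```python
"""Simplified VRRP master election (added example, not vendor code)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class VrrpRouter:
    name: str
    priority: int        # configurable range used in this lab: 1-254
    interface_ip: str    # lan0 address (Appendix C)
    preempt: bool = True
    up: bool = True

    def __post_init__(self):
        if not 1 <= self.priority <= 254:
            raise ValueError(f"{self.name}: priority must be 1-254")


def _rank(router):
    # Higher priority wins; on a tie the higher interface IP address wins.
    return (router.priority, int(ipaddress.ip_address(router.interface_ip)))


def elect(routers, current_master=None):
    """Return the name of the router that holds the virtual IP, or None."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    incumbent = next((r for r in alive if r.name == current_master), None)
    if incumbent is None:
        # No healthy master: the best surviving router takes over.
        return max(alive, key=_rank).name
    # A healthy master is displaced only by a better-ranked router
    # that has preemption enabled.
    challengers = [r for r in alive
                   if r.preempt and _rank(r) > _rank(incumbent)]
    return max(challengers, key=_rank).name if challengers else incumbent.name


def run_failover(preempt):
    """Master after: initial election, ECV-4 failure, ECV-4 recovery."""
    ecv4 = VrrpRouter("ECV-4", 254, "10.110.35.101", preempt)
    ecv5 = VrrpRouter("ECV-5", 128, "10.110.35.102", preempt)
    group = [ecv4, ecv5]
    timeline = []
    master = elect(group)
    timeline.append(master)
    ecv4.up = False                      # constructed failure of ECV-4
    master = elect(group, master)
    timeline.append(master)
    ecv4.up = True                       # ECV-4 returns to service
    master = elect(group, master)
    timeline.append(master)
    return timeline


if __name__ == "__main__":
    print("preemption on :", run_failover(True))
    print("preemption off:", run_failover(False))
```

With preemption cleared, ECV-5 keeps the virtual IP after ECV-4 recovers, which is the non-deterministic traffic path that the Preemption: Selected setting in Tasks 2 and 3 avoids.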


Lab 13: Monitor Flows


Overview
Monitoring flows from Orchestrator is essential to understand how traffic flows through your
SD-WAN. You open an FTP file sharing connection between TG-1011 at Site 1 - Singapore and
TG-2011 at Site 2 - Mumbai. You then view the flow and use built-in trend-charting functions
and usage displays.

Objectives

- Identify flows

- Examine flow details

- Identify which overlay and underlays a flow uses

- Use monitoring features that show trend charts

Instructions
Task 1: Open an FTP session between TG-2011 and TG-1011
1. From Orchestrator’s tree view, select ECV-1 and ECV-2.

2. From the Flows tab, click Clear.

3. Enter 10.110.10.11 in the IP/Subnet field.

4. Verify that only Active is selected. If not, click Ended to deselect it so that only active flows appear, and then click Apply.

5. From the Landing Desktop PC, open a remote desktop window for TG-1011. (Start > Remote Desktop Connection > TG-1011 > Connect)

6. Open the FileZilla app.

7. Enter these credentials in FileZilla:

a. Host: 10.110.20.11

b. Username: anonymous

c. Password: Speak-123

8. Click Quickconnect.

Task 2: View the FTP flows between TG-1011 and TG-2011


9. From Orchestrator’s Flows tab, click the refresh button.

10. View the flows on ECV-1 and ECV-2.

11. Open the Flow Detail window for the flow via ECV-1, review its output, and then
close the window.

12. Open the Flow Detail window for the flow via ECV-2, review its output, and then
close the window.

13. Answer these questions:

a. Which overlay did the FTP flows match?


BulkApps

b. What is the Flow Direction for each flow?


ECV-2: Outbound. ECV-1: Inbound

c. Which overlay tunnel does the outbound flow via ECV-1 use?
Outbound: to_ECV-2_BulkApps. Inbound: to_ECV-2_BulkApps.

d. Which overlay tunnel does the inbound flow via ECV-2 use?
Inbound: to_ECV-1_BulkApps. Outbound: to_ECV-1_BulkApps.

14. Close the Flows tab.

Task 3: View the tunnels for the FTP flows


1. Open the Tunnels tab. (Configuration >
[Networking] > [Tunnels] > Tunnels)

2. Click Underlay on the Tunnels tab.

3. Enter BulkApps in the Search field.


4. How many underlay tunnels does the BulkApps overlay use?


8 underlay tunnels (8/10 Rows).

5. If you want to find underlay tunnels with a down status on the Tunnels tab, how
can you identify them?
Status drop-down menu. Click the Status column to show down underlays at the top.

6. Close the Tunnels tab.

Task 4: View the FTP session with monitoring features


7. From TG-2011’s RDP window, right-click the 5_Trading.mdb file in the Remote Site pane of the FileZilla window, and then click Download.

8. Paste the file 5_Trading.mdb to TG-2011’s desktop. This starts a file transfer with CIFS traffic you can view with monitoring features.

9. Open the Tunnel Bandwidth Trends tab. (Monitoring > [Bandwidth] > [Tunnels] > Trends)

10. Verify that the boxes are active and show their colors.

a. If they have a pale color, they are inactive, and their data won’t appear in the graphs.


11. Select these options on the Tunnel Bandwidth Trends tab:

a. Real Time

b. BulkApps (Overlays drop-down list)

c. Outbound

12. Click the refresh button.

13. The graph for to_ECV-2_BulkApps(ECV-1) shows the data that flows from
TG-1011 to ECV-1 to ECV-2 on its way to TG-2011. It shows the majority of the data
for the FTP flows.

14. The graph for to_ECV-1_BulkApps(ECV-2) shows the data that flows from
TG-2011 to ECV-2 to ECV-1 on its way to TG-1011. It is FTP data for requesting the
file and related acknowledgements.

15. Click Show Underlays below the graphs. These graphs show the data for the
underlays that carry the FTP flows.


16. Click Close.

17. Click Monitoring > [Bandwidth] > [Appliances] > Trends to open the Bandwidth Trends tab.

18. Select these options on the Bandwidth Trends tab:

a. Real Time

b. All Traffic (Traffic type drop-down list)

c. Outbound

19. Click the refresh button.

20. The graphs show the overall bandwidth usage for ECV-1 and ECV-2.


Note: A strength of Aruba SD-WAN is its monitoring options. You can monitor the charts for
trend analysis over time. Some monitoring features have real-time view options, while
others display data after one hour or more.

21. Close the Tunnel Bandwidth Trends tab and the Bandwidth Trends tab.

Task 5: Close the FTP session


22. Go to the TG-2011 RDP window.

23. Close FileZilla.

24. If a file transfer is still in progress, click Yes on the Close FileZilla window.

Task 6: Erase Network Memory for ECV-1 and ECV-2

Note: Erasing network memory for an appliance is a tool you can use to measure baseline
performance, against which you can measure the performance of an EdgeConnect
appliance’s populated disk cache. Don’t use this outside of a scheduled maintenance
window because it negatively affects performance until EdgeConnect rebuilds its disk
cache.

25. From Orchestrator’s tree view, select only ECV-1 and ECV-2.

26. Click Administration > [Tools] > Erase Network Memory.

27. Click the Erase Network Memory button.

28. Click Close after the appliances have erased their network memory.


Review
Answer the following questions:

1) What useful information does a flow detail provide?


Route policy, overlay matched, Tx / Rx information, WAN / LAN routing information, security / firewall information.

2) Why would you use the Tunnel Bandwidth Trends tab?


It shows bandwidth through the overlay between two appliances. You can also see the bandwidth for the underlays the overlay uses.

3) Why would you use the Bandwidth Trends tab?


It shows the amount of LAN and WAN bandwidth that an EdgeConnect uses over a period of time.

4) When is it appropriate to use the Erase Network Memory feature?


During a maintenance window to establish baseline performance measurements: empty disk cache vs. full disk cache.


Lab 14: Configure a Report


Overview
An organization’s teams and leadership use reports to make business decisions. In this lab, you
create, schedule, and view a custom report.

Objectives

- Create a report

- Schedule a report

- View a report

Instructions
Task 1: Create a report
1. From Orchestrator’s tree view, click 4 Appliances.

2. Open Schedule & Run Reports. (Monitoring > [Reporting] > Schedule & Run Reports)

3. Click New Report.

4. Enter Training as the report’s name.


5. Click Save.


6. Configure the Training report with these options:

a. Appliances in Report: Use Tree Selection

b. Email Recipients: student@training.local

c. Traffic Type: All Traffic

d. Application Charts:

- Application Bandwidth

- Application Pie Charts

e. Tunnel Charts:

- All Overlays

- Health Map

- Flow Counts

- Loss

- Latency

f. Appliance Charts:

- Top Talkers

- Top Domains

- Top Countries

Task 2: Schedule a report


7. Click Run Scheduled Report.

8. Click Edit next to the Run Scheduled Report box.


9. Configure these scheduled report options:

a. Daily

b. Every day

c. Time: 03:00

d. Starting On: (Click the calendar icon.)

- Current date

- 10 minutes from now

10. Click OK on the Schedule window.

11. Click Save on the Schedule & Run Reports tab.

Task 3: Run an on-demand report


12. Click Run Single Report with Custom
Time Range.

13. Click the left-side field and set the start time field to yesterday’s date at 08:00.

14. Click the right-side field and set the end time field to the current date and time.

a. As an alternative, you can also click the Now button at the bottom of the calendar pop-up.

15. Click Run Now below the Scheduled or Single Report section. While Orchestrator generates the
report, it shows a spinning circle icon and a Stop button. When Orchestrator has generated the report,
it shows a success message at the bottom of the window.


Task 4: View the on-demand report


1. Click View Reports at the top of the
Schedule & Run Reports tab.

2. Click the download icon to the right of the daily report. Google Chrome shows a
download notification in the bottom-left corner.

3. Click the arrow to the right of the download notification, and then click Open. The report
PDF opens in a new Google Chrome tab.

4. Page 1 shows the Health Map.

5. Page 2 shows Application Pie Charts. Answer these questions:

a. What is the top application for Outbound LAN?


Cifs_smb or Icmp is probably the top application.

b. What is the top application for Outbound WAN?


Icmp is probably the top application.


6. Page 3 shows Application Bandwidth and Loss.

7. Page 4 shows Latency and Tunnel Flow Counts.


8. Page 5 shows Top Talkers, Domains, and Countries. Answer the following
question:

a. What are the two top talkers?


The top talkers on the chart can vary.

9. Pages 5 and 6 show an Orchestrator Report Summary.

10. Close the View Reports tab.

11. Close the Schedule & Run Reports tab.


Task 5: View the emailed report


12. From the Landing Desktop PC, open the Thunderbird email client. (Start >
Thunderbird)

Note: Thunderbird takes about 1 minute to start.

13. Click the most recent Silver Peak Orchestrator Report: Training email to open it.

14. Review the sections of the emailed report.

15. Close Thunderbird.

Review
Answer the following questions:

1) With what data granularity can you run reports?


Daily (14 days default) and hourly (24 hours default).

2) What types of charts can a report show?


Application charts, tunnel charts, and appliance charts.


Lab 15: Use Troubleshooting Tools


Overview
EdgeConnect appliances provide Ping, Traceroute, and Link Integrity Test utilities you can use
for troubleshooting purposes. In this lab, you use the Ping and Traceroute utilities to test
connectivity, and then verify the performance of a WAN connection between two EdgeConnect
appliances with the Link Integrity Test.

Objectives

- Use the ping utility and its options

- Use the traceroute utility and its options

- Use the Link Integrity Test utility

Instructions
Task 1: Ping from ECV-1 to TG-3511
1. In Orchestrator’s tree view, right-click ECV-1, and then click Appliance Manager.

2. From ECV-1’s Appliance Manager, open the Ping / Traceroute window. (Maintenance > [Tools] > Ping / Traceroute)

3. Ping from ECV-1 to ECV-2 over the MPLS WAN transport:

a. Click Ping.

b. Enter 10.110.35.11 in the IP/Hostname field.


c. Enter -I 10.110.103.100 as the source IP address. If you don’t specify the
-I option, the EdgeConnect uses its mgmt0 IP address as the source IP
address.

4. Click Start.

5. Review the ping output to verify connectivity.

6. Click Stop.

7. Click the Google Chrome refresh button.


Task 2: Perform a traceroute from ECV-1 to TG-3511


8. Traceroute from ECV-1 to TG-3511:

a. Click Traceroute.

b. Enter 10.110.35.11 in the IP/Hostname field.


c. Enter -s 10.110.103.100 as the source IP address.

Note: If you don’t specify the -s option, the EdgeConnect uses its mgmt0 IP address as the
source IP address.

9. Click Start.

10. Review the traceroute output to verify connectivity.

11. Click Stop.

Task 3: Use the Link Integrity Test between ECV-1 and ECV-2

Caution: The Link Integrity Test is service impacting. Only use this tool during a
scheduled maintenance window.

12. From Orchestrator’s tree view, select only ECV-1 and ECV-2.

13. Open the Link Integrity Test. (Administration > [Tools] > Link Integrity Test)

14. Configure these settings for the Link Integrity Test:

a. Bandwidth →: 2000

b. Bandwidth : 2000

c. Duration: 10

d. DSCP: any

e. Mode: to_ECV-2_MPLS1-MPLS1 - to_ECV-1_MPLS1_MPLS1

Note: This uses the MPLS underlay tunnels between ECV-1 and ECV-2.

f. Test Program: iperf

15. Click Start. Iperf runs for 10 seconds in each direction.

16. When the test is done, Orchestrator shows the results:

a. The test runs first in one direction, and then in the other direction.

b. The client side shows what the EdgeConnect sends.


c. The server side shows what the EdgeConnect receives.

d. Each row is one second and shows the amount of data transferred, the
bandwidth, the jitter, and the amount of packet loss.

Review
Answer the following questions:

1) Why do you need to specify a data path source address for a ping or traceroute?
If you don’t do this, the EdgeConnect uses the IP address of its mgmt0 interface as the source IP address.

2) What information does the Link Integrity Test provide?


Amount of data transferred, bandwidth, jitter, and packet loss.


Appendix A: Solutions to Common Issues


Issue #1: Restarting Orchestrator
Only follow these steps if Orchestrator’s web interface fails to load in the web browser. If
needed, ask your instructor for assistance.

1. From the Landing Desktop PC, open VMware ESXi in Google Chrome.
(https://esxihost)

2. Click Virtual Machines in the Navigator pane.

3. Click the checkbox next to Orchestrator in the list of virtual machines.

4. Click Actions > Power > Reset.

5. Click Orchestrator in the list of virtual machines.

6. Click the Orchestrator’s console window.

7. Verify that Orchestrator reboots and returns to the Orchestrator login prompt.

8. Open Google Chrome on the Landing Desktop PC to https://192.168.1.254.

Issue #2: Resolving Non-US Keyboard Issues


If you find that your keyboard entries cause incorrect characters to appear on the screen, you
might need to use the on-screen keyboard.

1. Click the Readytech Desktop menu.

2. Choose Enable Viewer Toolbar.

3. Click the Keys drop-down menu.

4. Click Open onscreen keyboard.

5. Click and drag the on-screen keyboard over the console window. It might be
necessary for you to position the on-screen keyboard so that the letter you want to
enter is directly over the console window’s active area.


Issue #3: Unable to access EC-V after reboot following Initial Configuration Wizard
Due to changes to the default deployment mode functionality, after you reboot an
EdgeConnect following the Initial Configuration Wizard, you can’t access it via HTTP/HTTPS
until you approve its registration from Orchestrator. If you applied the incorrect license account
name and / or account key, or you assigned the incorrect MAC addresses to the EdgeConnect
appliance’s interfaces, follow these steps:

1. From VMware ESXi, open a console window for the EdgeConnect.

2. Press F1 to start a command line interface (CLI).

Note: With some keyboards, you might need to enter the Fn (Function) key and the F1 key
together.

3. Enter the username admin and the password admin.

4. Enter enable at the command prompt.

5. Enter configure terminal.

6. Enter reboot empty-db.

Note: This command resets the EdgeConnect to factory default settings.

7. After the EdgeConnect is done rebooting, note the IP address at the top of the
console window.

Note: You need to wait about 2 minutes before the EdgeConnect accepts HTTPS connection
attempts.

8. Open a Google Chrome tab, enter https:// followed by the IP address from step
7, and then press Enter.

9. Click through any Google Chrome security warnings that might appear.

10. Log in to the EdgeConnect with these credentials:

a. User Name: admin

b. Password: admin

11. Click Login to open the Initial Config Wizard. If the Initial Config Wizard doesn’t
automatically appear after you log in, click Configuration > [System & Networking] >
Initial Config Wizard on the appliance’s menu to open it.


Appendix B: DST Lab Topology


The 192.168.1.0/24 subnet is the out-of-band management network. Most devices also have one or more data path IP addresses with
the format 10.110.x.y/24. Site 1 represents a branch office. Site 2 is a regional office with one EdgeConnect, and another planned for
the future. Site 3 represents an organization’s campus that has two data centers, each with one EdgeConnect.

Appendix C: Summary of Orchestrator and EC-V Appliances


| Virtual Machine | Network Adapter | VMware ESXi Virtual Switch (Port Group) | MAC Address | EC-V Interface | IP Address | Next-hop IP Address |
|---|---|---|---|---|---|---|
| Orchestrator | 1 | SW 01 - Management | Automatic | N/A | 192.168.1.254/24 | 192.168.1.253 |
| ECV-1 | 1 | SW 01 - Management | 00:50:56:01:01:01 | mgmt0 | 192.168.1.4/24 | N/A |
| ECV-1 | 2 | SW 02 | 00:50:56:01:01:02 | lan0 | 10.110.10.100/24 | N/A |
| ECV-1 | 3 | SW 03 | 00:50:56:01:01:03 | wan0 | 10.110.103.100/24 | 10.110.103.1 |
| ECV-1 | 4 | SW 04 | 00:50:56:01:01:04 | wan1 | 10.110.104.100/24 | 10.110.104.1 |
| ECV-1 | 5 | SW 05 | 00:50:56:01:01:05 | wan2 | 10.110.105.100/24 | 10.110.105.1 |
| ECV-2 | 1 | SW 01 - Management | 00:50:56:02:02:01 | mgmt0 | 192.168.1.5/24 | N/A |
| ECV-2 | 2 | SW 06 | 00:50:56:02:02:02 | lan0 | 10.110.20.100/24 | N/A |
| ECV-2 | 3 | SW 08 | 00:50:56:02:02:03 | wan0 | 10.110.108.100/24 | 10.110.108.1 |
| ECV-4 | 1 | SW 01 - Management | 00:50:56:04:04:01 | mgmt0 | 192.168.1.7/24 | N/A |
| ECV-4 | 2 | SW 13 | 00:50:56:04:04:02 | lan0 | 10.110.35.101/24 | N/A |
| ECV-4 | 3 | SW 15 | 00:50:56:04:04:03 | wan0 | 10.110.115.101/24 | 10.110.115.1 |
| ECV-4 | 4 | SW 16 | 00:50:56:04:04:04 | wan1 | 10.110.116.101/24 | 10.110.116.1 |
| ECV-5 | 1 | SW 01 - Management | Automatic | mgmt0 | 192.168.1.8/24 | N/A |
| ECV-5 | 2 | SW 13 | Automatic | lan0 | 10.110.35.102/24 | N/A |
| ECV-5 | 3 | SW 15 | Automatic | wan0 | 10.110.115.102/24 | 10.110.115.1 |
| ECV-5 | 4 | SW 16 | Automatic | wan1 | 10.110.116.102/24 | 10.110.116.1 |

202 - DST 9.0.4 9.0.3 Student Guide page 107 of 108


INSTRUCTOR VERSION

Appendix D: User IDs and Passwords Lab Access Code

| System/Platform | User | Password | Notes |
|---|---|---|---|
| Landing Desktop PC | Administrator | Speak-123 | Windows PC. Access other devices from it. |
| VMware ESXi web client | root | Training1! | Access via Google Chrome from the Landing Desktop PC. |
| Orchestrator | admin | Speak-123 | Initial default password: admin |
| EdgeConnect appliances (ECV-1, 2, 4, and 5) | admin | Speak-123 | Initial default password: admin |
| Traffic Generator PCs (TG-1011, TG-2011, TG-3511, TG-11411) | Administrator | Speak-123 | Traffic generator PCs at each site. |
| FTP servers | student (UBU-1), anonymous (TG PCs) | Speak-123 (both) | Use the Quickconnect button. |
| hMail Server | Provided by hMail Server. | Speak-123 | Not for student use. |
| Kwanem Emulators (K1-MPLS, K2-Internet, K3-LTE) | root | Speak-123 | Not for student use. |
