ASD 9.2 Lab Guide v1.8
Lab Guide for ASD 9.2 v1.8
Instructor-Led and Self-Paced versions of the course
December 1, 2023
ASD 9.2. Student Lab Guide v1.8 Do Not Replicate Page 1 of 211
DRAFT
Trademark Notification
The following are trademarks of Silver Peak (acquired by Aruba, a Hewlett Packard Enterprise
company, in 2020): Silver Peak Systems™, the Silver Peak logo, Network Memory™, Silver Peak
NX-Series™, Silver Peak VX-Series™, Silver Peak VRX-Series™, Silver Peak Unity EdgeConnect™,
Silver Peak Orchestrator™, Aruba EdgeConnect™, Aruba Orchestrator™, and Aruba Boost™. All
trademark rights reserved. All other brand or product names are trademarks or registered trademarks
of their respective companies or organizations.
https://inter.viewcentral.com/events/cust/cust_tracks.aspx?company_login_id=aruba&pid=1&track_id=43
Table of Contents
LAB 5: BGP (page 82)
eLearning Students Only: Please read this section and perform the tasks outlined below.
Lab Support
Aruba EdgeConnect Training Support
• Support for issues with the lab, the lab guide and the Orchestrator and ECV virtual machines.
Examples: appliance not registered, tunnel(s) down, connections not forming, etc.
• EdgeConnect Training Support is available Monday – Friday, 9:00 AM – 5:00 PM US/Pacific.
Emails sent to the EdgeConnect training team outside of these hours will receive responses
the following business day.
• For help, send an email to sp-training@hpe.com. Be sure to include the following:
1. Lab # and Lab Title
2. Your lab Access Code
3. Page #, Task #, and Step # in the Lab
4. Brief description of the issue and screenshot if helpful.
ReadyTech Support
• Support for lab environment issues – inability to login to lab desktop, problems with
applications on the lab desktop, lab freezing, etc.
• ReadyTech support is available 24 x 7.
• For help, send an email to get-support@readytech.com. You may also contact ReadyTech
support using the Chat option in the support menu. The ReadyTech support team does not
have knowledge of the lab or lab guide and only supports the virtual environment.
Note that solutions to common lab issues may be found in Appendix A at the end of the lab guide.
Materials
You will use this guide for all 11 labs in the course. Unless you have multiple monitors, it will be
inconvenient to use the PDF to complete the labs, so it may be useful to print this guide.
Printing the manual will allow you to keep the lab on your screen while you are following directions
and take notes on the printed copy.
We have found that if you only have a single screen and don’t print this manual, labs can take 30%
longer to complete, and students make 50% more errors because they are constantly switching back
and forth between the manual and the lab environment.
Lab Environment
Labs for this course are implemented in the ReadyTech hosted training environment.
IMPORTANT NOTE:
In order to access the lab, follow the process in the video "Hands on Lab - Part A" to request
a lab voucher through the purchase portal. There is a link in the video you click on to
acknowledge that you understand the process and request a lab voucher.
1. Click the link on the video screen to go to the lab purchase portal.
2. You will be taken directly to Advanced Aruba SD-WAN Deployments v9.2 – PART A
(Catalog ID: ASD v9.2 – PART A).
4. Click Check out.
7. Click Next.
8. Check the acknowledgement checkbox. Aruba will be billed. Your cost is $0.00 as shown.
9. Click Place order.
be displayed.
Check your email. Find and open the email containing your voucher information.
14. Fill in your personal information. Enter the email address you used to register for this
course in the Silver Peak training portal.
a. If this is incorrect, it will be difficult for you to get support if needed.
You will have one day (24 hours) of access time beginning when you click ‘Start the
lab’. If you do not start the lab within a few hours, you will not have time to complete
it. All Aruba EdgeConnect labs are designed to be completed within 4-5 hours.
Note: Although the message says it may take up to xxx minutes to start (150 in the screen
shot below), your wait should only be 5-10 minutes as machines are deployed from a hot
standby pool.
However: If demand is high and all the machines in the pool have been deployed, you may
have to wait the full length of time for your lab to fully deploy.
Do not click “Click here to connect”. Instructions to connect to the lab environment are in
the next lab.
Objectives
Confirm the Orchestrator and five EC-V appliances are powered on in the ESXi host.
Run the setup script to license the Orchestrator and EdgeConnect appliances.
Another copy of the ASD Topology is located on the Landing Desktop in the ASD Lab Files
folder.
Password: Speak-123
ReadyTech provides several viewing options from the Desktop drop-down menu such as Best fit,
Scale to fit, Detach window, and Full-screen mode. Use the one that works best for your display.
6. On the desktop of the Landing Desktop, open Google Chrome using its icon in the
taskbar or the desktop.
b. Click Advanced.
Speak-123
If some are in the powered-off state, turn them on one at a time.
Verify that each VM has a green powered-on icon next to it. Use the refresh button after a
couple of minutes to verify all VMs have obtained IP addresses. If any of the VMs aren’t
powered on, notify your instructor (instructor-led) or contact sp-training@hpe.com (self-paced).
16. From the Chrome browser, open a new tab and click the Orchestrator bookmark to
log in to the Orchestrator.
a. Click Advanced.
1) Return to VMware.
A) Select the checkbox next to its name
Site 1: Singapore
Site 2: Mumbai
Site 3: Santa Clara
b. Preconfigure Appliances tab lists all 5 ECVs
Task 6: Access the Landing Desktop with this Windows navigation tip
22. You can get back to the desktop quickly by clicking on the desktop icon next to the
magnifying glass (beside the Windows Start button).
This toggle button will allow you to easily hide/unhide active windows to view the lab
topology.
23. Run the ASD Setup located in the ASD Lab Files folder on the Landing Desktop.
24. Double-click ASD Setup ONCE to run the setup script.
a. Do not try to run this twice. It might take a few seconds to start.
b. You can only run this script once. It is disabled after the first run.
25. The script runs and generates a Command Prompt window.
26. When the script completes, it will display the ASD Lab 1 – Setup Log.txt file.
28. Click on the black Command Prompt window and Press any key to continue.
a. Close the Notepad file.
For our lab, you need to do all configuration and steps in this Lab Guide on the
Student Landing Desktop.
If you haven’t noticed yet, the Windows Task Bar and application windows
are dark blue-green to help indicate you are working on the Landing Desktop.
This is a visual clue that you are on the Landing Desktop and not your PC.
34. The preconfiguration process will take about 8-15 minutes to complete.
a. After 10+ minutes, appliances will show Finished under the Status column. Close
the Preconfigure Appliances Tab. There might be various Alarm boxes and blue
cloud icons next to each ECV in the Appliance Tree.
During the next 10+ minutes, the appliance tree will show the devices cycling through
various alarms from Cyan to Gold to Red. This is normal as the devices are establishing
tunnels.
Warning: Alarms / Errors may be seen after running the script to build the lab.
36. When Orchestration is complete, there should not be any tunnel errors.
NOTE: If you see you can ignore it and move on.
You can safely ignore these alarms which will disappear when the deployments are
reconfigured to add labels on the LAN interfaces.
Task 8: Verify the Orchestrator can reach the Cloud Portal and is registered
38. Open the Cloud Portal Licensing tab from the Search Menu bar next to the
Support tab: type lice
Registered: YES
HTTPS: Connected
WebSocket: Connected
Note that after reconfiguring the LAN Labels, the gateway alarm and route down for
169.254.1.254 will disappear.
2) T/F – EdgeConnect can exchange routes with a Cisco Router via Subnet Sharing
FALSE (OSPF and BGP = True)
3) T/F – In a subnet table, all else being equal, the route with the lowest metric is
preferred.
TRUE
6) Is it possible for a static route to only be applied to LAN-to-WAN traffic? If so, which
tag would it have?
YES – tag = “From_LAN”
7) T/F – An appliance can advertise a route that it doesn’t use to route traffic.
YES – An Advertise Only route (static route configured with no next hop)
8) How can you determine if an appliance has a route to a destination without testing it
with traffic?
Use the “Find Preferred Route” button in the Routes configuration screen.
9) T/F – You should always use Reset All in the flow table to make sure a connection
gets reset.
FALSE – Reset only the flows that need it.
10) T/F – “Inbound” traffic is coming from the LAN into the EdgeConnect.
FALSE (Inbound = from WAN to LAN; Outbound = from LAN to WAN)
11) T/F – An appliance uses the management routing table to route traffic between two
end devices at different sites
FALSE – Management routes table used for self-generated traffic
12) How do you make sure an appliance knows all the external IP addresses that can be
used to reach the Orchestrator?
Define the addresses and associated interfaces in Orchestrator Reachability
2) T/F: Built-in optimization policies are in the 10,000 range and will be applied to
unboosted traffic.
FALSE = Yes in that range, but not applied to unboosted traffic.
6) Is traffic matching an overlay that is boosted always treated the same? If not, why?
No, it is treated differently if it is internal (boosted through an SD-WAN tunnel) vs. external (no boost to the Internet)
7) What is the default action for traffic flowing between two different security zones?
Implicit Deny
8) T/F: A built-in route policy rule with a priority of 65506 will never be matched if there is
a manual policy with a priority of 999 that matches the same traffic.
FALSE – 65506 is a Built-in policy that will always be processed before any rules even if they have a lower priority.
3) Can more than one group of orchestrated interfaces be created with different interface
and security zone labels?
YES, multiple Loopbacks can be orchestrated with different labels and FW zones – all will come from the same pool of
addresses.
5) If you decide to use a loopback interface for management, what do you need to do for
this to work properly?
You must disable/unplug the mgmt0 interface
6) Where will a loopback interface used to manage the appliance look for routes to direct
self-originated traffic?
The data-path routes table is used when managing in-band via loopbacks
Objective
Learn how to create and distribute loopback addresses and use them to test
connectivity in a later lab.
6. There will be a major alarm on ECV-2 or ECV-3 stating that gw: 169.254.1.254 is
unreachable. This is a cosmetic alarm that occurs in our lab environment and can
safely be ignored.
NOTE: By default, the 10.0.0.0/24 subnet is added for the Orchestrator to allocate
loopback addresses from. In nearly all cases you SHOULD CHANGE THIS DEFAULT
because that subnet is likely already in use, so remember to change it to a range
appropriate for your network as demonstrated in this step, if needed.
Notice that the Orchestrator has created a loopback interface on every machine from the
configured range and assigned a /32 IP address. The host addresses for the 5 appliances are
“.1” through “.5”. Note that the addresses may not be assigned in sequential order on the
appliances.
As you can see, a loopback interface named lo20000 has been created on every
appliance and an IP address has automatically been assigned from the configured range.
Your addresses might have been assigned differently than shown here. The use of the
20,000 range for address numbering is consistent with other orchestrated objects like
route policies, which fall in the 20,000 range.
Note: You cannot edit the assigned address for orchestrated interfaces, although it is
possible to manually add additional loopback interfaces with manually assigned
addresses.
20. Write down the loopback address you created for each appliance.
a. They will most likely NOT be in the same order as the appliance name.
23. Consult the table you filled in above to get the loopback addresses of ECV-1 and ECV-5.
a. Ping ECV-5’s loopback address from ECV-1’s loopback address.
1) T/F – An EdgeConnect can snoop DNS lookups and cache the results for domain
based packet classification.
TRUE – First Packet IQ
5) T/F – It is necessary to choose at least two primary labels to load balance breakout
traffic across multiple internet service providers?
TRUE – Cannot load balance over a single link.
7) How does an appliance determine if traffic should be eligible for Local Breakout
(assuming all links are up)?
Deciding if the destination address is Internal or External
2) T/F – By default in an IP SLA Ping Address List with 3 destinations, if any one of the
destinations becomes unreachable the IP SLA will be marked DOWN, and the Down
Action will be performed.
FALSE – By default the addresses are ORed so if one is reachable, it is considered up.
3) T/F – It’s possible to configure an IP SLA to monitor reachability of a critical server via
Ping, and raise or clear an alarm, without taking any other action on the appliance.
TRUE – Raising/clearing alarms are among the available actions
4) What should you use if the website you’ve chosen to monitor for reachability blocks
ICMP traffic?
HTTP/HTTPS
Because the 10.110.x.x network is isolated and not connected to the Internet, we use
UBU-1 to simulate access to systems on the Internet.
Objective
Learn to configure a Business Intent Overlay to break out traffic that doesn’t match
the subnets internal to your network.
We’ll return to the flows table in a moment after generating some traffic.
b. Click Connect
Note: If you don’t see anything, use the clear button to clear any preselected filters in the
flow table, then refresh your view. Also, make sure you have all appliances highlighted in
the Appliance Tree.
a. Refer to your topology diagram to see where UBU-1 and TG-1011 exist in relation
to each other in the network.
b. From the command prompt on TG-1011, ping UBU-1 (11.1.1.11). We know
from the network topology that the ping will have to go through ECV-1.
13. Look at the flow in Orchestrator on the flows tab. Refresh if needed.
15. Look at the outbound tunnel for ECV-1 in the flow table – it says Policy Drop.
The flow matched the Default Overlay, as we saw above, and was dropped due to overlay internet
policy. We will examine what that means below.
You can see it’s been classified as an Internet flow, but the WAN routing is Policy drop.
Remember that our ping to the device on the internet matched the DefaultOverlay, so
we’ll start by looking at that.
24. Open the Default Overlay by going to the BIOs configuration tab: Configuration →
Overlays & Security → Business Intent Overlays
25. Click on the Breakout Traffic to Internet & Cloud Services section of the
DefaultOverlay
In the Preferred Policy Order column, the only policy is Backhaul Via Overlay.
Internet breakout (Break Out Locally) is not implemented. It is still in the Available Policies
column.
The flow was dropped because of this. As you can see, if backhaul fails, the policy
below it in the Preferred Policy order is Drop.
27. Scroll down in the window and click Cancel to close the DefaultOverlay configuration
panel.
We want to allow direct internet breakout from the branches for traffic matching the
RealTime, CriticalApps, and BulkApps overlays.
▪ However, for the DefaultOverlay, we want to backhaul traffic from Sites 1 and 2
destined for the Internet to our data center at Site 3 (where there is an upstream
firewall on the internet link).
▪ If the connections to the data center are down, then we want to allow Sites 1 & 2
to break out locally using their own local internet connections for DefaultOverlay
Traffic.
30. Click on the Backhaul policy icon for the RealTime overlay. This will bring up the
Breakout configuration screen for this overlay.
31. Drag the Break Out Locally built-in policy to the Preferred Policy Order column above
the Backhaul Via Overlay policy.
c. Click OK.
33. Configure Internet Breakout for the CriticalApps overlay the same way
a. Click OK to save.
34. Configure Internet Breakout for the BulkApps overlay the same way
a. Click OK to save.
a. Drag the Break Out Locally policy and place it below the Backhaul Via Overlay
as shown below:
b. Drag INET1 from Available Interfaces into the Primary interfaces field.
Break Out Locally is below Backhaul Via Overlay, unlike the previous BIOs. This should
cause traffic that matches this overlay to be backhauled (even internet breakout traffic) as
a first choice, and only broken out locally as a second choice if there is no route or path to
backhaul it.
Note the changes to the Breakout Traffic to Internet & Cloud Services section.
The gold-colored boxes surrounding the new configuration selections on the right mean the
changes are not yet applied.
37. Click Save and Apply Changes to Overlays in the upper left of the Business Intent
Overlays tab.
a. Return to the RDP window you opened in Task 1 of this lab for TG-1011.
b. Use the CMD (command prompt) window to retry the ping to 11.1.1.11.
To verify whether Internet Breakout can take place, the appliance needs to know if the Internet is
reachable. The Global IP SLA is used to verify Internet reachability by pinging addresses on
the Internet. By default, three targets are used: isp-ipsla.silverpeak.cloud, 8.8.8.8 and
8.8.4.4. These targets may not work in your network, or you may have a different target that
is critical to your business. You can edit the default values and enter the targets of your
choice. By default the target addresses are “OR”ed, meaning that if any one of the
addresses is pingable, the Internet is considered reachable. You can choose the “AND”
option so that all targets in the list must be reachable in order for the Internet to be considered
reachable. In the task below, you will add 11.1.1.11 to the IP address targets in the Global IP
SLA. 11.1.1.11 is the UBU-1 server, which is located on the “lab Internet”.
46. Click the edit icon next to Break Out Locally Using These Interfaces
54. If you don’t see the flow, retry the ping and refresh the display. It might be necessary
to click the Clear button also to clear any cached search filters.
Checkpoint
Which Overlay does the flow match? ______________________________________
Configuration → Networking → Tunnels → Tunnels
▪ ECV-1 will take the second choice and break out locally instead of backhauling.
▪ It will use the INET1 interface (wan1) that we configured for breakout on the
DefaultOverlay.
▪ As a result, the traffic will be sent to the next hop router on wan1, which knows
how to get to the destination subnet.
In the next task, we will configure a default route at Site 3 so that the traffic can be
backhauled as we intended.
61. From the Routes tab, select only ECV-5 in the appliance tree
Subnet/Mask: 0.0.0.0/0
Next Hop: 10.110.116.1 (this is the next hop on wan1 (INET1))
Interface: blank
Metric: 53 (not the default of 50 – we’ll see why in a moment)
Tag: ANY
67. The Route should appear in ECV-5 Routes table with a metric of 53.
69. Return to the Flows tab to look at the flows in the flow table
▪ from ECV-1 through a DefaultOverlay tunnel to ECV-5 (shown in the top two flows)
▪ Then ECV-5 is breaking the flow out using a DefaultOverlay passthrough tunnel
(shown in the bottom flow)
▪ The return traffic is coming back in through the passthrough tunnel on ECV-5
(bottom flow)
▪ And being returned to ECV-1 through the overlay tunnels (top two flows)
71. In the Appliance Tree, select ECV-5 and let’s take another look at ECV-5’s routing
table as we did above.
72. Sort on Subnet/Mask to get the default routes at the top
a. Why is ECV-5’s new static default route being used instead of the local default
route?
b. Why does it have a metric of 53?
74. Click the edit icon next to ECV-4 in one of the items in the table
Subnet/Mask: 0.0.0.0/0
Next Hop: 10.110.116.1 (this is the next hop on wan1 (INET1))
Interface: blank
Metric: 50 (the default of 50 – this is better than the metric on ECV-5)
Tag: ANY
82. Go to the Flows table and Filter the returned flow by entering “11.1.1.11” in the
Search field.
▪ from ECV-1 through a DefaultOverlay tunnel to ECV-4 (shown in the top two flows)
▪ then ECV-4 is breaking the flow out using a DefaultOverlay passthrough tunnel
(shown in the bottom flow)
▪ The return traffic is coming back in through the passthrough tunnel on ECV-4
(bottom flow)
▪ And being returned to ECV-1 through the overlay tunnels (top two flows)
a. Why is this flow now going through ECV-4 instead of ECV-5?
Answer: This happens because the route via ECV-4 has a better metric.
We have just demonstrated that the internet traffic that matches the DefaultOverlay is
being backhauled. You saw that an ICMP echo request (Ping) from TG-1011 to UBU-1
was backhauled before being broken out by the devices at Site 3.
Now let’s make sure traffic that matches a different overlay is being broken out
directly on the local machine rather than backhauled first. We’ll initiate an FTP
connection from TG-1011 to UBU-1 in this task. FTP should match a different overlay.
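The breakout decisions walked through in this lab (Global IP SLA with its OR/AND option, the Preferred Policy Order of an overlay, and the lowest-metric choice between the ECV-4 and ECV-5 default routes) can be modelled in a few lines. This is an added, simplified model written for this guide, not Orchestrator or EdgeConnect code; the constructed probe results, hub metrics and overlay orders below are taken from the lab steps, and "backhaul fails" is modelled simply as "no hub has a 0.0.0.0/0 route".

```python
"""Simplified model of the Business Intent Overlay (BIO) breakout decision.

Constructed example for this lab; it is not Orchestrator or EdgeConnect code.
It models three things the lab walks through:
  * the Global IP SLA target list with its OR (default) / AND option,
  * an overlay's Preferred Policy Order (Backhaul Via Overlay, Break Out
    Locally, Drop), evaluated top to bottom,
  * choosing the backhaul hub by lowest static-route metric
    (ECV-4 at metric 50 beats ECV-5 at metric 53).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BACKHAUL = "Backhaul Via Overlay"
BREAKOUT = "Break Out Locally"
DROP = "Drop"


@dataclass
class GlobalIpSla:
    """Targets used to decide whether the Internet is reachable."""
    targets: List[str]
    mode: str = "OR"  # default: any target up => Internet up; "AND": all must be up

    def internet_reachable(self, probe_results: Dict[str, bool]) -> bool:
        # A target missing from the probe results is treated as unreachable.
        results = [probe_results.get(t, False) for t in self.targets]
        return all(results) if self.mode == "AND" else any(results)


@dataclass
class Overlay:
    name: str
    preferred_policy_order: List[str]  # top entry is tried first


def lowest_metric_hub(default_routes: Dict[str, int]) -> Optional[str]:
    """Pick the hub whose 0.0.0.0/0 route has the lowest metric (lowest wins)."""
    if not default_routes:
        return None
    return min(default_routes, key=default_routes.__getitem__)


def breakout_decision(overlay: Overlay, backhaul_hubs: Dict[str, int],
                      sla: GlobalIpSla, probe_results: Dict[str, bool]) -> str:
    """Walk the Preferred Policy Order; return the first policy that can be honoured."""
    hub = lowest_metric_hub(backhaul_hubs)
    internet_up = sla.internet_reachable(probe_results)
    for policy in overlay.preferred_policy_order:
        if policy == BACKHAUL and hub is not None:
            return f"{BACKHAUL} (via {hub})"
        if policy == BREAKOUT and internet_up:
            return BREAKOUT
        if policy == DROP:
            return DROP
    # Nothing in the list could be satisfied: the flow table shows Policy Drop.
    return DROP


# Constructed lab data: the default Global IP SLA targets plus UBU-1 (11.1.1.11),
# the "lab Internet" host. In the isolated lab only UBU-1 answers.
LAB_SLA = GlobalIpSla(["isp-ipsla.silverpeak.cloud", "8.8.8.8", "8.8.4.4", "11.1.1.11"])
LAB_PROBES = {"isp-ipsla.silverpeak.cloud": False, "8.8.8.8": False,
              "8.8.4.4": False, "11.1.1.11": True}

DEFAULT_OVERLAY_BEFORE = Overlay("DefaultOverlay", [BACKHAUL, DROP])
DEFAULT_OVERLAY_AFTER = Overlay("DefaultOverlay", [BACKHAUL, BREAKOUT, DROP])
BULKAPPS = Overlay("BulkApps", [BREAKOUT, BACKHAUL, DROP])  # breakout first, like RealTime


def lab_walkthrough() -> Dict[str, str]:
    """Reproduce the decisions observed in the lab, in the order they happen."""
    no_hub: Dict[str, int] = {}
    both_hubs = {"ECV-5": 53, "ECV-4": 50}
    return {
        # Step 15: no Site 3 default route and Break Out Locally not in the list -> Policy Drop
        "ping_before_config": breakout_decision(DEFAULT_OVERLAY_BEFORE, no_hub, LAB_SLA, LAB_PROBES),
        # After step 37, before step 61: still no hub route, so the second choice is local breakout
        "ping_no_hub_route": breakout_decision(DEFAULT_OVERLAY_AFTER, no_hub, LAB_SLA, LAB_PROBES),
        # Step 67: ECV-5 advertises 0.0.0.0/0 with metric 53 -> backhaul via ECV-5
        "ping_ecv5_only": breakout_decision(DEFAULT_OVERLAY_AFTER, {"ECV-5": 53}, LAB_SLA, LAB_PROBES),
        # Step 82: ECV-4 adds 0.0.0.0/0 with metric 50 -> lowest metric wins
        "ping_both_hubs": breakout_decision(DEFAULT_OVERLAY_AFTER, both_hubs, LAB_SLA, LAB_PROBES),
        # FTP matches BulkApps (breakout first): goes out locally even with hubs present
        "ftp_breakout_first": breakout_decision(BULKAPPS, both_hubs, LAB_SLA, LAB_PROBES),
        # Same flow with the AND option: not every target answers, so the Internet is "down"
        "ping_and_mode": breakout_decision(DEFAULT_OVERLAY_AFTER, no_hub,
                                           GlobalIpSla(LAB_SLA.targets, "AND"), LAB_PROBES),
    }


if __name__ == "__main__":
    for step, decision in lab_walkthrough().items():
        print(f"{step:22s} -> {decision}")
```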
85. Click the FileZilla icon on the taskbar at the bottom of the window next to the start menu.
Host: 11.1.1.11
Username: student
Password: Speak-123
87. Click Quickconnect on the right.
89. At the Remote site, you should see TestFile in its remote directory (lower right).
90. Click and drag TestFile to the Local Site’s Desktop (lower left).
You may need to click the Refresh button in the Flows tab to see the FTP flow.
93. Open the flow detail for the FTP flow (click the icon in the Detail column)
a. Which overlay did it use? ___________________________
b. Which tunnel did it use? ____________________________
You should have answered BulkApps (not the DefaultOverlay like the Ping) and the
Passthrough_INET1_BulkApps tunnel. See the section of the flow detail you should
have opened below.
5) What metric is used by OSPF routers (and appliances) to determine the most
desirable path, and how is it determined?
Metric = Cost; cost is based on the bandwidth of the interface – but metrics can be reconfigured
8) What state in an OSPF peer adjacency indicates they have sent and received routing
information?
FULL = neighbors are converged and ready to route.
LAB 4: OSPF
Overview
In this lab, you will configure the appliances in Mumbai to form an OSPF adjacency with
AOS-CX-2.
Estimated time: 60 minutes
The appliances will advertise subnets learned through subnet sharing between
appliances to the Aruba AOS-CX switch and become the preferred path to optimize
traffic.
If the appliances were to go down, then the routes would no longer be advertised to
the Aruba AOS-CX switch, and it would use its native L3 routing table to
forward traffic accordingly.
Because we will have equal cost paths through both appliances in our environment,
allowing packets for a single flow to be distributed across tunnels to ECV-2 and ECV-3,
we’ll see some asymmetry in this environment.
Note: OSPF is already configured on the Mumbai LAN router, AOS-CX-2. You will only
need to add the OSPF configuration to ECV-2 and ECV-3.
Objectives
Observe some potential problems you could encounter and learn how to avoid them.
Interface: lan0
Area ID: 0.0.0.0
Admin Status: UP
10. Let’s do the same thing for ECV-3. Click on the edit icon to configure OSPF.
Router ID: 192.168.1.6
Interface: lan0
Area ID: 0.0.0.0
Admin Status: UP
a. Refresh the screen if needed. It might take a minute or two for the connections to
form.
▪ A state of Full indicates the connection to the neighbor is complete and they can
share link states with each other.
▪ Here you can see the status of each Neighbor. ECV-2 and ECV-3 each have two
neighbors. One Neighbor is AOS-CX-2 (RID 2.2.2.2), and the other neighbor is the
other appliance in the HA configuration.
It’s important to understand that subnet sharing does not occur over the HA
connection between ECV-2 and ECV-3. They can share routes on the LAN
side through their OSPF connection, however.
▪ EdgeConnect appliances currently only support a single area. In our lab, both
ECV-2 and ECV-3 are in the Backbone Area 0 (0.0.0.0).
▪ The EdgeConnect does not have to be in Area 0.0.0.0. It can be located at the
edge of the OSPF network in either a Standard Area or a Not-So-Stubby-Area
(NSSA).
We want to make sure that ECV-2 and ECV-3 are learning the 10.110.20.0 subnet
from AOS-CX-2.
25. Click on the OSPF button to filter the table for only OSPF routes
Note that both ECV-2 and ECV-3 have learned the 10.110.20.0 subnet from AOS-CX-2
(10.110.107.1).
Answer: The OSPF metric comes from adding up the link costs. There are two links
between each ECV and the 10.110.20.0 network. Each appliance uses a default link cost
of 1 for their lan0 interfaces. The AOS-CX-2 also uses a link cost of 100 for the interface
that connects to the destination subnet, and these are added together by the appliances
to determine the metric for the route.
27. Click the PuTTY icon on the taskbar of the Landing Desktop
• Password: Speak-123
30. Type show ip ospf neighbor to view the adjacencies to ECV-2 and ECV-3.
31. Type show ip route ospf to view the routes learned from ECV-2 and ECV-3.
There are six routes being learned from ECV-2 (10.110.107.101) and from ECV-3
(10.110.107.102) – each with the default OSPF Admin Distance (110) and the default
Subnet Sharing metric (50). The host addresses for the loopback networks
(10.111.111.X) have been obscured as the addresses in your network will be
different.
▪ In fact, there are equal cost routes learned for the subnet from Site 1 – Singapore
(10.110.10.0/24). Wait a second… Site 1 is not configured for OSPF. How were
these routes learned?
Answer: If you said, Subnet Sharing, then you are correct! Subnet shared routes
are redistributed into OSPF by default.
5) What are the two BGP Peer types and what is the difference between them?
Branch – used to connect to a LAN site (iBGP or eBGP); PE = connects to Service Provider router (eBGP)
6) On the Peer Configuration, what two other items should match the configured peer
type?
Inbound & Outbound route maps
7) Which state indicates that a BGP peer has connected completely and that an appliance can learn and advertise routes to it?
Established
LAB 5: BGP
Overview
In this lab, you will configure the appliances in the SANTA CLARA site to iBGP peer with the
Aruba AOS-CX-3 switch.
Estimated Time: 60 minutes
The appliances will advertise subnets learned through subnet sharing between
appliances to the router and become the preferred path for traffic coming from
TG-3511 and TG-11411.
If the appliances were to go down, then the routes would no longer be advertised to
AOS-CX-3.
In our lab, ECV-4 and ECV-5 will be iBGP peers with AOS-CX-3.
We will use iBGP configuration to illustrate a few points throughout the rest of the
course.
Currently, none of the appliances have a route to the 10.110.35.0/24 subnet on the
Site 3 LAN. AOS-CX-3 is the only one with a route to 10.110.35.0/24.
Objectives
Observe some potential problems you could encounter and learn how to avoid them.
IP/Hostname: 10.110.35.11
Options: -I 10.110.114.102
35. Click Start and let it run… it should fail.
43. Back at the BGP information screen, click Apply under the BGP Peers table
48. Back at the BGP information screen, click Save under the BGP Peers table
Note that refresh might not update the Peer State after configuring ECV-5. If this
occurs, close and then reopen the BGP tab to update the Peer State for ECV-5.
50. In the Peer State column, both ECV-4 and ECV-5 should have connections to AOS-CX-3 in the Established state.
If this is not the case, recheck your configuration to verify the local ASN, the peer IP address and ASN, and that the “…_br” route maps are being used on the peer configuration.
Note that after configuring BGP on ECV-5, you might not see the status change to “Established” after clicking the refresh button several times. To see the status change for ECV-5, click the drop-down arrow next to the Refresh button and click on “Refresh from appliance.”
51. If you need to troubleshoot, you can Click the Peer Details icon in the far-right column
of the BGP tab to see information about each appliance’s connection to AOS-CX-3.
54. Again, search for 10.110.35 to filter to only the rows that match that string.
58. Use CTRL-Click to select ECV-1, ECV-4, and ECV-5 in the appliance tree
a. Filter on 10.110.35
We can see in the Type column that the 10.110.35.0/24 routes were learned via iBGP from AOS-CX-3 (10.110.114.1) because ECV-4 and ECV-5 are BGP peers with AOS-CX-3.
We now want those routes advertised via subnet sharing in the SD-WAN fabric because ECV-1, ECV-2 and ECV-3 still need to learn them.
73. Reference the screenshot below and look at the Type column
a. ECV-1 has two equal cost routes to 10.110.35.0/24, one from ECV-4 and one from ECV-5
Hmmm… It would be useful if we could know the AS number the BGP routes originally came from after they were redistributed into Subnet Sharing.
74. On the Routes tab, Clear the Search box to view all routes
What do we see?
Note: it might take several minutes for the route filtering changes to take effect.
What if you still see that ECV-5 is learning the 10.110.35.0/24 network from
ECV-4 via Subnet Sharing including the AS# 65001?
If after 5 minutes you still see a second route on ECV-5 to 10.110.35.0/24 being learned
from ECV-4 with the AS 65001 in the Additional Info field, then you will need to
unconfigure and then reconfigure the ASN option boxes in ECV-4’s Routes config. See
steps below.
Perform the following steps ONLY IF ECV-5 is still learning a route to the 10.110.35.0/24 network from ECV-4 via Subnet Sharing that includes the AS# 65001.
C. Uncheck the two ASN options that were checked in the previous steps:
Filter Routes from SD-WAN Fabric with Matching Local ASN
Include BGP Local ASN to routes sent to SD-WAN Fabric
D. Click Save.
H. Type 10.110.35 in the search box in the routes table. Both ECV-4 and ECV-5 should only be learning the 10.110.35.0/24 network via BGP from AOS-CX-3 (10.110.114.1).
Since ECV-4 and ECV-5 are both in AS-65001, with the route map for BGP set to permit, they both advertise the subnet shared route with 65001 attached; and since they filter out routes with AS number 65001 attached, this keeps them from learning local BGP routes from each other via subnet sharing (which is technically a routing loop).
ECV-1, ECV-2 and ECV-3 are not in AS-65001 so they can learn these routes
over the SD-WAN fabric and use them to make routing decisions.
Note: Although this was a simple fix for this problem, as we’ll see later, there is
more than one way to solve this problem. In an upcoming lab, we’ll demonstrate a
different way to achieve our goal of causing routes learned directly from a local
BGP peer to be preferred over the subnet shared ones.
87. Type show bgp ipv4 unicast 0.0.0.0/0 to view the BGP sources for the default route.
AOS-CX-3 is learning default routes from ECV-4 and ECV-5, but the one from ECV-4
has the better metric (50 vs 53).
NOTE: If you are missing subnets from the other sites in AOS-CX-3’s routing table
(e.g. 10.110.10.0 and 10.110.107.0) go back and make sure you selected the
correct route maps for the BGP peer in the appliance configurations. You should
have selected the route maps ending in ‘br’ (for branch) not ‘pe’ (for a provider
edge router).
One other common error is to forget to check Next Hop Self on the BGP peer configuration in Lab 5, Task 1. This will cause learned routes not to be used by AOS-CX-3 because a route to the original next hop is not known. The next hop needs to be ECV-4 or ECV-5.
88. Type show ip route bgp to see which routes are actually used by AOS-CX-3
show ip route bgp doesn’t show all the routes learned by the router. It shows
only the ones being used.
In our example, although BGP was learning two default routes, only one is used – the
one from ECV-4 because it advertised the better metric (50 vs. 53).
The following step shows the command used to view all of the prefixes advertised
from each peer (ECV-4 & ECV-5) – this will show the best routes that are used in the
route table as well as redundant routes that do not appear in the BGP route table.
89. To view all paths learned from ECV-4, type: show bgp ipv4 unicast neighbor 10.110.114.101 paths.
90. To view all paths learned from ECV-5, type: show bgp ipv4 unicast neighbor 10.110.114.102 paths.
eLearning Students Only: Please read this section and perform tasks outlined below.
IMPORTANT NOTE:
In order to access the lab, follow the process in the video "Hands on Lab - Part B" to request
a lab voucher through the purchase portal. There is a link in the video you click on to
acknowledge that you understand the process and request a lab voucher.
(6 – 11)
2. You will be taken directly to Advanced Aruba SD-WAN Deployments (ASD) v9.2 –
PART B
• (Catalog ID: ASD v9.2 – PART B)
You will have one day (24 hours) of access time beginning when you click ‘Start the lab’. If you do not start the lab within a few hours, you will not have time to complete it.
All Aruba EdgeConnect labs are designed to be completed within 4-5 hours.
However: If demand is high and all the machines in the pool have been deployed, you may have to wait the full length of time for your lab to fully deploy.
An Action in progress message will display.
16. The Windows login screen should open in the Administrator profile. This is called the
Landing Desktop.
• Password: Speak-123
Task 4: Register and Configure the Orchestrator and ECV-1, ECV-2, ECV-3, ECV-4, and ECV-5 Using the Setup Script
Part B of this self-study lab is a continuation of Part A. You normally wouldn’t need to do the
following tasks in an existing network because all these machines would be licensed already.
In our training environment, the ASD Setup Part B script will generate new Account Name
and Account Key. It will also add them to the Orchestrator, ECV-1, ECV-2, ECV-3, ECV-4,
and ECV-5. This will associate all the devices with the same test account in the Cloud Portal
and allow Orchestrator to manage all the devices.
Note that it will take a few minutes for the script to run and then several more minutes for the
appliances to be added to the Orchestrator and then build the tunnels – take this time to read
through the remaining tasks.
Note that you will see many alarms appear and disappear. There should be no Critical
alarms when complete. You may clear any Warning alarms that remain.
21. From the ASD Lab Files folder on the Landing Desktop, open (double-click on) the ASD Setup icon.
Warning: Only run the ‘ASD Setup’ script ONCE in this Lab!
If any of the steps show “FAILURE”, send email to sp-training@hpe.com. Describe the failure
and include a screenshot.
25. If the log reports every step is a “SUCCESS” then Close the ASD_Log.txt notepad
window.
Task 5: Verify the Account Name and Account Keys on the Orchestrator
26. From Google Chrome click on the second tab, Orchestrator Login.
Note: If you do not see the Licensing section at the bottom, expand
your browser window or adjust your Zoom level.
Caution: If it lists anything other than “50 Mbps” proceed to Task 7, otherwise skip to Task 8
Do this Task only if your License does not show as “Active” and you see any “Failed to
apply appliance preconfiguration” alarms:
There should not be any red or gold errors next to them (you may need to refresh the browser)
➢ Instructional videos
➢ Course material or Lab instructions
➢ Configuration of the Orchestrator or EdgeConnect VMs.
➢ Virtual machines, in VMware ESXi, that you installed per Student as part of an exercise.
Examples:
➢ LAB HELP |ASD| Setup script fails
➢ LAB HELP |ASD| Can’t get IP Address on ECV-4
2) T/F – In an IP SLA Ping Address List with 3 destinations, if any one of the
destinations becomes unreachable the IP SLA will be marked DOWN, and the Down
Action will be performed.
FALSE – By default the addresses are ORed so if one is reachable, it is considered up.
3) T/F – It’s possible to configure an IP SLA to monitor reachability of a critical server via
Ping, and raise or clear an alarm, without taking any other action on the appliance.
TRUE – Raising/clearing alarms are among the available actions
4) What should you use if the website you’ve chosen to monitor for reachability blocks
ICMP traffic?
HTTP/HTTPS
2) T/F: A route map can be configured on the Orchestrator and pushed out to
the appliances which can use the route map.
TRUE = In a template group
5) T/F: OSPF uses inbound and outbound route maps Per Peer.
FALSE – Only BGP uses route maps on a per-peer basis
6) On a single appliance, how many active route maps can you have for:
a) Redistribution into OSPF?
b) Redistribution into Subnet Sharing?
c) Redistribution outbound into BGP?
d) Redistribution inbound from BGP?
7) T/F: Each rule in a route map must use the same Source Protocol
FALSE
8) Is the choice of set actions the same for each of the rules in every Route Map?
NO = Set actions can differ depending on the protocol
9) T/F: The default outbound BGP PE route map allows you to redistribute subnet
shared routes into BGP and then advertise them to the peer.
FALSE – Default denies subnet shared routes
An inbound route map controls what is potentially being distributed into the SD-WAN
fabric and being subnet shared between EdgeConnect appliances.
▪ Route maps that control redistribution into Subnet Sharing (the SD-WAN fabric)
are found on the Routes pages for each appliance.
▪ Route maps that control the distribution into other protocols are found on the
configuration page for each protocol.
BGP is slightly different from OSPF in that it contains inbound and outbound route
maps per Peer.
Note: BGP Peer type selection causes some filtering that is applied before the route
maps. An appliance can advertise subnet shared routes to a branch peer, but not to PE
peer. This is intended to reduce the risk of routing loops in the BGP routing domain.
Objectives
Configure route maps and observe how they affect route redistribution and metrics.
Adjust metrics for routes being redistributed by multiple appliances to cause adjacent
routers to prefer one over others.
Task 1: Adjust the advertised metrics from Subnet Sharing into BGP
ECV-4 and ECV-5 currently both learn subnets from the other appliances and redistribute
them into BGP with unchanged metrics.
In this task, we’ll adjust the outbound advertised metrics for an appliance (ECV-4) to make
the BGP peer (AOS-CX-3) prefer the other appliance (ECV-5).
This command will show the best BGP routes in its route table. Notice the equal cost
routes for the networks from ECV-4 (10.110.114.101) and ECV-5 (10.110.114.102) –
both have a metric of 50. Because they are equal cost, routes from both ECVs are
showing up in the output.
Best practice in network design is to have your routing be deterministic and
predictable.
You can see that the default route map for the BGP branch peer (the map name ends in _br) permits advertising from all sources into BGP with no changes.
15. Click on to close any open route map, peer edit and ECV-4 BGP edit windows.
Notice that:
▪ ECV-5 is the next-hop for most of the routes - advertising routes with a metric of
50. The only route learned directly from ECV-4 is its locally attached loopback
interface with a metric of 70.
10.110.20.0/24 isn’t there, but a default route is present with ECV-5 as the next-hop.
Let’s try pinging TG-2011
Because they have a higher metric (70), the routes from ECV-4 will not show up in AOS-CX-3’s route table – only the best BGP routes appear here. To verify the routes are being learned from ECV-4, you can use the show bgp ipv4 unicast neighbor 10.110.114.101 paths command.
18. Ping 10.110.20.11
That doesn’t work either. What’s different about this subnet and how it was learned?
20. Click on the edit icon for ECV-4 on the BGP tab.
21. Click the edit icon for the BGP Peer 10.110.114.1.
What is happening?
24. Click on at the top right to close the Route Map screen
26. Click on at the top right to close the BGP Information screen
28. Click on the edit icon for ECV-2 on the Routes tab.
We were right!
Although the inbound BGP route map allowed OSPF learned routes, the Subnet Sharing (SD-WAN Fabric) Route Map does not.
Let’s change that.
35. Click on at the top right to close the SD-WAN Fabric Route Redistribution Maps
screen
36. Click on at the top right to close the Routes – ECV-2 screen
As you can see, we now get the 10.110.20.0/24 subnet being advertised via Subnet Sharing. In fact, there are equal cost routes because we configured both ECV-2 and ECV-3 to redistribute them.
▪ ECV-1, ECV-4, and ECV-5 each learn one route from each of them, which is why there are two equal cost routes.
41. Return to the PuTTY session for AOS-CX-3.
42. Type: show ip route to verify AOS-CX-3 is now learning the 10.110.20.0/24 network
from ECV-4 and ECV-5.
Task 5: View the routes on the appliances to verify they come from OSPF
46. Click on the OSPF button to view only OSPF originated routes.
47. Sort by the Subnet/Mask columns with 0.0.0.0/0 default routes at the top as shown.
Notice that there are subnet shared routes for all the non-directly connected LAN
subnets in our SD-WAN that originated from OSPF being learned from both ECV-2
and ECV-3.
In fact, there are duplicates indicating ECV-2 and ECV-3 are advertising the same
subnets.
50. On the Landing Desktop, go to your RDP session to TG-1011’s desktop (If it’s not
still open, then open a new one)
53. Note the tunnels being used and then Refresh the output.
54. From the Reset Flows dropdown, select Reset All Returned
55. Click the button to confirm you want to Reset Returned Flows
56. Repeat the previous 3 steps 5-10 times until you see the Ping go towards two
different Outbound Tunnels (ECV-4 and ECV-5)
57. Let’s review the flows in Orchestrator. You will get something similar to this:
If you recall the route selection criteria: because there are equal cost routes, one is simply chosen at random.
As you can see, ECV-1 has routes via all four of the other ECVs. However, ECV-1 is forwarding traffic only to ECV-4 and ECV-5 because, even though they all have a metric of 50, the administrative distance of the subnet shared routes from ECV-4 and ECV-5 is 10, which is better than the AD of 15 for subnet shared, OSPF-originated routes.
First, we will cause tags to be added to subnet shared routes redistributed to OSPF.
61. In the appliance tree, select ECV-2 and ECV-3.
66. Let’s add an OSPF route tag of 999 to all routes that originated from subnet sharing
a. Check the box next to OSPF Tag.
b. Type the tag number 999.
c. Click Update.
67. Verify the tag was set in the Set Actions column
Task 8: Filter and view tagged routes from OSPF to Subnet Sharing
72. Select Site 3 – Santa Clara in the appliance tree
You can see there are 28/60 prefixes with a Route Tag of 999.
These are OSPF originated routes that ECV-2 and ECV-3 have shared over the SD-
WAN via subnet sharing (10.110.10.0, 10.110.35.0, 10.110.114.0 and loopbacks).
77. From the Routes Table click the edit icon for ECV-2
80. Create rule 65500 that Denies OSPF routes with the tag 999.
Priority: 65500 (so this rule is above others in the list)
Source Protocol: OSPF
OSPF Tag: (checked)
Tag value: 999
Permit: (unchecked)
83. Click on at the top right to close the SD-WAN Fabric Route Redistribution Maps
screen
84. Click on at the top right to close the Routes – ECV-2 screen
Note this does not prohibit sharing other OSPF routes learned from AOS-CX-2.
They will not have the 999 tag.
It only filters routes that originated from the SD-WAN fabric (subnet shared) that are
tagged.
Task 10: Configure Route Map to Filter on OSPF Tag 999 on ECV-3
85. Repeat the previous task for ECV-3 as well
Again, it might take a few minutes for the route tags to be propagated. Use the Refresh
button if needed.
Let’s review what you just accomplished in the last few tasks.
A. ECV-2 added a tag (999) to subnet shared routes that were redistributed into the OSPF routing domain.
B. AOS-CX-2 learns the routes from ECV-2 and adds them to its routing table.
C. ECV-3 also learns the routes from ECV-2 and adds them to its routing table.
D. AOS-CX-2 advertises routes to ECV-2 and ECV-3.
E. ECV-3 adds these routes to the routing table.
F. ECV-3 DENIES routes learned from ECV-2, tagged with 999 (originally learned from ECV-4 or ECV-5), because it is already learning them directly from AOS-CX-2. These 999 tagged routes will not be shared to other appliances via Subnet Sharing.
ECV-3 PERMITS routes learned from AOS-CX-2 because they are untagged, and advertises them into the SD-WAN fabric via subnet sharing.
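The tag-and-deny pattern from Tasks 6 through 10 and the recap above, as an added Python model that is not code from the lab guide or from Orchestrator: a first-match route map evaluator carrying the two maps ECV-2 and ECV-3 use. Only the tag 999, the rule priority 65500 and the protocol names come from the guide; the rule numbers 1000 and 65535, the lower-number-first evaluation order and deny-on-no-match are assumptions.

```python
"""Model of the OSPF and SD-WAN fabric route maps from this lab (added example).

ECV-2 and ECV-3 set OSPF tag 999 on subnet shared routes they redistribute into
OSPF, then deny OSPF routes carrying tag 999 when redistributing from OSPF back
into the SD-WAN fabric, so a route cannot loop back in through AOS-CX-2.
Rule numbers other than 65500, the evaluation order and the no-match behaviour
are assumptions made for this model.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    source_protocol: str          # "SS" (subnet shared), "OSPF", "BGP", ...
    learned_from: str
    ospf_tag: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    priority: int                           # lower number evaluated first (assumption)
    source_protocol: Optional[str] = None   # None matches any source protocol
    match_ospf_tag: Optional[int] = None    # None means the tag box is not checked
    permit: bool = True
    set_ospf_tag: Optional[int] = None      # set action applied to permitted routes

    def matches(self, route: Route) -> bool:
        if self.source_protocol is not None and self.source_protocol != route.source_protocol:
            return False
        if self.match_ospf_tag is not None and route.ospf_tag != self.match_ospf_tag:
            return False
        return True


def evaluate(route: Route, rules: List[Rule]) -> Optional[Route]:
    """Return the route as it would be redistributed, or None if it is denied.

    Rules are tried in ascending priority and the first match decides; a route
    matching no rule is denied (assumption for this model).
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(route):
            continue
        if not rule.permit:
            return None
        if rule.set_ospf_tag is not None:
            return replace(route, ospf_tag=rule.set_ospf_tag)
        return route
    return None


# Tasks 6/7 on ECV-2 and ECV-3: subnet shared routes going into OSPF get tag 999.
# Priorities 1000 and 65535 are assumed numbers.
OSPF_REDISTRIBUTION_MAP = [
    Rule(priority=1000, source_protocol="SS", permit=True, set_ospf_tag=999),
    Rule(priority=65535, permit=True),
]

# Tasks 8/10 on ECV-2 and ECV-3: rule 65500 denies OSPF routes tagged 999 ahead of
# an assumed permit-everything catch-all, so untagged routes from AOS-CX-2 still pass.
FABRIC_REDISTRIBUTION_MAP = [
    Rule(priority=65500, source_protocol="OSPF", match_ospf_tag=999, permit=False),
    Rule(priority=65535, permit=True),
]


def round_trip(route: Route) -> Optional[Route]:
    """Follow a route ECV-2 shares into OSPF and AOS-CX-2 hands back to ECV-3.

    Returns what ECV-3 would share into the fabric again, or None when its map
    dropped it (the loop prevention the lab sets up).
    """
    into_ospf = evaluate(route, OSPF_REDISTRIBUTION_MAP)
    if into_ospf is None:
        return None
    # AOS-CX-2 re-advertises the tagged route, so it now arrives at ECV-3 as OSPF.
    back_from_ospf = replace(into_ospf, source_protocol="OSPF", learned_from="AOS-CX-2")
    return evaluate(back_from_ospf, FABRIC_REDISTRIBUTION_MAP)


if __name__ == "__main__":
    # Constructed sample routes modelled on the lab topology.
    shared = Route("10.110.35.0/24", "SS", "ECV-4")
    local = Route("10.110.20.0/24", "OSPF", "AOS-CX-2")
    print("tag set:", evaluate(shared, OSPF_REDISTRIBUTION_MAP))
    print("round trip:", round_trip(shared))                      # None: denied by 65500
    print("untagged OSPF:", evaluate(local, FABRIC_REDISTRIBUTION_MAP))
```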
89. View the routes on ECV-4 and ECV-5 on the Routes tab.
If you select ECV-4 and ECV-5 in the appliance tree, you can see that the prefixes
learned for subnets at Site 3 are learned only from devices that have direct knowledge
of those subnets.
10.110.107.0: learned via SS from ECV-2 & ECV-3
10.110.35.0: learned via BGP from AOS-CX-3
10.110.20.0: learned via SS from ECV-2 & ECV-3
▪ because ECV-2 and ECV-3 are allowed to redistribute those into the
SD-WAN fabric. They were sourced from AOS-CX-2 and were not
tagged with 999.
10.110.10.0: learned via SS from ECV-1
Note: AOS-CX-2 applies a metric of 100 on the gigabit ethernet interface (1/1/2) for
OSPF routes. The ECVs use a metric of 1 for gigabit ethernet. The 10.110.20.0/24
routes reflect the AOS metric values.
Takeaways:
Each route map rule has match criteria, including source protocol, subnet/address,
and other items that depend on the source protocol.
Each rule can Permit or Deny routes to be distributed into a destination protocol.
Each rule has its own Set Actions applied to Permitted routes which vary by
destination protocol.
2) T/F: In a region using a BIO configured with a Regional Mesh topology, non-hub
devices will only connect to Hubs in that region.
False = devices in a region will all connect to each other via Mesh. Hub will be used to connect to other regions.
3) H2 loses its connection to H4. Can traffic be routed from devices in Region B to
Region C via Region A?
No. Transit Regions not possible.
4) All devices use the default subnet sharing metric. What is it when:
a) H1 learns routes connected to A1?
50
LAB 7: Regions
Overview
Regional routing, when enabled, allows you to manage your SD-WAN fabric by dividing it up into segments called regions. It involves intra-region (within a region) and inter-region (between two regions) route distribution across the SD-WAN fabric.
Estimated time: 60 minutes
When regional routing is enabled, hubs can re-advertise routes learned from non-
hubs to other non-hubs that are also part of that region using subnet sharing. This is
quite different than the way hubs behave when regional routing is disabled. When
regional routing is disabled, hubs will not advertise routes learned via subnet sharing
to other devices.
You can provide different Business Intent Overlays for each region by enabling regional routing and customizing BIOs per region.
Objectives
Observe how this affects propagation of routes within and between regions
4. Click Save
6. Click Save
8. Click Save
The three Regions you just created now appear in the Regions list.
9. Click Close
22. Click OK
26. Click OK
40. REPEAT these steps to add ECV-2 and ECV-3 to the Mumbai region
41. REPEAT these steps to add ECV-4 and ECV-5 to the Santa_Clara region
Why do you suppose the ping is failing? Let’s look at the routes on ECV-5:
There is no longer a route to the 10.110.10.0 subnet (refresh if needed to see the update).
In fact, ECV-5 is not learning routes via subnet sharing from any other appliances
although it was previously learning routes from all of them.
Why is this?
ANSWER: All the appliances are still part of all overlays and all overlays use a mesh
topology. Let’s check on the effect on tunnel formation.
b. ECV-4 and ECV-5 are connected via tunnels and can subnet share.
Answer: This only happens if regional routing is enabled. Until regional routing is enabled,
no appliance will re-advertise any routes it learns from another appliance. We will enable
this in the next task.
65. Sort on the Start Time column to view most recent events at the top.
You can see that enabling regional routing allows devices to redistribute subnets.
69. ECV-5 isn’t learning any routes from the hub in the SANTA CLARA region (ECV-4)!
▪ Filter Routes from SD-WAN Fabric with Matching Local ASN keeps the local appliance from using the routes that it learns from other appliances if they include the local ASN.
▪ Include BGP Local ASN to routes sent to SD-WAN Fabric causes all routes (not just BGP originated routes) to include the local ASN (65001 for ECV-4 and ECV-5).
Therefore, ECV-5 is filtering the routes it learns from the hub ECV-4 because they contain the local ASN!
In the next task we will solve this problem and learn a way to use Admin Distance to
eliminate the BGP routing issue we solved with one of the checkboxes above.
We were using AS numbers to do filtering before, but now we will accomplish the
same objective by adjusting Administrative Distance.
In this task, we will make the metric for BGP routes learned via subnet sharing less
preferred than the ones learned locally from the BGP peer. This solves the problem
we had in the BGP lab where the subnet shared routes were preferred over the routes
to the same prefixes learned directly from AOS-CX-3. It also allows ECV-4 and ECV-5
to advertise BGP routes to each other. This is important because if either appliance
were to lose connectivity to AOS-CX-3 (e.g. if lan0 on either appliance went down),
then it would still be able to reach the 10.11.35.0 and 10.110.114.0 subnets via the
other appliance.
86. Sort on the Subnet/Mask column header by networks with 10.110.10.0/24 at the top
Note that ECV-4 is now learning routes to the 10.110.35.0 prefix both from iBGP via AOS-CX-3 and subnet sharing from ECV-5.
Question: ECV-4 is learning the routes from ECV-5 with a metric of 250 and from
AOS-CX-3 with a metric of 250. Which route will be preferred by ECV-4?
Answer: The ones from AOS-CX-3 with a metric of 250 because they have the lower
admin distance (200 vs. 201).
87. Let’s check the Routing Table for ECV-5. Select only ECV-5 in the appliance tree.
88. On the Routes tab, click the SD-WAN Fabric button (top center) to show only routes
learned via Subnet Sharing.
For example, the 10.110.107.0 subnet was learned by ECV-4 with a metric of 50 from each of ECV-2 and ECV-3. When ECV-4 advertises the 10.110.107.0 subnet to ECV-5, it advertises it with a metric of 100 (50+50). If ECV-4 were to stop learning the route via ECV-2, but still learn it with a metric of 60 from ECV-3, then it would advertise the route to ECV-5 with a metric of 110 (50+60).
Important lesson:
Remember back in BGP Lab 5, the appliances preferred the subnet shared BGP
routes to the ones learned directly from a peer.
To solve this, we just checked a couple of boxes (Filter Routes from SD-WAN Fabric
with Matching Local ASN and Include BGP Local ASN to routes sent to SD-WAN
Fabric) and got rid of the suboptimal routing we had.
That solution works well where you have two fully meshed peers connecting to all the
appliances at other sites.
However, once we introduced regional routing, those same two appliances (ECV-4 and ECV-5) were no longer peered in a full mesh, because ECV-4 is a hub and ECV-5 is not. ECV-5 now needs to learn routes from ECV-4, which the Filter Routes from SD-WAN Fabric with Matching Local ASN option prevented.
Our original solution wasn’t wrong; it just no longer worked in our new regional network topology. Regional routing changes the way the network operates, and you need to be aware of the effects.
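Route selection by admin distance, the extra 50 a hub adds when it re-advertises a subnet shared route (the 10.110.107.0 example above), and why the two ASN checkboxes from Lab 5 stop working once ECV-4 is a hub, as an added Python model that is not code from the lab guide or from the product. The values (AD 200 for iBGP and 201 for BGP routes learned via subnet sharing, metric 250, default subnet sharing metric 50, ASN 65001) come from the guide; the data model, the function names and the AD assumed for non-BGP subnet shared routes are my own assumptions.

```python
"""Route selection and hub re-advertisement as described in Lab 7 (added model).

Shows three things from the guide: best path by (admin distance, metric), the
+50 a hub adds when re-advertising a subnet shared route, and why the "Filter
Routes from SD-WAN Fabric with Matching Local ASN" option leaves ECV-5 with no
routes from hub ECV-4 when the hub also attaches the local ASN.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SS_METRIC = 50          # default subnet sharing metric (from the guide)
BGP_VIA_SS_AD = 201     # AD for BGP routes learned via subnet sharing (from the guide)
OTHER_SS_AD = 15        # assumed AD for the non-BGP subnet shared routes used below


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    protocol: str                    # "iBGP" or "SS" (subnet shared)
    ad: int
    metric: int
    as_path: Tuple[int, ...] = ()    # ASNs attached to the route, if any


def best_routes(routes: List[Route]) -> Dict[str, List[Route]]:
    """Per prefix, keep routes with the lowest (AD, metric); ties stay as equal cost."""
    best: Dict[str, List[Route]] = {}
    for r in routes:
        held = best.get(r.prefix)
        if held is None or (r.ad, r.metric) < (held[0].ad, held[0].metric):
            best[r.prefix] = [r]
        elif (r.ad, r.metric) == (held[0].ad, held[0].metric):
            held.append(r)
    return best


def hub_readvertise(hub_table: List[Route], hub: str,
                    local_asn: Optional[int] = None) -> List[Route]:
    """What a hub sends to the non-hubs in its region with regional routing on.

    A subnet shared route goes out with the hub's best metric plus SS_METRIC
    (50+50=100 in the guide); a locally learned BGP route keeps its metric (250)
    and is received with AD 201. With local_asn set, the "Include BGP Local ASN"
    option is on and every route carries the hub's ASN.
    """
    out: List[Route] = []
    for prefix, cands in best_routes(hub_table).items():
        b = cands[0]
        if b.protocol == "SS":
            ad, metric = b.ad, b.metric + SS_METRIC
        else:
            ad, metric = BGP_VIA_SS_AD, b.metric
        path = b.as_path + ((local_asn,) if local_asn is not None else ())
        out.append(Route(prefix, hub, "SS", ad, metric, path))
    return out


def filter_matching_local_asn(routes: List[Route], local_asn: int) -> List[Route]:
    """The "Filter Routes from SD-WAN Fabric with Matching Local ASN" checkbox."""
    return [r for r in routes if local_asn not in r.as_path]


def ecv4_table(ecv2_up: bool = True, ecv3_metric: int = 50) -> List[Route]:
    """Constructed ECV-4 routing table modelled on steps 86-88 of this task."""
    table = [
        Route("10.110.35.0/24", "AOS-CX-3", "iBGP", 200, 250),
        Route("10.110.35.0/24", "ECV-5", "SS", BGP_VIA_SS_AD, 250),
        Route("10.110.107.0/24", "ECV-3", "SS", OTHER_SS_AD, ecv3_metric),
        Route("10.110.10.0/24", "ECV-1", "SS", OTHER_SS_AD, 50),
    ]
    if ecv2_up:
        table.append(Route("10.110.107.0/24", "ECV-2", "SS", OTHER_SS_AD, 50))
    return table


def ecv5_learns_from_hub(filter_on: bool, include_asn: bool) -> List[Route]:
    """Routes ECV-5 keeps from hub ECV-4 under the ASN-checkbox and AD approaches."""
    adverts = hub_readvertise(ecv4_table(), "ECV-4", 65001 if include_asn else None)
    return filter_matching_local_asn(adverts, 65001) if filter_on else adverts


if __name__ == "__main__":
    print("ECV-4 best for 10.110.35.0/24:", best_routes(ecv4_table())["10.110.35.0/24"])
    print("ASN checkboxes on:", len(ecv5_learns_from_hub(True, True)), "routes from hub")
    print("AD approach      :", len(ecv5_learns_from_hub(False, False)), "routes from hub")
```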
1) T/F – If an interface leading to the internet is hardened, local traffic will need to be
backhauled to a data center through a tunnel to connect to Google.
TRUE = only SD-WAN traffic allowed through Harden (no breakout allowed)
2) T/F – No traffic of any kind is allowed into a hardened interface outside of an IPsec
tunnel.
FALSE – Cloud Portal DNS and DHCP traffic allowed
4) T/F – All the appliances in a network can simultaneously change to a new IPsec
encryption key on a predetermined schedule.
YES – Key Rotation can be scheduled
6) Is it possible to limit the address spaces from which logins to Orchestrator are
allowed?
YES – use an Allowed List
1) What is the default action taken for INTER-zone traffic (between devices in different
zones)?
Implicit Deny
3) When all interfaces and overlays are in the default zone, will the default security
policies always permit traffic to flow between all interfaces and across the WAN
through tunnels between appliances?
YES – all intra-zone traffic is allowed
6) You configure a new rule in a security policy. Some time later, a problem is reported.
What can you do to test whether your new rule caused the problem without deleting
it?
Disable the rule without deleting it
7) How can you tell which rule in a security policy was matched for a flow?
Check the flow details
8) In the flow table, what's a quick way to tell at a glance that a flow was dropped?
All dropped flows are displayed in red font
9) What's a quick way to find only those flows dropped by the firewall in the flow table?
Use the Firewall Dropped filter
The various tasks in this lab are designed to show how the ZBF works within the constraints of
our lab environment, not necessarily to illustrate best practices for a production network.
Objectives
Configure security policies that permit certain traffic, but deny other traffic.
Mumbai
Santa_Clara
INTERNET
6. Click Save
Note: It’s important that you add your zones in the order shown so that later security policy
configuration tasks match what you see in this student guide. Failure to do so might make
your configuration tasks more difficult to match to the directions.
7. In Orchestrator, open the Templates tab: Configuration → Templates & Policies → Templates
Santa_Clara Zone
1. Deny users at Santa Clara access to external FTP sites, but allow everything else.
Mumbai Zone
1. Allow access for all protocols to connect to UBU-1
2. Allow FTP access to TG-11411
Singapore Zone
1. Allow access for all protocols to connect to UBU-1
2. Allow FTP access to TG-11411
Note: the policies we create to satisfy the requirements of this lab are only one feasible
way to solve the problem. There are many ways to accomplish the same thing. The
solution we'll implement here is not necessarily a set of best practices; it is just
intended to illustrate how the ZBF works and some of the ways it can be used.
Santa_Clara Zone
15. Deny users at Santa Clara access to external FTP sites, but allow everything else.
• The first requirement is to deny users at Santa Clara access to external FTP sites.
• The second requirement is to allow all other traffic.
The Edit Rules screen appears. This creates two default rules for you.
The first one (1000) matches everything and allows it.
The second rule (65535) is a default Deny that matches everything.
Any traffic that isn’t explicitly permitted by a previous rule will be dropped by
matching this one.
19. Under the Action column, click the drop-down for rule 1000 and change it to Deny
20. Additionally, to meet the second part of the requirement, change the action of the
default rule 65535 to Allow
Based on these rules, FTP traffic will be denied and any other application will be allowed.
21. Click OK
Remember - Firewall rules are stateful, so return traffic is also allowed.
Mumbai Zone
16. There are two rules needed to fulfill the requirements for Mumbai.
• Allow access for all protocols to connect to UBU-1
• Allow FTP access to TG-11411
The Edit Rules screen appears. This creates two default rules for you.
The first one (1000) matches everything and allows it.
The second rule (65535) is a default Deny that matches everything.
Any traffic that isn’t explicitly permitted by a previous rule will be dropped by
matching this one.
d. Click Save
20. Under the Action column, verify rule 1000 is configured to Allow
Singapore Zone
Note: No changes are required for Santa Clara. It is denied FTP access to INTERNET, but
the second rule allows it to access everything, including 11.1.1.11, using any other application
(as long as it is not FTP).
Mumbai and Singapore have 2 "Allow" rules To INTERNET, and Santa_Clara has 1 "Allow" rule
To INTERNET.
The steps for the optional exercise are located in Task 9.
Host: 10.110.20.11
Username: anonymous
Password: Speak-123
b. Or click the Quickconnect drop-down and select anonymous@TG-2011
39. Configure all LAN and WAN interfaces for their security zone as illustrated in the
Topology Diagram.
ECV-1 Singapore
ECV-2 and ECV-3 Mumbai
ECV-4 and ECV-5 Santa_Clara
42. Return to the Remote Desktop session on the Landing Desktop to TG-1011
47. Click on the Clear button, in case you have any filters applied
OPTIONAL Exercise
Task 9: Configure policies for the Mumbai zone (optional – time permitting)
This time, you will allow anything in the File_Sharing application group to access all
devices in TG-3511’s subnets.
52. Click on the intersection From Mumbai and To Santa_Clara and add a new rule.
You should now see the new rule Allow: File_Sharing, 10.110.35.0/24
DefaultOverlay
Flow Details indicate the flow was dropped because of an implicit Deny for traffic From
Singapore – To Santa_Clara.
62. Open a Cifs_smb connection from TG-2011 to TG-3511
The connection should be successful.
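The zone-based firewall behaviour this lab walks through (implicit inter-zone deny, intra-zone allow, first-match ordering with the 1000/65535 default rules, the Santa_Clara, Mumbai and Singapore rules, the Task 9 File_Sharing rule, and stateful return traffic), modelled as an added Python example that is not part of the lab guide or of Orchestrator. The UBU-1 and TG-11411 addresses, the File_Sharing group members and the 1010 priority of the second Mumbai/Singapore rule are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values: the page does not list these addresses or the group members.
UBU_1 = "192.0.2.10"       # placeholder for UBU-1
TG_11411 = "192.0.2.11"    # placeholder for TG-11411
FILE_SHARING = frozenset({"ftp", "cifs_smb"})  # assumed File_Sharing group members

@dataclass(frozen=True)
class Rule:
    priority: int            # lower number is matched first; 65535 is the default rule
    action: str              # "allow" or "deny"
    apps: frozenset = None   # None = any application
    dst_nets: tuple = ()     # () = any destination

    def matches(self, app, dst_ip):
        if self.apps is not None and app not in self.apps:
            return False
        return not self.dst_nets or any(ip_address(dst_ip) in n for n in self.dst_nets)

class ZoneFirewall:
    """From-zone/To-zone rule matrix: intra-zone traffic is allowed, inter-zone
    traffic with no matching rule is implicitly denied, and allowed flows are
    recorded so that return traffic passes (the rules are stateful)."""

    def __init__(self):
        self.matrix = {}     # (from_zone, to_zone) -> [Rule, ...]
        self.flows = set()   # (from_zone, to_zone, app, src_ip, dst_ip) of allowed flows

    def add_rule(self, from_zone, to_zone, rule):
        self.matrix.setdefault((from_zone, to_zone), []).append(rule)

    def evaluate(self, from_zone, to_zone, app, src_ip, dst_ip):
        """Return (action, reason) for a new packet and update the flow table."""
        if (to_zone, from_zone, app, dst_ip, src_ip) in self.flows:
            return "allow", "return traffic of an established flow"
        if from_zone == to_zone:
            verdict = ("allow", "intra-zone default")
        else:
            verdict = ("deny", "implicit inter-zone deny")
            for rule in sorted(self.matrix.get((from_zone, to_zone), []),
                               key=lambda r: r.priority):
                if rule.matches(app, dst_ip):
                    verdict = (rule.action, f"rule {rule.priority}")
                    break
        if verdict[0] == "allow":
            self.flows.add((from_zone, to_zone, app, src_ip, dst_ip))
        return verdict

def build_lab_policy():
    fw = ZoneFirewall()
    # Santa_Clara -> INTERNET: rule 1000 changed to Deny FTP, default 65535 changed to Allow
    fw.add_rule("Santa_Clara", "INTERNET", Rule(1000, "deny", frozenset({"ftp"})))
    fw.add_rule("Santa_Clara", "INTERNET", Rule(65535, "allow"))
    # Mumbai and Singapore -> INTERNET: any protocol to UBU-1, FTP to TG-11411 (assumed
    # priority 1010), then the default Deny
    for zone in ("Mumbai", "Singapore"):
        fw.add_rule(zone, "INTERNET", Rule(1000, "allow", None, (ip_network(UBU_1),)))
        fw.add_rule(zone, "INTERNET", Rule(1010, "allow", frozenset({"ftp"}), (ip_network(TG_11411),)))
        fw.add_rule(zone, "INTERNET", Rule(65535, "deny"))
    # Task 9: Mumbai -> Santa_Clara allows the File_Sharing group to TG-3511's subnet
    fw.add_rule("Mumbai", "Santa_Clara",
                Rule(1000, "allow", FILE_SHARING, (ip_network("10.110.35.0/24"),)))
    return fw
```

Evaluating a Singapore to Santa_Clara SMB flow returns the implicit inter-zone deny the Flow Details show, while the same flow from Mumbai matches the Task 9 rule.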
1) T/F: With Flow Redirection the EdgeConnect appliances tell the routers to redirect
traffic to the correct appliance.
FALSE – the appliances notify each other of which flows they own
4) T/F: Flow redirection peers should be in different subnets for high availability reasons.
FALSE – they must be on the same subnet
7) T/F: In Current Flows, redirected flows will be marked as such on the redirecting (non-
owning) peer.
FALSE – redirected flows only show up on the appliance that owns the flow
Objective
Learn to enable segmentation and configure your segmented network. After that, you
will learn how segmentation has affected routing and reachability, as mentioned in the
previous lab.
4. Click Shutdown in the confirmation box. The appliance will then shut down.
7. Open the Apply Template Groups tab: Configuration → TEMPLATES & POLICIES →
Apply Template Groups
8. Click on the box under the Remove column for ZBF Policies
9. Click Apply
11. Reconfigure the Firewall Zone for LAN and WAN interfaces back to default.
Until you change it, all interfaces, routes, etc. are part of the same segment, called
Default. This will not change until you add additional segments and change the
appliance configurations.
31. Select Seg_A from the list to assign the lan0 interface to Seg_A.
Note that for the WAN interfaces, the segment selection is grayed out. WAN interfaces are
hardcoded to the Default segment and cannot be changed.
37. Click the refresh button on the Routing Segmentation (VRF) tab.
Notice that there are now two appliances with interfaces in Seg_A.
The number of appliances with interfaces in Default segment hasn’t changed. This is because
ECV-4 still has WAN interfaces in the Default segment.
38. If you followed the steps above, you have split ECV-1 and ECV-4 into two segments:
43. On the segment filter drop-down, click on Seg_A, then click Apply
Because lan0 on ECV-4 is in Seg_A, the existing BGP connection to AOS-CX-3 originally
configured in the Default segment is now down. Therefore, AOS-CX-3 no longer has a
route to the 10.110.10.0/24 subnet, so it doesn’t forward the flow to ECV-4. This is why
the flow doesn’t show up in the Flows table.
Enable BGP:
Autonomous System Number 65001
After reconfiguring the BGP peer in Seg_A, the connection is again Established. Why
is AOS-CX-3 still not learning any routes from ECV-4?
Remember that segmentation separates not only the physical routing but also the logical
transport domains. From the Flow Details we can see that the Source and Destination
Segments are both Seg_A.
You can now see that ECV-1 and ECV-4 are learning their local routes from each
other in Segment Seg_A.
2) T/F – It is not a problem if the minimum bandwidth percentage for all traffic classes
adds up to more than 100%.
FALSE – it can result in the lowest priority class being starved
3) T/F: It is possible to configure the Shaper using only Excess Weighting values (no
minimum bandwidth assigned).
TRUE – no class is guaranteed a % of bandwidth, but bandwidth is always divided up according to the weights
4) What is the most efficient method to assign QoS Shaper policies to the individual
appliances?
Configure the Shaper template and apply the template group to the appliances
6) You can create custom traffic classes. What is the total number of traffic classes
allowed in the shaper configuration?
10
Objectives
Calculate the shaper requirements for all current traffic classes plus one more that will
be used for FTP traffic only.
Create a custom traffic class in the Shaper that will be used by FTP traffic
Enter minimum bandwidth and excess weighting shaper values for each traffic class
Create a custom BIO that matches only FTP and uses the BackupUpdate traffic class
In this exercise, you determine the minimum bandwidth and excess weighting values for each
of the traffic classes. It is assumed that only Backups and Software Updates use FTP.
The BackupUpdate traffic class is used for backup and software update background jobs.
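The shaper semantics the quiz above describes (minimums that add up to more than 100% starve the lowest priority class; excess weighting alone divides the bandwidth by weight; Max Bandwidth % caps a class), as an added Python model that is not the lab's or the EdgeConnect shaper's actual algorithm. The five class names and priorities come from the lab's Shaper table; the min/weight values, demands and 1 Mbps link are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TrafficClass:
    name: str
    priority: int           # 1 = highest; served first when guarantees are oversubscribed
    min_pct: float = 0.0    # Min Bandwidth %: share of the link guaranteed to the class
    weight: int = 1         # Excess Weighting: share of the leftover bandwidth
    max_pct: float = 100.0  # Max Bandwidth %: rate limit (100 = not rate limited)

def min_oversubscribed(classes):
    """True when the Min Bandwidth % values add up to more than 100%."""
    return sum(c.min_pct for c in classes) > 100.0

def shape(classes, link_kbps, demand_kbps):
    """Allocate link_kbps among classes given each class's offered load (kbps).
    Assumed two-phase model: phase 1 honours Min Bandwidth % in priority order,
    phase 2 splits what is left by Excess Weighting, refilling when a class
    reaches its demand or its Max Bandwidth % cap."""
    def cap(c):  # the most a class can ever be given
        return min(demand_kbps.get(c.name, 0.0), c.max_pct / 100.0 * link_kbps)

    alloc = {c.name: 0.0 for c in classes}
    remaining = float(link_kbps)
    # Phase 1: if the minimums sum to more than 100%, the link runs out before the
    # lowest priority classes are reached and they get nothing here.
    for c in sorted(classes, key=lambda c: c.priority):
        give = min(c.min_pct / 100.0 * link_kbps, cap(c), remaining)
        alloc[c.name] += give
        remaining -= give
    # Phase 2: weighted sharing of the excess; classes at their cap drop out and
    # their unused share goes to the others.
    while remaining > 1e-9:
        hungry = [c for c in classes if c.weight > 0 and alloc[c.name] + 1e-9 < cap(c)]
        if not hungry:
            break
        total_weight = sum(c.weight for c in hungry)
        given = 0.0
        for c in hungry:
            give = min(cap(c) - alloc[c.name], remaining * c.weight / total_weight)
            alloc[c.name] += give
            given += give
        remaining -= given
    return alloc

# Class names and priorities from the lab's Shaper table; min/weight values are
# constructed for the two scenarios and are not the lab's values.
WEIGHTS_ONLY = [            # quiz Q3: no minimums, bandwidth split purely by weight
    TrafficClass("RealTime", 1, 0, 40), TrafficClass("CriticalApps", 2, 0, 30),
    TrafficClass("BulkApps", 3, 0, 10), TrafficClass("Default", 4, 0, 10),
    TrafficClass("BackupUpdate", 5, 0, 10),
]
OVERSUBSCRIBED = [          # quiz Q2: minimums add up to 120%
    TrafficClass("RealTime", 1, 30, 40), TrafficClass("CriticalApps", 2, 30, 30),
    TrafficClass("BulkApps", 3, 20, 10), TrafficClass("Default", 4, 20, 10),
    TrafficClass("BackupUpdate", 5, 20, 10),
]

if __name__ == "__main__":
    saturated = {c.name: 1000.0 for c in WEIGHTS_ONLY}  # every class offers 1 Mbps on a 1 Mbps link
    print(shape(WEIGHTS_ONLY, 1000, saturated))    # RealTime 400, CriticalApps 300, others 100
    print(shape(OVERSUBSCRIBED, 1000, saturated))  # BackupUpdate is starved: 0
```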
RealTime 1 100
CriticalApps 2 100
BulkApps 3 100
Default 4 100
BackupUpdate 5 100
There are four traffic classes created by default – one for each of the preconfigured BIOs.
You will create a fifth traffic class that will shape traffic for the BackupUpdate BIO that will be
created next.
It is possible to configure the QoS Shaper individually on each appliance. Since all
appliances will be using the same configuration settings, you will create a template group for
the QoS Shaper and use it to push the QoS configuration to all appliances.
8. Click to highlight Shaper in Active Templates – the Shaper configuration table will
appear to the right.
Note the default values for the four traffic classes.
9. In row 5 click UNUSED5 in the Traffic Name column and change the name to
BackupUpdate.
11. Next click the Excess Weighting field for the RealTime traffic class and enter the
value from the Shaper table.
12. Repeat Steps 10 – 11 for the CriticalApps, BulkApps, Default and BackupUpdate
traffic classes.
13. BulkApps will not be rate limited. Click on the Max Bandwidth % field and change it
to 100 to match the Shaper table.
18. Click Apply Template Groups in the bottom left of the Template Groups window.
25. Click on SD-WAN Traffic to Internal Subnets for the BackupUpdate BIO.
We don’t need to worry about setting the Breakout Traffic to Internet & Cloud Services
because all the backup and update traffic will be internal.
42. In the BIOs tab, click and hold the “=” just below 5 in the Priority column and drag
BackupUpdate up to priority 4. If left at priority 5, nothing would ever match as
everything matches the DefaultOverlay.
Currently priority 1040 in the BulkApps Overlay ACL matches on FTP. Because the BulkApps
BIO is evaluated before the BackupUpdate BIO (it has a lower priority number), none of the
FTP traffic will reach the BackupUpdate BIO. To allow the FTP traffic to be shaped using the
traffic class in the BackupUpdate BIO, you must delete the FTP rule from the BulkApps BIO.
43. Remove FTP from the Overlay ACL in the BulkApps BIO.
52. Right-click ECV-1 in the Appliance Tree and click Appliance Manager
The settings should match what was used when the Shaper Template was configured.
In this lab the basics of creating a new traffic class, configuring shaper values and
applying the shaper policies to all appliances using a Template Group are covered.
Because high volumes of traffic cannot be generated in this lab, we are unable to view the
effects of the QoS configuration.
3) T/F: After applying the Advanced Security license to an appliance, it is ready to start
inspecting traffic.
FALSE – you must apply the IDS/IPS mode for the appliance
4) T/F: Like Boost, the Advanced Security license is optional and is applied in the same
manner as Boost licensing.
FALSE - Advanced Security licenses are enabled per appliance, not per BIO.
Objectives
6. With the All button selected, verify that the Advanced Security license has been
configured and granted for ECV-1.
The status will remain “Not Enabled” until the security policies are configured for
inspection.
Adding inspection rules to the ZBF Policies is not covered in this lab.
_______________________
3. You will need this code for the next two days
5. On the Login page enter the access code your instructor gave you.
6. Click Login
2. The following directions will help you match the lab environment to your keyboard.
6. Note: only if you can't type 'keyboard settings' in the search box, do the following (if
you were able to search for keyboard settings, skip to the next step).
8. Mouse over the small tab that appears at the top of the page. It will expand. Under
‘Keys’, select ‘Open onscreen keyboard’.
9. Click Start again if needed and then drag the onscreen keyboard over the search
menu. Click on the keys to input ‘keyboard settings’ as described above.
18. Click OK
19. Click OK
21. In the bottom right of the Landing Desktop in your browser window, Click on EN
22. Click to select your new language (in this case French)
With some keyboards, you might need to enter the Fn (Function) key and the F1 key
together.
30. After the EdgeConnect is done rebooting, note the IP address at the top of the console
window.
You need to wait about 2 minutes before the EdgeConnect accepts HTTPS connection
attempts.
31. Open a Google Chrome tab, enter https:// followed by the IP address from step 7,
and then press Enter.
32. Click through any Google Chrome security warnings that might appear.
b. Password: admin
34. Click Login to open the Initial Config Wizard. If the Initial Config Wizard doesn't
automatically appear after you log in, click Configuration > [System & Networking] >
Initial Config Wizard on the appliance's menu to open it.
2. Click the checkbox next to the Lab name and then click OK.
It will take approximately 15 minutes for the lab to reboot and become accessible again.
When rebooting, the status icon will change to a red downward pointing arrow. After a few
minutes, the status will change to up and green. You will want to wait 3-5 more minutes after
the status changes to up before attempting to access the lab again while the network
services are starting on the landing desktop. If you attempt to log in but end up back on the
main portal window, then the landing desktop is not yet ready. Try again in a few minutes.
Support (instructions above): available 24 hours, 7 days a week. Questions are usually
responded to within a couple of hours.
Issue: Lab never comes up after a few hours.
INSTRUCTOR VERSION Template Version 2022.01 r1.4
ECV-1, ECV-2, ECV-3, ECV-4, ECV-5: username admin, password Speak-123 (the default ID/PW is admin/admin)