Contents
- Managing SD-WAN interfaces
- About sending information about SD-WAN interfaces of the WAN type to the controller
- Package fragmentation
- Traffic queues on SD-WAN interfaces
- Creating an SD-WAN interface of the WAN type
- Editing an SD-WAN interface
- Disabling or enabling an SD-WAN interface
- Deleting an SD-WAN interface of the WAN type
Managing SD-WAN interfaces
SD-WAN interfaces are logical interfaces on top of the network interfaces of the CPE device and OpenFlow ports of the virtual switch, which form an additional level of abstraction. Each SD-WAN interface is mapped to a network interface by the network interface name and an OpenFlow port by the OpenFlow port number. The following types of SD-WAN interfaces are possible:
- SD-WAN interfaces of the LAN type are SD-WAN interfaces created by default and mapped to network interfaces that are connected to the LAN. You cannot delete or create an SD-WAN interface of the LAN type, but you can edit it to specify the maximum speed and configure traffic queues.
- SD-WAN interfaces of the WAN type are SD-WAN interfaces mapped to network interfaces that are connected to the WAN.
- An SD-WAN interface of the management type is an SD-WAN interface created by default and mapped to a network interface that is used by the Zabbix monitoring system for passive monitoring of the CPE device, as well as by the orchestrator for connecting to the CPE device over SSH. You cannot delete or create an SD-WAN interface of the management type.
You can view the table of SD-WAN interfaces in a CPE template and on a CPE device:
- To view the table of SD-WAN interfaces in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the SD-WAN → Interfaces tab.
- To view the table of SD-WAN interfaces on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the SD-WAN → Interfaces tab.
Information about SD-WAN interfaces is displayed in the following columns of the table:
- Type is the type of the SD-WAN interface:
- WAN
- LAN
- Management
- Inherited indicates whether the SD-WAN interface is inherited from a CPE template:
- Yes
- No
This column is displayed only on the CPE device.
- Port is the OpenFlow port number.
- Alias is the name of the network interface.
- Maximum rate is the maximum speed of the SD-WAN interface in Mbps.
Additional information about WAN checks to which SD-WAN interfaces of the WAN type are connected is displayed in the following columns of the table:
- IP for tracking are the IP addresses of hosts for checking WAN availability.
- Reliability is the minimum number of successful checks that makes the WAN available.
- Count is the number of requests to hosts within one WAN check.
- Timeout is the time to wait for a response from hosts, in milliseconds.
- Interval (sec.) is the time interval in seconds for the WAN check.
- Down is the number of unsuccessful checks that makes the WAN unavailable.
- Up is the number of successful checks that makes the WAN available.
- Speed monitoring indicates whether the speed of the SD-WAN interface of the WAN type is being measured:
- Yes
- No
About sending information about SD-WAN interfaces of the WAN type to the controller
When creating or editing SD-WAN interfaces of the WAN type, you can specify what information must be sent to the controller.
Sending public IP addresses and UDP ports of SD-WAN interfaces to the controller
To establish links between CPE devices, the controller must obtain information about the public IP addresses of SD-WAN interfaces of the WAN type. By default, the controller obtains this information through a management session. In that case, the source IP address is used as the public IP address.
You can manually specify the IP addresses and UDP ports of SD-WAN interfaces of the WAN type. In the figure below, CPE 1 and the controller are on the same local network and gain access to the Internet through the same firewall that does IP address forwarding.
When establishing a session between the SD-WAN interface of the WAN type of CPE 1 and the public IP address of the controller (1.1.1.2), if the firewall cannot be configured in a way that would involve the controller forwarding the private IP address to the public IP address (10.0.1.1 > 1.1.1.1), the controller is unable to obtain information about the public IP address of the SD-WAN interface of the WAN type and provide it to other CPE devices in the topology (CPE 2).
As a result, a link cannot be created between CPE 1 and CPE 2; CPE 1 becomes isolated and cannot be added to the common
CPE 1 and the controller are behind NAT and are connected to CPE 2
Sending IP addresses of SD-WAN interfaces of the WAN type located in an isolated network to the controller
SD-WAN interfaces of the WAN type may be on an isolated network without the possibility of establishing a management session with the controller, but they can be used to establish links. In this case, the controller cannot obtain information about the IP addresses of isolated SD-WAN interfaces of the WAN type and use it to establish links between CPE devices.
In the figure below, CPE 1 and CPE 2 have two SD-WAN interfaces of the WAN type each, but they can establish a management session with the controller only through wan0 because wan1 is on an isolated network (MPLS) that does not have access to the controller. However, both wan1 interfaces can be used to establish links.
If the link used to interact with the controller fails for one of the CPE devices, all other links also cannot be used, even if they remain operational, because the controller excludes the device from the topology.
The IP addresses of isolated SD-WAN interfaces of the WAN type are sent to the controller through the orchestrator.
CPE 1 and CPE 2 are connected with each other through MPLS and with the controller through the Internet.
Package fragmentation
Kaspersky SD-WAN checks whether fragmentation of traffic packets is supported on CPE devices. A packet fragmentation test is started automatically. When each CPE device is enabled, it sends two ICMP requests to the IP addresses that you specified when creating or editing SD-WAN interfaces of the WAN type.
The ICMP requests have a packet size of 1600 bytes. If at least one of the ICMP requests receives a response, a conclusion is made that the CPE device supports packet fragmentation. You can view the fragmentation test result in the Fragmentation column of the CPE device table or the link table.
Traffic queues on SD-WAN interfaces
A maximum of 8 traffic queues can be used on SD-WAN interfaces. For each traffic queue, you must specify the minimum and maximum bandwidth as a percentage of the total bandwidth set for the SD-WAN interface. The sum total of all minimum bandwidth values specified for traffic queues may not exceed 100%.
The traffic queues use strict priority: unreserved bandwidth is first offered to traffic from the higher-priority queue. Each traffic queue is guaranteed certain minimum bandwidth in accordance with its specified minimum bandwidth value. An upper limit on the maximum bandwidth for higher-priority queues is necessary to allow traffic from lower-priority traffic queues to still be transmitted.
You can configure traffic queues when creating an SD-WAN interface of the WAN type or editing an SD-WAN interface.
Service providers can use different quality of service policies to mark traffic queues in their networks and meet SLA requirements for the passage of client traffic. Therefore, when simultaneously connecting to the networks of different service providers, CPE devices can relabel traffic of different queues for each SD-WAN interface of the WAN type. To configure relabeling, you must change the type of service (ToS) when configuring traffic queues on an SD-WAN interface.
You can only change the ToS values of external headers of traffic packets originating from SD-WAN interfaces of the WAN type. ToS values of internal traffic packet headers cannot be edited.
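A model of the queue rules described above, added here as an illustration and not taken from the product: it validates a queue table against the stated limits and shows how the Maximum rate cap keeps a high-priority queue from taking all unreserved bandwidth. The two-pass sharing model, the queue names and the sample rates are assumptions.

```python
from dataclasses import dataclass

MAX_QUEUES = 8  # the page allows at most 8 traffic queues per SD-WAN interface


@dataclass
class Queue:
    name: str       # hypothetical label, used only in this example
    min_pct: float  # Minimum rate (%): guaranteed share of the interface rate
    max_pct: float  # Maximum rate (%): upper limit on the share


def validate_queues(queues):
    """Return a list of problems; an empty list means the table is acceptable."""
    problems = []
    if len(queues) > MAX_QUEUES:
        problems.append(f"{len(queues)} queues configured, maximum is {MAX_QUEUES}")
    total_min = sum(q.min_pct for q in queues)
    if total_min > 100:
        problems.append(f"minimum rates sum to {total_min}%, must not exceed 100%")
    for q in queues:
        if not 0 <= q.min_pct <= q.max_pct <= 100:
            problems.append(f"{q.name}: need 0 <= min <= max <= 100")
    return problems


def allocate(queues, demand_mbps, max_rate_mbps):
    """Assumed sharing model; queues[0] has the highest priority.

    Pass 1 grants each queue its guaranteed minimum (or its demand, if lower).
    Pass 2 offers unreserved bandwidth top-down, never past a queue's maximum.
    """
    grant = {q.name: min(demand_mbps[q.name], max_rate_mbps * q.min_pct / 100)
             for q in queues}
    spare = max_rate_mbps - sum(grant.values())
    for q in queues:
        cap = max_rate_mbps * q.max_pct / 100
        extra = max(0.0, min(demand_mbps[q.name], cap) - grant[q.name])
        extra = min(extra, spare)
        grant[q.name] += extra
        spare -= extra
    return grant


# Constructed sample: a 1000 Mbps interface where every queue wants 900 Mbps.
CAPPED = [Queue("voice", 10, 30), Queue("business", 20, 80), Queue("bulk", 10, 100)]
UNCAPPED = [Queue("voice", 10, 100), Queue("business", 20, 80), Queue("bulk", 10, 100)]
DEMAND = {"voice": 900, "business": 900, "bulk": 900}

if __name__ == "__main__":
    print(validate_queues(CAPPED))
    print(allocate(CAPPED, DEMAND, 1000))    # voice stops at its 30% cap
    print(allocate(UNCAPPED, DEMAND, 1000))  # voice takes all unreserved bandwidth
```

With the cap removed, the lower-priority queues fall back to their guaranteed minimums under load.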
Creating an SD-WAN interface of the WAN type
You can create an SD-WAN interface of the WAN type in a CPE template or on a CPE device. An SD-WAN interface of the WAN type created in a CPE template is automatically created on all CPE devices that are using this CPE template.
To create an SD-WAN interface of the WAN type:
- Create an SD-WAN interface of the WAN type in one of the following ways:
- If you want to create an SD-WAN interface of the WAN type in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the SD-WAN → Interfaces tab.
- If you want to create an SD-WAN interface of the WAN type on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the SD-WAN → Interfaces tab.
A table of SD-WAN interfaces is displayed.
- Click + SD-WAN interface.
- This opens a window; in that window, in the OpenFlow port field, enter the number of the OpenFlow port that you are creating on the virtual switch.
- In the Interface (alias) field, enter the name of the created network interface, which the SD-WAN interface of the WAN type is mapped to.
- In the Maximum rate field, enter the maximum speed of the SD-WAN interface of the WAN type in Mbps. Range of values: 1 to 100,000. Default value: 1000.
- Configure the availability check of the WAN to which the SD-WAN interface of the WAN type is connected:
- Specify the host for checking WAN availability. To do so, under IP for tracking, enter the IP address of the host and click + Add.
The host is specified and displayed under IP for tracking. You can specify multiple hosts or delete a host. To delete a host, click the delete icon next to it.
- In the IP for fragmentation check field, enter the IPv4 address of the host up to which fragmentation support is checked. Default value: 1.1.1.1.
- In the Reliability field, enter the minimum number of successful checks that makes the WAN available. Default value: 1.
Make sure that the number of hosts does not exceed the number of IP addresses specified under IP for tracking. Otherwise, the WAN will always be considered unavailable.
- In the Interval (sec.) field, enter the time interval in seconds for the WAN check. Range of values: 1 to 600. Default value: 2.
- In the Count field, enter the number of requests to hosts within one WAN check. Range of values: 1 to 600. Default value: 2.
- In the Timeout field, enter the time to wait for a response from hosts, in milliseconds. Range of values: 1 to 100,000. Default value: 2000.
- In the Down field, enter the number of unsuccessful checks that makes the WAN unavailable. Range of values: 1 to 600. Default value: 3.
- In the Up field, enter the number of successful checks that makes the WAN available. Range of values: 1 to 600. Default value: 2.
- In the Speed monitoring drop-down list, select whether the speed of the SD-WAN interface of the WAN type is being measured:
- Yes
- No. Default value.
- If you want to configure traffic queues on the SD-WAN interface of the WAN type:
- Select the QoS tab.
A table of traffic queues is displayed.
- In the Remap ToS column, select the Type of Service value of external headers of traffic packets for each queue.
- In the Minimum rate (%) column, specify the minimum traffic bandwidth for the queue as a percentage of the maximum speed of the SD-WAN interface of the WAN type. The sum total in a column may not exceed 100.
- In the Maximum rate (%) column, specify the maximum traffic bandwidth for the queue as a percentage of the maximum speed of the SD-WAN interface of the WAN type. This setting is used to prevent traffic of high-priority queues from indefinitely preempting traffic of low-priority queues.
The maximum speed of the SD-WAN interface of the WAN type is specified at step 5 of these instructions.
- If you want to configure the sending of information about the SD-WAN interface of the WAN type to the controller:
- Select the NAT and disjoint WAN underlay tab.
- In the State drop-down list, select one of the following values:
- Disabled if you do not want information about the SD-WAN interface of the WAN type to be sent to the controller. Default value.
- NAT/PAT if the SD-WAN interface of the WAN type is behind NAT or PAT and needs to be assigned a public IP address and UDP port number, which must be sent to the controller.
- Disjoint WAN underlay means the SD-WAN interface of the WAN type is connected to an isolated network, and the IP address of the SD-WAN interface of the WAN type must be passed to the controller.
- If in the State drop-down list, you selected NAT/PAT, follow these steps:
- In the Real IP field, enter the public IPv4 address of the SD-WAN interface of the WAN type.
- In the Real GENEVE UDP port field, enter the UDP port number of the SD-WAN interface of the WAN type. Range of values: 1 to 65,535.
- If in the State drop-down list you selected Disjoint WAN underlay, enter the IPv4 address of the SD-WAN interface of the WAN type in the IP address field.
- If SD-WAN interfaces of the WAN type of the CPE device are connected to different networks, for example, the internet and a private MPLS network, you can change the IP addresses and TCP port numbers of controller nodes on an individual SD-WAN interface of the WAN type. To do so:
- Select the Controllers tab.
- Select the Rewrite controllers' IP/port check box. This check box is cleared by default.
- In the Number of controllers drop-down list, select the number of controller nodes.
You need to specify the number of controller nodes that you deployed when you deployed the SD-WAN instance. Otherwise, an error occurs and the settings remain unchanged.
- In the IP address field, enter the IPv4 address of the controller node. The number of fields corresponds to the value that you selected in the Number of controllers drop-down list.
- In the Port field, enter the base port number of the controller node. Range of values: 1 to 65,535. Default value: 6653. The number of fields corresponds to the value that you selected in the Number of controllers drop-down list.
Along with the base port of the controller node, ports with the next three consecutive numbers are automatically specified. For example, if you enter 6653 as the base port number, ports 6654, 6655, and 6656 are automatically specified.
For the changes to take effect, you need to restart the CPE device after changing the IP addresses and TCP port numbers of controller nodes on the SD-WAN interface of the WAN type.
You can change the IP addresses and TCP port numbers of the controller nodes while configuring the controller nodes of an SD-WAN instance. This automatically changes the IP addresses and TCP port numbers of controller nodes on all CPE devices that are added to the SD-WAN instance. The IP addresses and TCP port numbers specified on an individual SD-WAN interface of the WAN type take precedence over the IP addresses and TCP port numbers specified when configuring the controller nodes of the SD-WAN instance.
- Click Create.
The SD-WAN interface of the WAN type is created and displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.
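How the Reliability, Down and Up settings from the WAN availability check interact, as an added example that is not part of the product or its documentation. It assumes that Down and Up count consecutive checks, that a WAN starts as unavailable, and that a check succeeds when at least Reliability tracking hosts answer; the host addresses are constructed.

```python
class WanCheck:
    """Availability state for one SD-WAN interface of the WAN type (illustrative model)."""

    def __init__(self, tracking_ips, reliability=1, down=3, up=2):
        self.tracking_ips = set(tracking_ips)  # hosts under "IP for tracking"
        self.reliability = reliability  # hosts that must answer in one check
        self.down = down                # failed checks before the WAN goes unavailable
        self.up = up                    # successful checks before the WAN goes available
        self.available = False          # assumption: a WAN starts as unavailable
        self._ok_run = 0
        self._fail_run = 0

    def config_problems(self):
        """Flag settings that can never yield an available WAN or are out of range."""
        problems = []
        if self.reliability > len(self.tracking_ips):
            problems.append(
                f"Reliability {self.reliability} exceeds {len(self.tracking_ips)} "
                "tracking IPs: the WAN will always be considered unavailable")
        for name, value in (("Down", self.down), ("Up", self.up)):
            if not 1 <= value <= 600:
                problems.append(f"{name}={value} is outside the range 1 to 600")
        return problems

    def feed(self, responding_hosts):
        """Apply one WAN check, given the tracking hosts that answered in time."""
        answered = len(self.tracking_ips & set(responding_hosts))
        if answered >= self.reliability:
            self._ok_run, self._fail_run = self._ok_run + 1, 0
            if self._ok_run >= self.up:
                self.available = True
        else:
            self._ok_run, self._fail_run = 0, self._fail_run + 1
            if self._fail_run >= self.down:
                self.available = False
        return self.available


def replay(check, results):
    """Feed a sequence of check results and return the state after each one."""
    return [check.feed(hosts) for hosts in results]


# Constructed sample: two tracking hosts from documentation address ranges.
HOSTS = ["192.0.2.1", "198.51.100.1"]
SAMPLE = [{"192.0.2.1"}, set(HOSTS), set(), set(), {"198.51.100.1"}, set(), set(), set()]

if __name__ == "__main__":
    # Default settings: two failures followed by a success do not take the WAN down.
    print(replay(WanCheck(HOSTS), SAMPLE))
    # Reliability above the number of tracking hosts: never available.
    bad = WanCheck(HOSTS, reliability=3)
    print(bad.config_problems(), replay(bad, [set(HOSTS)] * 5))
```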
Editing an SD-WAN interface
You can edit an SD-WAN interface in a CPE template or on a CPE device. You cannot edit the name of an SD-WAN interface. When editing an SD-WAN interface of the LAN type, you can only configure the maximum speed and traffic queues. An SD-WAN interface edited in the CPE template is automatically modified on all CPE devices that use this CPE template.
To edit an SD-WAN interface:
- Edit an SD-WAN interface in one of the following ways:
- If you want to edit an SD-WAN interface in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the SD-WAN → Interfaces tab.
- If you want to edit an SD-WAN interface on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the SD-WAN → Interfaces tab. If you want to edit an SD-WAN interface inherited from the CPE template, select the Override check box next to that SD-WAN interface.
A table of SD-WAN interfaces is displayed.
- Click Edit next to the SD-WAN interface that you want to edit.
- This opens a window; in that window, if necessary, edit the SD-WAN interface settings. For a description of the settings, see the instructions for creating an interface of the WAN type.
- Click Save.
The SD-WAN interface is modified and updated in the table.
- In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.
Disabling or enabling an SD-WAN interface
You can disable or enable an SD-WAN interface in a CPE template or on a CPE device. An SD-WAN interface enabled or disabled in a CPE template is automatically enabled or disabled on all CPE devices that use this CPE template.
To disable or enable an SD-WAN interface:
- Disable or enable an SD-WAN interface in one of the following ways:
- If you want to enable or disable an SD-WAN interface in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the SD-WAN → Interfaces tab.
- If you want to enable or disable an SD-WAN interface on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the SD-WAN → Interfaces tab. If you want to disable or enable an SD-WAN interface inherited from the CPE template, select the Override check box next to that SD-WAN interface.
A table of SD-WAN interfaces is displayed.
- Click Disable or Enable next to the SD-WAN interface that you want to disable or enable.
The SD-WAN interface is disabled or enabled and updated in the table.
- In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.
Deleting an SD-WAN interface of the WAN type
You can delete an SD-WAN interface of the WAN type in a CPE template or on a CPE device. An SD-WAN interface of the WAN type deleted in a CPE template is automatically deleted on all CPE devices that are using this CPE template. You cannot delete an SD-WAN interface inherited from the CPE template on a CPE device, or delete an SD-WAN interface of the LAN type.
Deleted SD-WAN interfaces of the WAN type cannot be restored.
To delete an SD-WAN interface of the WAN type:
- Delete an SD-WAN interface of the WAN type in one of the following ways:
- If you want to delete an SD-WAN interface of the WAN type in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the SD-WAN → Interfaces tab.
- If you want to delete an SD-WAN interface of the WAN type on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the SD-WAN → Interfaces tab.
A table of SD-WAN interfaces is displayed.
- Click Delete next to the SD-WAN interface of the WAN type that you want to delete.
- In the confirmation window, click Delete.
The SD-WAN interface of the WAN type is deleted and is no longer displayed in the table.
- In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.