Kaspersky SD-WAN
Configuring the VIM
Deploying a VIM in the data center implies centralized management of the VNF lifecycle, while a VIM deployed on a uCPE device allows delivering VNFs to remote locations and managing these VNFs locally.
You can configure the VIM in the data center or in CPEs with additional support for Virtual Network Function deployment. Note that the device must have sufficient hardware resources to avoid involving the data center or the cloud when providing the VNF.
- Configuring a VIM in a data center.
To configure a VIM in a data center:
- In the menu, go to the Infrastructure section.
The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.
- In the upper part of the page, click + VIM.
- This opens a window. In the Domain and Data center drop-down lists, select the domain and data center where the VIM is deployed.
- In the Name field, enter the name of the VIM.
- In the IP field, enter the IP address or domain name for connecting the orchestrator to the VIM.
- In the Port field, enter the port number for connecting the orchestrator to the VIM identification service. The default setting is 5,000.
- In the Protocol drop-down list, select the protocol for connecting the orchestrator to the VIM:
- http (selected by default)
- https
- In the Login and Password fields, enter the name and password of an OpenStack account with administrator privileges to authenticate the orchestrator in the OpenStack cloud platform. If authentication is successful, the orchestrator gains access to managing the virtual infrastructure that is available to the administrator.
- If necessary, change the advanced orchestrator authentication settings in the OpenStack cloud platform:
- In the Administrator project field, enter the name of the administrator project for orchestrator authentication in this project.
- In the Domain field, enter the OpenStack domain name for orchestrator authentication in this domain.
- In the Behind NAT drop-down list, select whether the VIM is behind NAT (Network Address Translation):
- Enabled to indicate that the VIM is behind NAT and network address translation happens when it interacts with the SD-WAN instance.
- Disabled to indicate that the VIM is not behind NAT. This is the default.
- If necessary, specify the overcommitment ratios for physical resources:
- In the CPU overcommitment field, enter the CPU core overcommitment ratio. The default setting is 1.
- In the RAM overcommitment field, enter the RAM overcommitment ratio. The default setting is 1.
- In the Disk overcommitment field, enter the disk space overcommitment ratio. The default setting is 1.
Overcommitment ratios let you provision virtual machines with more virtual resources than are physically present. This is possible because, as a rule, virtual machines do not simultaneously use all available physical resources to the maximum. For example, if you specify a disk space overcommitment ratio of 3, the available virtual disk space can be three times as large as the disk space physically available on the host. When configuring overcommitment, consider how the capabilities of your hardware relate to the requirements of the virtual machines. If you specify a high overcommitment ratio for physical resources and the virtual machines happen to use them up, this may lead to the network lagging and/or parts of the network becoming completely unavailable.
- If necessary, in the Parallelism field, enter the maximum number of simultaneous operations between the orchestrator and the VIM. The default setting is 1. This setting lets you reduce the overall processing time for operations, but creates an additional load on the virtual infrastructure. We recommend not changing the default value unless the overall operation processing speed is critical for you.
- In the SDN cluster drop-down list, select the SDN cluster to which OpenStack is connected, or None if OpenStack is not connected to an SDN cluster.
- In the Maximum number of VLANs field, enter the maximum number of VLANs that you plan to use on the VIM. This setting lets the orchestrator keep track of the number of segments available for use. Range of values: 0 to 4,094.
- If the VIM supports SR-IOV, enter the physnet name in the SR-IOV physical network field. The orchestrator uses the SR-IOV physical network name to connect virtual machines with the SR-IOV interface type.
- If you are using a network with the VLAN segmentation type for management, in the VLAN physical network field, enter the VLAN ID.
- If you selected an SDN cluster in the SDN cluster drop-down list, configure the connection to that cluster:
- If you need to map the logical networks of the SD-WAN instance to a physical network, enter the physnet name in the OpenStack physical network field.
- In the Interface group drop-down list, select the port group through which all OpenStack nodes are connected to the SDN cluster.
- In the Control group drop-down list, select the port group through which the OpenStack control nodes are connected to the SDN cluster.
- If necessary, in the Compute group drop-down list, select the port group through which OpenStack compute nodes are connected to the SDN cluster.
- If in the SDN cluster drop-down list, you selected None, configure the network:
- If you need to map the flat networks of the SD-WAN instance to a physical network, enter the physnet name in the Flat physical network field.
- If you need to map the VXLAN of the SD-WAN instance to a physical network, enter the physnet name in the VXLAN physical network field.
- In the Control network segmentation drop-down list, select the type of segmentation that is used to isolate and secure control plane traffic in the SD-WAN structure:
- VLAN
- VXLAN
The control plane is the part of the network that controls the transmission of traffic packets through CPE devices. It performs functions such as network discovery, route calculation, traffic prioritization, and security policy enforcement, and it allows the network to be managed centrally by providing a full-scale view of all performed operations. It consists of an orchestrator and an SD-WAN Controller.
- In the Control segment ID field, enter the segment ID of the management network. The range of values depends on the value selected in the Control network segmentation drop-down list:
- If you selected VLAN, the range of values is 0 to 4,095.
- If you selected VXLAN, the range of values is 0 to 16,000,000.
- In the Port security drop-down list, select whether Port security is enabled or not. Port security enhances network security at the level of Ethernet ports of switches. This functionality prevents unauthorized access to the network by limiting the number of MAC addresses that can be associated with one physical port. When enabled, only trusted devices with predefined MAC addresses can connect to the network. You can select one of the following options:
- Enabled
- Disabled
- In the Permit CIDR field, enter the allowed subnet address for the control network.
- Click Create.
The VIM is added and displayed in the table on the Compute resources tab.
- Configuring a VIM in a uCPE template.
To configure a VIM in a uCPE template:
- In the menu, go to the SD-WAN → CPE templates subsection.
A table of CPE templates is displayed.
- Click the CPE template.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.
- Select the VIM tab.
The VIM settings are displayed.
- In the Port field, enter the port number for connecting the orchestrator to the VIM identification service. The default setting is 5,000.
- In the Protocol drop-down list, select the protocol for connecting the orchestrator to the VIM:
- http (selected by default)
- https
- In the Login and Password fields, enter the name and password of an OpenStack account with administrator privileges to authenticate the orchestrator in the OpenStack cloud platform. If authentication is successful, the orchestrator gains access to managing the virtual infrastructure that is available to the administrator.
- If necessary, specify advanced orchestrator authentication settings in the OpenStack cloud platform:
- In the Administrator project field, enter the name of the administrator project for orchestrator authentication in this project.
- In the Domain field, enter the OpenStack domain name for orchestrator authentication in this domain.
- If you are using a network with the VLAN segmentation type for management, in the VLAN physical network field, enter the VLAN ID.
- In the Behind NAT drop-down list, select whether the VIM is behind NAT (Network Address Translation):
- Enabled to indicate that the VIM is behind NAT and network address translation happens when it interacts with the SD-WAN instance.
- Disabled to indicate that the VIM is not behind NAT. This is the default.
- If necessary, specify the overcommitment ratios for physical resources:
- In the CPU overcommitment field, enter the CPU core overcommitment ratio. The default setting is 1.
- In the RAM overcommitment field, enter the RAM overcommitment ratio. The default setting is 1.
- In the Disk overcommitment field, enter the disk space overcommitment ratio. The default setting is 1.
Overcommitment ratios let you provision virtual machines with more virtual resources than are physically present. This is possible because, as a rule, virtual machines do not simultaneously use all available physical resources to the maximum. For example, if you specify a disk space overcommitment ratio of 3, the available virtual disk space can be three times as large as the disk space physically available on the host. When configuring overcommitment, consider how the capabilities of your hardware relate to the requirements of the virtual machines. If you specify a high overcommitment ratio for physical resources and the virtual machines happen to use them up, this may lead to the network lagging and/or parts of the network becoming completely unavailable.
- In the Maximum number of VLANs field, enter the maximum number of VLANs that you plan to use on the VIM. This setting lets the orchestrator keep track of the number of segments available for use. Range of values: 0 to 4,094.
- In the upper part of the settings area, click Save to save the configuration of the CPE template.
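The two procedures above (the data-center VIM and the uCPE template VIM) share most of their fields, and the value ranges the documentation gives for them are easy to get wrong when the settings are prepared by automation rather than typed into the form. The following Python validator is an added example, not Kaspersky's code or the orchestrator's API: it checks a settings dictionary against the documented constraints (port, http/https, the 0 to 4,094 VLAN limit, the Control segment ID range that depends on VLAN or VXLAN segmentation, Permit CIDR as a real subnet) and flags settings that weaken security or availability (plain http for administrator credentials, a Permit CIDR that admits every address, disabled Port security, overcommitment ratios above 1). The field keys, the `overcommit_check` helper and the sample values are assumptions constructed for the example; `overcommit_check` illustrates the overcommitment caveat by separating "fits under the ratio" from "fits the physical host at peak".

```python
import ipaddress

# Added example: validator for the VIM settings described in this section.
# Constructed helper, not the orchestrator's API; field keys are assumed names.
VLAN_MAX = 4094                                        # Maximum number of VLANs: 0 to 4,094
SEGMENT_ID_MAX = {"VLAN": 4095, "VXLAN": 16_000_000}   # Control segment ID ranges
DEFAULT_PORT = 5000                                    # Default VIM identification service port


def validate_vim_settings(s):
    """Check a dict of VIM settings against the documented constraints.

    Returns (errors, warnings): errors would block creation, warnings flag
    settings that weaken security or availability.
    """
    errors, warnings = [], []

    port = s.get("port", DEFAULT_PORT)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append(f"Port {port!r} is not a valid TCP port")

    protocol = s.get("protocol", "http")
    if protocol not in ("http", "https"):
        errors.append(f"Protocol must be http or https, got {protocol!r}")
    elif protocol == "http":
        warnings.append("Protocol is http: OpenStack administrator credentials "
                        "travel in clear text; prefer https")

    if not s.get("login") or not s.get("password"):
        errors.append("Login and Password are required for OpenStack authentication")

    # Overcommitment ratios: any positive number is accepted; a ratio above 1 lets
    # VMs be granted more than the host physically has, so it is flagged.
    for name in ("cpu_overcommit", "ram_overcommit", "disk_overcommit"):
        ratio = s.get(name, 1)
        if not isinstance(ratio, (int, float)) or ratio <= 0:
            errors.append(f"{name} must be a positive number, got {ratio!r}")
        elif ratio > 1:
            warnings.append(f"{name}={ratio}: peak demand may exceed physical capacity")

    max_vlans = s.get("max_vlans", 0)
    if not isinstance(max_vlans, int) or not 0 <= max_vlans <= VLAN_MAX:
        errors.append(f"Maximum number of VLANs must be 0 to {VLAN_MAX}, got {max_vlans!r}")

    # Control segment ID range depends on the segmentation type (data-center VIM only).
    segmentation = s.get("control_segmentation")
    if segmentation is not None:
        limit = SEGMENT_ID_MAX.get(segmentation)
        seg_id = s.get("control_segment_id")
        if limit is None:
            errors.append(f"Control network segmentation must be VLAN or VXLAN, got {segmentation!r}")
        elif not isinstance(seg_id, int) or not 0 <= seg_id <= limit:
            errors.append(f"Control segment ID must be 0 to {limit} for {segmentation}, got {seg_id!r}")

    # Permit CIDR must be a proper subnet; a zero-length prefix would admit any host.
    cidr = s.get("permit_cidr")
    if cidr is not None:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            errors.append(f"Permit CIDR {cidr!r} is not a valid subnet")
        else:
            if net.prefixlen == 0:
                warnings.append("Permit CIDR admits every address; restrict it to the control network")

    if s.get("port_security", "Enabled") == "Disabled":
        warnings.append("Port security is disabled: unknown MAC addresses can attach to the port")

    return errors, warnings


def overcommit_check(physical, ratio, vm_demands):
    """Return (within_virtual, within_physical) for a list of VM resource demands.

    within_virtual: the VMs can be provisioned under the overcommitment ratio.
    within_physical: all VMs can be busy at once without exhausting the host,
    which is the situation the overcommitment caveat warns about.
    """
    total = sum(vm_demands)
    return total <= physical * ratio, total <= physical


if __name__ == "__main__":
    # Constructed sample: documented defaults plus http and a disk ratio of 3.
    sample = {
        "port": 5000, "protocol": "http", "login": "admin", "password": "example-only",
        "disk_overcommit": 3, "max_vlans": 100,
        "control_segmentation": "VXLAN", "control_segment_id": 1000,
        "permit_cidr": "10.0.0.0/24", "port_security": "Enabled",
    }
    errs, warns = validate_vim_settings(sample)
    print("errors:", errs)
    print("warnings:", warns)
    # Three VMs of 80 units on a 100-unit host with ratio 3: allowed, but not at peak.
    print(overcommit_check(physical=100, ratio=3, vm_demands=[80, 80, 80]))
```

Run it as a script to see the sample's warnings (clear-text http and the disk overcommitment ratio), or import `validate_vim_settings` into whatever prepares VIM settings for the orchestrator and refuse to submit when the error list is not empty.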