Kaspersky SD-WAN
Configuring network service topology components
You can configure network components, connections, and interfaces added to the topology of a network service template or an individual network service. Before you can configure topology components, you must open the topology.
To open the topology:
- In the menu, go to the Catalog section.
The network service management page is displayed.
- Open the topology:
- If you want to open the topology of a network service template, select the template in the Catalog panel.
- If you want to open the topology of a network service, select the network service in the Network services panel.
The graphical design tool with the network service topology is displayed.
Use the following instructions to configure topology components:
- Configuring a VNF in the network service topology
To configure a VNF in the topology:
- Click the VNF.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.
By default, the Flavours tab is selected, which displays the flavours of virtual machines for the network function. Flavours are described in the VNF package.
- Select the Connection points tab and configure the VNF interfaces:
- In the Type drop-down list, select how you want to assign an IP address and subnet mask to the interface:
- DHCP reservation to assign an IP address and subnet mask using DHCP.
- AUTO to automatically assign an IP address and subnet mask. This is the default setting.
- If in the Type drop-down list, you selected DHCP reservation, follow these steps:
- In the IP field, enter the IP address of the interface.
- In the Mask field, enter the subnet mask.
- In the Description field, enter a brief description of the interface.
- If you want to make the interface a trunk port for processing traffic from multiple VLANs simultaneously, select the Trunk check box. When the check box is selected, the VNF interface is capable of transmitting and receiving tagged VLAN traffic, which contains an additional identifier (VLAN tag) that lets you identify and filter different VLANs in the network. This check box is cleared by default.
- Select the VNF settings tab and specify general VNF settings:
- In the Name field, enter the name of the VNF.
- In the Description field, enter a brief description of the VNF.
- In the Order field, enter the sequence number for deploying the VNF on the OpenStack cloud platform. When you deploy a network service, the VNF with the lowest number is the first to be deployed. If none of the VNFs added to the network service topology have a sequence number specified, all VNFs are deployed simultaneously.
- Specify the required settings on the remaining tabs. The number of tabs with settings that you can specify depends on the contents of the VNF package. Tabs are added to the package as variables.
If you are having difficulty configuring certain settings, we recommend that you refer to the technical documentation provided by the VNF vendor or contact Kaspersky technical support.
- Click Save in the upper part of the settings area.
- Configuring a PNF in the network service topology.
To configure a PNF in the topology:
- Click the PNF.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.
By default, the Flavours tab is selected, which displays the flavours of virtual machines for the network function. Flavours are described in the PNF package.
- Select the PNF settings tab and specify general PNF settings:
- In the Name field, enter the name of the PNF.
- In the Description field, enter a brief description of the PNF.
- In the Order field, enter the sequence number for deploying the PNF. When you deploy a network service, the PNF with the lowest number is the first to be deployed. If none of the PNFs added to the network service topology have a sequence number specified, all PNFs are deployed simultaneously.
- Select the DC placement tab and select the data center that is hosting the PNF:
- In the Data center field, enter the name of the data center and select a value from the drop-down list.
- Click Apply.
- Go to the Management IP tab and in the IP fields, enter the IP addresses of the VDU control interfaces within the PNF. To check the availability of an address, click Test connection.
- Specify the required settings on the remaining tabs. The number of tabs with settings that you can specify depends on the contents of the PNF package. Tabs are added to the package as variables.
If you are having difficulty configuring certain settings, we recommend that you refer to the technical documentation provided by the PNF vendor or contact Kaspersky technical support.
- Click Save in the upper part of the settings area.
- Configuring a P2P service in the network service template topology
To configure a P2P service in the topology:
- Click the P2P service.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.
- In the Name field, enter the name of the transport service.
- If necessary, in the Description field, enter a brief description of the transport service.
- Click Save in the upper part of the settings area.
- Configuring a P2M service in the network service template topology
To configure a P2M service in the topology:
- Click the P2M service.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.
- In the Name field, enter the name of the transport service.
- If necessary, in the Description field, enter a brief description of the transport service.
- In the Connection points field, enter the maximum number of connection points of the transport service. Range of values: 2 to 9,999. If you do not specify a value for this setting, the number of connection points is unlimited.
- In the Mode drop-down list, select whether you want to use the Default Forwarding Interface (hereinafter referred to as DFI) in the transport service. If the DFI role is assigned to a service interface, all unknown unicast traffic is sent to that service interface. Possible values:
- Classic if you do not want to use DFI. This is the default setting.
- DFI with FIB on root and leafs if you want to use DFI on the service interface with the Root role. The number of service interfaces with the Leaf role is not limited. Backup service interfaces can be added for each service interface.
- DFI with FIB on leaf if you want to use DFI on the service interface with the Root role. The number of service interfaces with the Leaf role is not limited. Service interfaces with the Leaf role must be on the same CPE device. Backup service interfaces can be added for each service interface. Backup service interfaces with the Leaf role must be on the same CPE device, which must be different from the device hosting the primary service interfaces.
- In the MAC age (sec.) field, enter the time period in seconds during which entries are kept in the MAC table on the SD-WAN Controller. Range of values: 10 to 65,535. The default setting is 300.
- In the MAC learn mode drop-down list, select the action to apply to a series of frames when the first frame is sent to the SD-WAN controller to learn the source MAC address:
- Learn and flood means the controller remembers the MAC address of the source and checks for the presence of the destination MAC address in the MAC address table. If the destination MAC address is not in the table, the series of frames is sent to all service interfaces added to the transport service, except for the interface on which the series of frames originally arrived. This is the default setting.
- Learn and drop means the controller remembers the MAC address of the source and checks for the presence of the destination MAC address in the MAC address table. If the destination MAC address is not in the table, the series of frames is dropped.
In both cases, if the destination MAC address is present in the MAC address table, the series of frames is sent to the corresponding service interface.
- In the MAC table size field, enter the maximum number of entries in the MAC table on the SD-WAN controller. Range of values: 0 to 65,535. 0 means the number of entries is not limited. The default setting is 100.
- In the MAC table overload drop-down list, select the policy for processing new MAC addresses when the MAC table on the SD-WAN Controller is full:
- Flood means traffic with destination MAC addresses that have not been learned previously is transmitted as BUM traffic (Broadcast, unknown-unicast, and multicast). This is the default setting.
- Drop means that traffic with destination MAC addresses that have not been learned previously is dropped.
- If necessary, use OpenStack DHCP to automatically assign IP addresses and configuration parameters to virtual machines:
- In the OpenStack DHCP drop-down list, select Enabled.
- In the CIDR field, enter the OpenStack IP address and subnet mask.
- In the Gateway field, enter the IP address of the gateway that routes traffic leaving the virtual network. This gateway connects the virtual network to external networks, such as the internet. The gateway address must be on the same subnet as the virtual machines and other network devices for them to communicate with each other.
- If you want to create a range of IP addresses, under Pools, click + Pool and in the fields that are displayed, enter the start and end values of the range. If a virtual machine requests an IP address, the DHCP server assigns an address from this range.
The range must belong to the same subnet as the gateway, virtual machines, and other network devices so that they can communicate with each other, and the size of the range must accommodate the number of virtual machines on the network. You can create multiple ranges or delete a range by clicking Delete next to it.
- If you want to add a DNS server, under DNS, click DNS, and enter the IP address of the server in the field that is displayed. The DNS server allows virtual machines to resolve domain names to IP addresses.
Information from the DNS server is sent to virtual machines via DHCP options, after which they can interact with devices on the virtual network, as well as gain access to the internet and other external networks using domain names instead of IP addresses. You can add multiple servers or delete a server by clicking Delete next to it.
- Click Save in the upper part of the settings area.
- Configuring an M2M service in the network service template topology
To configure an M2M service in the topology:
- Click the M2M service.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.
- In the Name field, enter the name of the transport service.
- If necessary, in the Description field, enter a brief description of the transport service.
- In the Connection points field, enter the maximum number of connection points of the transport service. Range of values: 2 to 9,999. If you do not specify a value for this setting, the number of connection points is unlimited.
- In the MAC age (sec.) field, enter the time period in seconds during which entries are kept in the MAC table on the SD-WAN Controller. Range of values: 10 to 65,535. The default setting is 300.
- In the MAC learn mode drop-down list, select the action to apply to a series of frames when the first frame is sent to the SD-WAN controller to learn the source MAC address:
- Learn and flood means the controller remembers the MAC address of the source and checks for the presence of the destination MAC address in the MAC address table. If the destination MAC address is not in the table, the series of frames is sent to all service interfaces added to the transport service, except for the interface on which the series of frames originally arrived. This is the default setting.
- Learn and drop means the controller remembers the MAC address of the source and checks for the presence of the destination MAC address in the MAC address table. If the destination MAC address is not in the table, the series of frames is dropped.
In both cases, if the destination MAC address is present in the MAC address table, the series of frames is sent to the corresponding service interface.
- In the MAC table size field, enter the maximum number of entries in the MAC table on the SD-WAN controller. Range of values: 0 to 65,535. 0 means the number of entries is not limited. The default setting is 100.
- In the MAC table overload drop-down list, select the policy for processing new MAC addresses when the MAC table on the SD-WAN Controller is full:
- Flood means traffic with destination MAC addresses that have not been learned previously is transmitted as BUM traffic (Broadcast, unknown-unicast, and multicast). This is the default setting.
- Drop means that traffic with destination MAC addresses that have not been learned previously is dropped.
- If necessary, use OpenStack DHCP to automatically assign IP addresses and configuration parameters to virtual machines:
- In the OpenStack DHCP drop-down list, select Enabled.
- In the CIDR field, enter the OpenStack IP address and subnet mask.
- In the Gateway field, enter the IP address of the gateway that routes traffic leaving the virtual network. This gateway connects the virtual network to external networks, such as the internet. The gateway address must be on the same subnet as the virtual machines and other network devices for them to communicate with each other.
- If you want to create a range of IP addresses, under Pools, click + Pool and in the fields that are displayed, enter the start and end values of the range. If a virtual machine requests an IP address, the DHCP server assigns an address from this range.
The range must belong to the same subnet as the gateway, virtual machines, and other network devices so that they can communicate with each other, and the size of the range must accommodate the number of virtual machines on the network. You can create multiple ranges or delete a range by clicking Delete next to it.
- If you want to add a DNS server, under DNS, click DNS, and enter the IP address of the server in the field that is displayed. The DNS server allows virtual machines to resolve domain names to IP addresses.
Information from the DNS server is sent to virtual machines via DHCP options, after which they can interact with devices on the virtual network, as well as gain access to the internet and other external networks using domain names instead of IP addresses. You can add multiple servers or delete a server by clicking Delete next to it.
- If you want to allow sharing of the M2M service between different network services, select the Share network service check box. This check box is cleared by default.
- Click Save in the upper part of the settings area.
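The MAC age, MAC learn mode, MAC table size and MAC table overload settings of the P2M and M2M services interact, and the following added example (a simplified model, not Kaspersky code) replays a few constructed frames through them to show the resulting forwarding decisions. The class name, the interface names and the sample MAC addresses are hypothetical. Two points are modelling assumptions rather than documented behaviour: an entry expires MAC age seconds after its source was last seen, and while the table is full the overload policy decides instead of the learn mode.

```python
from dataclasses import dataclass, field


@dataclass
class MacTableModel:
    """Simplified model of one transport service's MAC table (not product code)."""
    interfaces: tuple                 # service interfaces added to the transport service
    mac_age: int = 300                # "MAC age (sec.)", default 300
    learn_mode: str = "flood"         # "Learn and flood" (default) or "Learn and drop"
    table_size: int = 100             # "MAC table size", 0 means unlimited
    overload: str = "flood"           # "MAC table overload": Flood (default) or Drop
    entries: dict = field(default_factory=dict)   # MAC -> (interface, last seen)

    def __post_init__(self):
        # Value ranges as documented for the web interface fields.
        if not 10 <= self.mac_age <= 65535:
            raise ValueError("MAC age must be 10 to 65,535 seconds")
        if not 0 <= self.table_size <= 65535:
            raise ValueError("MAC table size must be 0 to 65,535")
        if self.learn_mode not in ("flood", "drop") or self.overload not in ("flood", "drop"):
            raise ValueError("learn mode and overload policy must be 'flood' or 'drop'")

    def is_full(self):
        return self.table_size != 0 and len(self.entries) >= self.table_size

    def handle(self, now, in_if, src, dst):
        """Return (action, egress interfaces) for one series of frames."""
        # Assumption: an entry ages out mac_age seconds after its source was last seen.
        self.entries = {m: e for m, e in self.entries.items() if now - e[1] < self.mac_age}
        # Learn or refresh the source; a new source is not learned while the table is full.
        if src in self.entries or not self.is_full():
            self.entries[src] = (in_if, now)
        # Known destination: sent to the corresponding service interface in both modes.
        if dst in self.entries:
            return ("forward", [self.entries[dst][0]])
        # Assumption: while the table is full the overload policy decides,
        # otherwise the learn mode does.
        policy = self.overload if self.is_full() else self.learn_mode
        if policy == "flood":
            # All service interfaces except the one the frames arrived on.
            return ("flood", [i for i in self.interfaces if i != in_if])
        return ("drop", [])


# Constructed sample traffic: (time in seconds, ingress interface, source MAC, destination MAC)
HOST_A, HOST_B, HOST_C, HOST_D = (f"02:00:00:00:00:0{n}" for n in "abcd")
FRAMES = [
    (0, "si1", HOST_A, HOST_B),    # table empty, destination unknown
    (1, "si2", HOST_B, HOST_A),    # destination learned at t=0
    (2, "si3", HOST_C, HOST_D),    # table (size 2) is full, destination unknown
    (3, "si3", HOST_C, HOST_A),    # table still full, destination known
    (12, "si3", HOST_C, HOST_A),   # both entries have aged out (MAC age 10)
]


def replay(table, frames=FRAMES):
    """Feed the frames to the model and collect its decisions."""
    return [table.handle(*frame) for frame in frames]


if __name__ == "__main__":
    for policy in ("flood", "drop"):
        model = MacTableModel(("si1", "si2", "si3"), mac_age=10, table_size=2, overload=policy)
        print(policy, replay(model))
```

With the default Flood policy, a full table means frames for unlearned destinations reach every other service interface of the transport service; Drop keeps them off those interfaces, at the cost of dropping traffic to hosts that could not be learned.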
- Configuring a shared network (OS 2 SHARED) in the network service template topology
To configure a shared network in the topology:
- Click the shared network.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.
- In the Name field, enter the name of the shared network.
- If necessary, in the Description field, enter a brief description of the shared network.
- Click Save in the upper part of the settings area.
- Configuring a virtual router (OS vRouter) in the network service template topology
To configure a virtual router in the topology:
- Click the virtual router.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.
- In the Name field, enter the name of the virtual router.
- If necessary, in the Description field, enter a brief description of the virtual router.
- To set the 'up' value for the operating state of the virtual router, select the Administrative state check box. This check box lets you manage the operating state of the router without having to delete and recreate it. When this check box is selected, the router can relay traffic. This check box is cleared by default.
- Click Save in the upper part of the settings area.
- Configuring a VLAN in the network service topology.
To configure a VLAN in the topology:
- Click the VLAN.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.
- In the Name field, enter the name of the VLAN.
- If necessary, in the Description field, enter a brief description of the VLAN.
- If necessary, use OpenStack DHCP to automatically assign IP addresses and configuration parameters to virtual machines:
- In the OpenStack DHCP drop-down list, select Enabled.
- In the CIDR field, enter the OpenStack IP address and subnet mask.
- In the Gateway field, enter the IP address of the gateway that routes traffic leaving the virtual network. This gateway connects the virtual network to external networks, such as the internet. The gateway address must be on the same subnet as the virtual machines and other network devices for them to communicate with each other.
- If you want to create a range of IP addresses, under Pools, click + Pool and in the fields that are displayed, enter the start and end values of the range. If a virtual machine requests an IP address, the DHCP server assigns an address from this range.
The range must belong to the same subnet as the gateway, virtual machines, and other network devices so that they can communicate with each other, and the size of the range must accommodate the number of virtual machines on the network. You can create multiple ranges or delete a range by clicking Delete next to it.
- If you want to add a DNS server, under DNS, click DNS, and enter the IP address of the server in the field that is displayed. The DNS server allows virtual machines to resolve domain names to IP addresses.
Information from the DNS server is sent to virtual machines via DHCP options, after which they can interact with devices on the virtual network, as well as gain access to the internet and other external networks using domain names instead of IP addresses. You can add multiple servers or delete a server by clicking Delete next to it.
- If you want to allow sharing of the network between different network services, select the Share network check box. This check box is cleared by default.
- If you need to segment the network into multiple VLANs, in the Segmentation ID field, enter the VLAN ID.
- Click Save in the upper part of the settings area.
- Configuring a VXLAN in the network service topology.
To configure a VXLAN in the topology:
- Click the VXLAN.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.
- In the Name field, enter the name of the VXLAN.
- If necessary, in the Description field, enter a brief description of the VXLAN.
- If necessary, use OpenStack DHCP to automatically assign IP addresses and configuration parameters to virtual machines:
- In the OpenStack DHCP drop-down list, select Enabled.
- In the CIDR field, enter the OpenStack IP address and subnet mask.
- In the Gateway field, enter the IP address of the gateway that routes traffic leaving the virtual network. This gateway connects the virtual network to external networks, such as the internet. The gateway address must be on the same subnet as the virtual machines and other network devices for them to communicate with each other.
- If you want to create a range of IP addresses, under Pools, click + Pool and in the fields that are displayed, enter the start and end values of the range. If a virtual machine requests an IP address, the DHCP server assigns an address from this range.
The range must belong to the same subnet as the gateway, virtual machines, and other network devices so that they can communicate with each other, and the size of the range must accommodate the number of virtual machines on the network. You can create multiple ranges or delete a range by clicking Delete next to it.
- If you want to add a DNS server, under DNS, click DNS, and enter the IP address of the server in the field that is displayed. The DNS server allows virtual machines to resolve domain names to IP addresses.
Information from the DNS server is sent to virtual machines via DHCP options, after which they can interact with devices on the virtual network, as well as gain access to the internet and other external networks using domain names instead of IP addresses. You can add multiple servers or delete a server by clicking Delete next to it.
- If you want to allow sharing of the network between different network services, select the Share network check box. This check box is cleared by default.
- If you need to segment the network into multiple VXLANs, in the Segmentation ID field, enter the VXLAN ID.
- Click Save in the upper part of the settings area.
- Configuring a flat network in the network service template topology.
To configure a flat network in the topology:
- Click the flat network.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.
- In the Name field, enter the name of the flat network.
- If necessary, in the Description field, enter a brief description of the flat network.
- If necessary, use OpenStack DHCP to automatically assign IP addresses and configuration parameters to virtual machines:
- In the OpenStack DHCP drop-down list, select Enabled.
- In the CIDR field, enter the OpenStack IP address and subnet mask.
- In the Gateway field, enter the IP address of the gateway that routes traffic leaving the virtual network. This gateway connects the virtual network to external networks, such as the internet. The gateway address must be on the same subnet as the virtual machines and other network devices for them to communicate with each other.
- If you want to create a range of IP addresses, under Pools, click + Pool and in the fields that are displayed, enter the start and end values of the range. If a virtual machine requests an IP address, the DHCP server assigns an address from this range.
The range must belong to the same subnet as the gateway, virtual machines, and other network devices so that they can communicate with each other, and the size of the range must accommodate the number of virtual machines on the network. You can create multiple ranges or delete a range by clicking Delete next to it.
- If you want to add a DNS server, under DNS, click DNS, and enter the IP address of the server in the field that is displayed. The DNS server allows virtual machines to resolve domain names to IP addresses.
Information from the DNS server is sent to virtual machines via DHCP options, after which they can interact with devices on the virtual network, as well as gain access to the internet and other external networks using domain names instead of IP addresses. You can add multiple servers or delete a server by clicking Delete next to it.
- If you want to allow sharing of the network between different network services, select the Share network check box. This check box is cleared by default.
- Click Save in the upper part of the settings area.
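The OpenStack DHCP settings used by the P2M, M2M, VLAN, VXLAN and flat network components must agree with each other: the gateway and every pool have to lie in the subnet given in the CIDR field, and the pools must be large enough for the virtual machines. The following added example (not part of the product or its API) is a pre-flight check you can run on planned values before typing them into the web interface. The function name, the problem codes and the sample addresses are hypothetical, and the checks for a gateway inside a pool and for overlapping pools are additions that follow from the same reasoning.

```python
import ipaddress


def check_dhcp_settings(cidr, gateway, pools, dns_servers=(), vm_count=0):
    """Return a list of (code, detail) problems; an empty list means consistent."""
    try:
        # strict=False accepts an address with a mask, as entered in the CIDR field.
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError as exc:
        return [("bad-cidr", str(exc))]
    problems = []

    # Gateway must be a host address on the same subnet as the virtual machines.
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        gw = None
        problems.append(("bad-gateway", str(exc)))
    if gw is not None and (gw not in net or gw in (net.network_address, net.broadcast_address)):
        problems.append(("gateway-outside-subnet", f"{gw} is not a host address in {net}"))

    # Each pool is a (start, end) pair, as entered under Pools.
    ranges = []
    for start, end in pools:
        try:
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        except ValueError as exc:
            problems.append(("bad-pool", str(exc)))
            continue
        if lo.version != hi.version or lo > hi:
            problems.append(("bad-pool", f"{start}-{end} is not an ascending range"))
            continue
        if lo not in net or hi not in net:
            problems.append(("pool-outside-subnet", f"{start}-{end} leaves {net}"))
            continue
        # A pool containing the gateway could lease the gateway's own address.
        if gw is not None and gw.version == lo.version and lo <= gw <= hi:
            problems.append(("gateway-in-pool", f"{gw} is inside {start}-{end}"))
        ranges.append((int(lo), int(hi)))

    # Overlapping pools would offer the same address twice.
    ranges.sort()
    for (lo1, hi1), (lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(("pools-overlap", "two pools share addresses"))

    # The pools together must accommodate the number of virtual machines.
    capacity = sum(hi - lo + 1 for lo, hi in ranges)
    if ranges and capacity < vm_count:
        problems.append(("pool-too-small", f"{capacity} addresses for {vm_count} virtual machines"))

    # DNS servers are entered as IP addresses.
    for server in dns_servers:
        try:
            ipaddress.ip_address(server)
        except ValueError as exc:
            problems.append(("bad-dns", str(exc)))
    return problems


# Constructed sample values (documentation address range 192.0.2.0/24).
SAMPLE = {
    "cidr": "192.0.2.0/24",
    "gateway": "192.0.2.1",
    "pools": [("192.0.2.10", "192.0.2.50")],
    "dns_servers": ["192.0.2.53"],
    "vm_count": 30,
}

if __name__ == "__main__":
    print(check_dhcp_settings(**SAMPLE) or "settings are consistent")
```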
- Configuring interfaces in the network service topology.
To configure an interface in the topology:
- Click the interface.
The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.
- In the Name field, enter the name of the interface.
- If necessary, in the Description field, enter a brief description of the interface.
- Click Save in the upper part of the settings area.