
Huawei SD-WAN Solution for Technical Training 2017Q1 V1.0


www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential


Agenda
• SD-WAN Overview
• SD-WAN Scenarios and Requirements
• Huawei SD-WAN Solution
  • SD-WAN Architecture
  • ZTD (Zero Touch Deployment)
  • Traffic Monitoring and Path Control
  • Routing in Mixed Scenarios
  • HA (High Availability), Security and WAN Acceleration
  • SD-WAN CPE Maintenance
• Using the SD-WAN System via the Web Portal
• Annex: Huawei SD-WAN Portal Introduction


Huawei SD-WAN/CloudVPN Solution Overview

Figure: Agile Controller (AC) on top of three layers: 1 Edge Cloud, 2 SD-WAN CPE, 3 SD-LAN (LAN equipment).

① SD-WAN is a subset of CloudVPN
• SD-WAN focuses on traffic optimization and ZTD
② The powerful traditional network functions of the CPE are the basis of business success
• Huawei CPE global shipments are ranked 2nd
③ Openness and evolution
• Supports Edge Cloud/VAS/VPC
• Supports SD-LAN evolution

SD-WAN is a simple solution for large-enterprise services in the initial phase of SDN/NFV, and it can easily be expanded to CloudVPN to provide more services and functions.


SD-WAN Value

Figure: SD-WAN Controller and SD-WAN GW connecting Branch 1, Branch 2 and HQ of an enterprise over MPLS/Internet to SD-WAN applications and services (cloud service, vPBX/vCC/vUC, IoT, Internet).

• E2E: connect everything on MPLS/Internet by SD-WAN
• E2E manageable network
• E2E controllable network
• E2E secure network


SD-WAN: E2E Manageable Network

Figure: SD-WAN Controller and SD-WAN GW with Branch 1, Branch 2 and HQ over MPLS/Internet.

Everything is visible
• Topology visualization
• Equipment visualization
• Link visualization
• Application visualization
• Alarm visualization
• ……
Everything is zero touch
• CPE deployment ZT
• Upgrading and patching ZT
• Troubleshooting ZT
• ……
We can provide more manageability functions according to SB requirements.


SD-WAN: E2E Controllable Network

Figure: SD-WAN Controller and SD-WAN GW with Branch 1, Branch 2 and HQ over MPLS/Internet.

Everything is set via the web portal
• Application path policy setting
• ACL setting
• WAN, LAN and WLAN setting
• ……
Everything is used on demand
• Bandwidth
• QoS
• Network functions
• ……
We can provide more control functions according to customer requirements.


SD-WAN: E2E Secure Network

Figure: SD-WAN Controller reaches the CPEs over SSH/SSL; each CPE runs ACL, URL filter, IPS, file filter and DDoS protection, and the CPEs are interconnected by IPSec VPN over MPLS/Internet.

E2E VPN security
• IPSec VPN
• IKEv2 + AES-256 encryption
Powerful NG (Next Generation) FW
• ACL
• URL filter
• IPS
• File filter
• DDoS
• Anti-Virus
• ……
We can provide more security functions according to customer requirements.


SD-WAN Evolution for Future (1/2)
--From SD-WAN smoothly expand to SD-LAN

Figure: Agile Controller Platform spanning DCN, WAN (SD-WAN) and SD-LAN; CPEs over MPLS/Internet in front of LAN/Campus networks.

• AC (Agile Controller) can provide the SD-WAN and SD-LAN solutions for the SP at the same time
• Evolution to an SD-Enterprise solution by Agile Controller in the future


SD-WAN Evolution for Future (2/2)
--From SD-WAN network to rich services

Figure (left): Cloud service based on SD-WAN: CPEs over MPLS/Internet reaching a Cloud DC.
Figure (right): Cross-national enterprise SD-WAN network: CPEs in Country X and China interconnected over MPLS/Internet.




Typical Scenarios of SD-WAN
• The operator provides the SD-WAN Controller for multiple enterprises.
• As a tenant of the Controller, each enterprise can manage all services and nodes within its domain.

Figure: Control Domain X (visible topology for Tenant X): Enterprise X Site1, Site2 and HQ/DC over MPLS and Internet. Control Domain Y (visible topology for Tenant Y): Enterprise Y Site1, Site2 and HQ/DC over MPLS. The operator's SD-WAN Controller has its own control domain.


Typical Service Topologies of SD-WAN

Figure: six service topologies, grouped by destination.
Site to Site:
• Full-mesh (HQ and branches)
• Hub-Spoke (HQ/DC as hub, branches as spokes)
• Layered (HQ as hub, sub-hubs, branches)
Site to DC:
• Direct to vDC/vPC (HQ/DC and branches each reach the VPC)
• Unified POP for vDC/vPC (branches and HQ/DC reach the VPC through a POP)
Site to Internet:
• Local Internet mode
• Global Internet mode


Typical Site Access Scenarios of SD-WAN

Figure: site topology (left) and hub site topology (right), with enterprise internal networks behind CPEs and WAN 1/WAN 2 links.

Site topology
1. Single link, single CPE
2. Dual links, single CPE
3. Dual links, dual CPEs

Hub site topology
1. Single HQ/DC (hub)
2. Dual HQ/DC (hubs): DC1 and DC2


Typical Site LAN Scenarios

Figure: seven site LAN scenarios (numbered 1-7) combining a single CPE or dual CPEs (dual CPEs with VRRP) with the LAN attachment variants: direct to hosts, direct to an L2 LSW, direct to an L3 LSW with static routing, and direct to an L3 LSW with dynamic routing.


Typical Site CPE Types

1. Standard CPE
2. Thick CPE
3. vCPE + uCPE
4. Thin CPE + vCPE

Figure: branches with a standard CPE, a thick CPE or a thin CPE connected over an L2/L3 leased line or the Internet; vCPE and VAS hosted in a POP or in the enterprise DC.


Typical Requirements 1/3

Figure: dual uplink: MPLS (guaranteed) and Internet (best effort) via PEs, plus wireless LTE.

• An overlay VPN can be built or changed on demand on two MPLS links
• The LTE link is used as a backup link


Typical Requirements 2/3

CPE Specification Understanding
1. The CPE supports multiple types of WAN interface
• Type A-1: FE*2 (WAN), GE*4 (LAN), LTE, WiFi
• Type A-2: GE*1 (WAN), GE*4 (LAN), LTE, WiFi
• Type B: GE*2 (WAN), GE*4 (LAN), GE*4 (LAN, optional), WiFi
2. The CPE supports F/W
• F/W (ACL, packet filter, ASPF), IPS, URL filter
3. The CPE supports NFV deployment in the future
• The CPE includes an X86 module
• 3rd-party applications can be deployed
4. CPE cost is very important

App Monitoring Understanding
1. The SD-WAN solution can identify apps
2. The SD-WAN solution can display traffic by tenant
• Traffic of each application
• Traffic of each link
• Traffic of each site
• Traffic proportion of applications
3. The SD-WAN solution can display quality by tenant
• Latency, loss and jitter per application
• Latency, loss and jitter per link

ASPF: application specific packet filter


Typical Requirements 3/3

App Control Understanding
1. The SD-WAN solution can set the QoS priority of apps
2. The SD-WAN solution can ensure the QoS of apps according to QoS priority within a link, for example
• When the bandwidth of the guaranteed MPLS link is not enough, low-priority apps are dropped or rate-limited
3. The SD-WAN solution can control which apps may access the WAN
• The SD-WAN solution provides F/W functions, for example ACL and URL filter
• A branch cannot access Youtube and Facebook, enforced by ACL or URL filter

App Redundancy Understanding
1. The SD-WAN solution can set the path policy of apps according to QoS priority, for example
• High-priority apps are carried on the guaranteed link
• Low-priority apps are carried on the broadband link
2. The SD-WAN solution can ensure the QoS of apps according to the quality of the link or of the apps between different sites, for example
• When the quality of the broadband link is bad, apps are switched over to the guaranteed MPLS link according to policy




Huawei SD-WAN Architecture

Figure: Agile Controller with SD-WAN portal managing the CPEs/vCPEs of Enterprise 1 (HQ, Branch 1, Branch 2, CPE hub, vCPE1) and Enterprise 2 (HQ, DC, Branch 1, CPE hub, vCPE2) over MPLS.

Architecture is simple
• Agile Controller with SD-WAN portal
• CPE/vCPE
Deployment is simple
• CPE ZTD
• Supports large-scale rapid deployment
Easy to evolve in the future
• Supports SD-LAN
• Supports VNF


All Interfaces Are Secured

Figure: Agile Controller and log server connected to the CPEs over six interfaces: ① SSH, ② SSL, ③ Netconf (Yang), ④ Http2.0 (ProtoBuffer), ⑤ CLI, ⑥ Syslog.

① SSH: for Netconf and CLI
② SSL: for Http2.0 and Syslog
③ Netconf (Yang): for SD-WAN configuration and alarm information collection
④ Http2.0 (ProtoBuffer): for collecting quality and traffic information of links and applications
⑤ CLI: for traditional or special configuration of the CPE
⑥ Syslog: for the system log and operation log of the CPE


Huawei SD-WAN Architecture

Figure: the Controller (Agile Controller with SD-WAN portal; tenant management, carrier management and BSS on top; equipment management, VPN management, monitor, path control, security policy and VNF-M inside) talks to the CPEs with Netconf + Yang model and Http2.0 + Protobuf. Site #1 (HQ/DC with CPEs), Site #2 (CPE) and Site #3 (vCPE AR1000v with VAS) are connected over MPLS and Internet.

Architecture is simple
• Agile Controller with SD-WAN portal
• CPE/vCPE
Deployment is simple
• CPE ZTD
• Supports large-scale rapid deployment
Easy to evolve in the future
• Supports SD-LAN
• Supports VNF




ZTD for Three Scenarios

Figure: Scenario 1: the carrier provides L2 MPLS to the enterprise (DHCP server at the HQ, DHCP relay at the PE). Scenario 2: the carrier provides L3 MPLS to the enterprise (carrier DHCP server, DHCP relay at the PE). Scenario 3: Internet only. In all three scenarios the Agile Controller sits on the Internet and Branch 1 and Branch 2 reach it through the PEs.

• The Agile Controller is deployed on the public Internet and belongs to the SP
• Generally, the CPE of the HQ is manually pre-configured


ZTD Process Overview

1. The CPE acquires its MPLS/Internet IP address
2. The CPE acquires the public IP address of the AC (via DHCP or Email)
3. The CPE registers on the AC
4. The AC sends the PPPoE configuration file to the CPE
5. The AC sends configurations and policies, including IPsec tunnel information, to the CPE
6. The overlay VPN is built on the MPLS/Internet links

After step 6, the internal network of the enterprise is fully connected and secured.


IP Address Configuration of CPE with ZTD

Figure: a branch CPE with LAN GE1/0/2 (192.168.1.1, LAN 192.168.1.0/24), MPLS GE1/0/0 (10.168.1.10, VPN tunnel 172.168.1.10) and Internet GE1/0/1 (10.128.1.10 over PPPoE, VPN tunnel 172.128.1.10), managed by the Agile Controller at 10.11.11.1.

The CPE needs IP addresses configured for
• LAN, WAN (MPLS, Internet), VPN tunnel (MPLS, Internet)
All IP addresses need unified planning and must not conflict.

IP address | Obtained by | Remark | Mode
LAN (enterprise) | DHCP server | The AC assigns the LAN-side IP address to the DHCP server | -
MPLS (enterprise) | DHCP server (L2 MPLS) | - | ZTD by DHCP
MPLS (carrier) | DHCP server (L3 MPLS) | - | ZTD by DHCP
MPLS | Set the IP address by logging in to the CPE | - | ZTD by Email
Internet | PPPoE | The AC sends the PPPoE configuration file to the CPE | ZTD by DHCP
Internet | PPPoE | Set the account and password by logging in to the CPE | ZTD by Email
VPN tunnel | Agile Controller | - | ZTD by DHCP
VPN tunnel | Agile Controller | - | ZTD by Email


ZTD Process by DHCP

Pre-configure on the DHCP server
• The enterprise is responsible for pre-configuring DHCP when L2 MPLS is used
• The carrier is responsible for pre-configuring DHCP when L3 MPLS is used
• MPLS IP address pool: 10.168.1.0/24
• AC IP address: 10.11.11.1
Pre-configure on the AC
• Account and password of the PPPoE file
• LTE configuration file
• CPE policy, for example app path policy
• ……

Figure: message sequence between CPE (Branch), DHCP server, AC (IP 10.11.11.1), Internet and CPE (HQ) (MPLS 10.168.1.1, Internet 10.128.1.1).
Step 1: power on, plug in the cable
1. DHCP request; the reply carries the MPLS port IP address (10.168.1.10) and the AC IP address (10.11.11.1)
2. The CPE registers to the AC with its ESN
3. The AC sends the configuration file (two-way authentication); the CPE reboots automatically
4. PPPoE: Internet port IP address 10.128.1.10
5. The AC configures the policy
6. Build the overlay VPN on the MPLS link (10.168.1.10)
7. Build the overlay VPN on the Internet link (10.128.1.10)


ZTD Process by Email

Pre-configure on the AC
• Email content, for example a configuration guide
• CPE policy, for example app path policy
• ……

Figure: message sequence between PC/mobile phone, CPE (Branch, management IP 192.168.0.11), AC (IP 10.11.11.1), Internet and CPE (HQ) (MPLS 10.168.1.1, Internet 10.128.1.1).
Step 1: send email
• The branch receives an email with a URL from the IT manager of the HQ
• URL: http://192.168.0.11/#AC=10.11.11.1&UserID=123&SiteID=456
Step 2: power on, plug in the cable, connect the PC/phone to the CPE
Step 3: click the URL, log in to the web portal of the CPE and configure the CPE, then click Active
• CPE web portal form: Network Type (MPLS / Internet); Address Type (DHCP / Static / PPPoE); Public IP Address 10.168.1.10; Subnet Mask 255.255.255.0; Gateway 192.168.1.1; buttons Active / Cancel
• The CPE registers to the AC with its ESN
• PPPoE: Internet port IP address 10.128.1.10
• The AC configures the policy
• Build the overlay VPN on the MPLS link (10.168.1.10)
• Build the overlay VPN on the Internet link (10.128.1.10)

If DHCP is chosen, the process is the same as ZTD by DHCP; the differences are:
• The DHCP server is not pre-configured; the AC IP address is brought by the URL
• The AC is not pre-configured; the account and password of PPPoE are configured via the CPE web portal


Overlay VPN: Flexible VPN Support

Figure: CPEs interconnected by an overlay VPN over MPLS, Internet and LTE links.

• Hybrid links: MPLS/Internet/LTE
• 2000+ branches supported, suitable for large enterprises
• Rich routing protocols supported: static routing/RIP/OSPF/ISIS/BGP
• Rich VPNs supported: GRE/IPSec/VxLAN/DSVPN

DSVPN: Dynamic Smart VPN


Overlay VPN--DSVPN

Figure: HQ with Branch1, Branch2 and Branch3 over MPLS/Internet: hub-spoke tunnels, spoke-spoke dynamic tunnels, IPSec.

Solution Overview
1. Flexible topology: hub-spoke and full mesh
2. Secure connection: secure, encrypted site-to-site communication using IPSec
3. VPN on demand: with the SDN controller, multi-homed connectivity is deployed on demand

Highlights
• Up to 2000 sites supported
• Supports static/BGP/OSPF/RIP routing protocols
• Supports DSVPN/IPSec


Auto Build Overlay VPN by DSVPN

Figure: Headquarters (public IP 10.168.1.10, VPN tunnel0 172.168.1.10) with Branch 1 (spoke; public IP 10.168.1.11, VPN tunnel0 172.168.1.11) and Branch 2 (spoke; public IP 10.168.1.12, VPN tunnel0 172.168.1.12). Layers: physical link, IPSec, mGRE VPN, NHRP, RIP/OSPF/BGP; NHRP flow and route learning between the spokes.

To auto build the VPN between branch and HQ
• When the physical IP of a branch changes, the VPN is rebuilt automatically
To build the VPN between branch and branch on demand
• Traffic from branch 1 to branch 2 triggers building a VPN between branch 1 and branch 2
• Flow is then forwarded directly between the branches
DSVPN supports RIP/OSPF/BGP for learning the host IP addresses between sites

• A branch registers to the HQ with its public IP address and VPN tunnel address using the NHRP protocol
• The HQ creates an NHRP peer table holding the relationship between public IP and VPN tunnel address

NHRP: Next Hop Resolution Protocol
DSVPN: Dynamic Smart VPN
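The registration and on-demand resolution just described, as an added example in Python (not Huawei's DSVPN code): a hub keeps the NHRP peer table, spokes register their public IP and tunnel IP, the first packet to another spoke is sent via the hub and triggers a resolution, and later packets use the dynamic spoke-spoke tunnel. The addresses are the ones on the slide; the 600 s holding time for a cached mapping and the hub rule of answering only registered spokes are assumptions.

```python
from typing import Dict, Optional, Tuple

HOLD_TIME_S = 600.0  # assumption: how long a spoke caches a resolved peer mapping


class NhrpHub:
    """NHRP server role of the HQ: keeps the NHRP peer table (VPN tunnel IP -> public IP).
    Registrations and resolutions are assumed to arrive over the IPSec-protected hub-spoke tunnel."""

    def __init__(self, public_ip: str, tunnel_ip: str) -> None:
        self.public_ip, self.tunnel_ip = public_ip, tunnel_ip
        self.peers: Dict[str, str] = {}

    def register(self, tunnel_ip: str, public_ip: str) -> None:
        """Registration request from a spoke; a re-registration overwrites a changed public IP."""
        self.peers[tunnel_ip] = public_ip

    def resolve(self, requester_tunnel_ip: str, target_tunnel_ip: str) -> Optional[str]:
        """Resolution request; answered only for spokes that are themselves registered (assumed)."""
        if requester_tunnel_ip not in self.peers:
            return None
        return self.peers.get(target_tunnel_ip)


class Spoke:
    """NHRP client role of a branch: a static hub-spoke tunnel plus spoke-spoke tunnels on demand."""

    def __init__(self, name: str, public_ip: str, tunnel_ip: str, hub: NhrpHub) -> None:
        self.name, self.public_ip, self.tunnel_ip, self.hub = name, public_ip, tunnel_ip, hub
        self.tunnels: Dict[str, Tuple[str, float]] = {}  # peer tunnel IP -> (public IP, expiry)
        self.register()

    def register(self) -> None:
        self.hub.register(self.tunnel_ip, self.public_ip)
        self.tunnels[self.hub.tunnel_ip] = (self.hub.public_ip, float("inf"))  # hub entry never ages

    def change_public_ip(self, new_public_ip: str) -> None:
        """A changed physical IP triggers re-registration, so the hub-spoke VPN rebuilds itself."""
        self.public_ip = new_public_ip
        self.register()

    def forward(self, dst_tunnel_ip: str, now: float) -> Tuple[str, str]:
        """Return (path, next-hop public IP) for a packet to another site's tunnel address.
        The first packet to an unknown spoke goes via the hub and triggers NHRP resolution;
        once resolved, later packets use the dynamic spoke-spoke tunnel until the entry expires."""
        cached = self.tunnels.get(dst_tunnel_ip)
        if cached and cached[1] > now:
            return "direct", cached[0]
        public = self.hub.resolve(self.tunnel_ip, dst_tunnel_ip)
        if public is not None:
            self.tunnels[dst_tunnel_ip] = (public, now + HOLD_TIME_S)
        return "hub", self.hub.public_ip


def demo() -> Tuple[Tuple[str, str], Tuple[str, str], Tuple[str, str], str, Tuple[str, str]]:
    """Addresses from the slide: HQ 10.168.1.10/172.168.1.10, Branch 1 ...11, Branch 2 ...12."""
    hq = NhrpHub("10.168.1.10", "172.168.1.10")
    b1 = Spoke("Branch 1", "10.168.1.11", "172.168.1.11", hq)
    b2 = Spoke("Branch 2", "10.168.1.12", "172.168.1.12", hq)
    first = b1.forward("172.168.1.12", now=1.0)    # via hub, resolution triggered
    second = b1.forward("172.168.1.12", now=2.0)   # direct spoke-spoke tunnel
    b2.change_public_ip("10.168.1.22")             # Branch 2 moves; hub table updated
    stale = b1.forward("172.168.1.12", now=4.0)    # Branch 1 still uses its cached mapping
    b1.forward("172.168.1.12", now=700.0)          # cache expired: via hub, re-resolved
    fresh = b1.forward("172.168.1.12", now=701.0)  # direct again, to the new public IP
    return first, second, stale, hq.peers["172.168.1.12"], fresh
```

The `stale` step shows why a cached NHRP mapping needs a bounded holding time: until the entry expires, Branch 1 keeps sending spoke-to-spoke traffic to Branch 2's old public IP.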




Service Awareness (DPI) | Policy Setting | App Traffic Monitor | App Path Control

AR DPI Architecture
Huawei's DPI technology is named SA (Service Awareness).

Figure: inside the AR, IP-Forward with its Flow Table hands unknown traffic to the SA engine (with SDB*); services (App Traffic Monitor, App Path Control, App QoS) are handled based on the application ID. Steps ① to ⑤ as below.

① IP-Forward receives a traffic flow, then looks up the application ID in the flow table by 5-tuple
• If the flow table holds an application ID, IP-Forward directly forwards the flow with that application ID; go to step ⑤
• If there is no application ID, go to step ②
② IP-Forward forwards the flow to SA
③ The SA engine identifies the application or protocol according to the SDB
• Generates the application ID
• Returns the flow to IP-Forward
④ IP-Forward records the application ID with the 5-tuple in the flow table
⑤ IP-Forward forwards the flow with the application ID

The SDB is the signature database; it records the signatures of protocols and applications.
The flow table records identified applications by application ID according to 5-tuple.
• The aging time of the flow table is 60 s
*SDB: Signature DB


SDB Includes Application Category and Application List Database

Figure: application categories 1 Business Systems, 2 Entertainment, 3 General Internet and 4 Network Infrastructure, with sub-categories such as Data Backup, Electronic Business, Email, Enterprise Application, Finance, Remote Access, Utility, Game, IM, Media Sharing, PeerCasting, Social Networking, VoIP, Web Video, AppDownload, File Sharing, General, Other, Search_Engines, Web_Browsing, Cloud Service, Proxy, Encrypted_Tunnel, IP Protocol and Network Admin; and 5 the application list (General_UDP, General_TCP, FileShare_P2P, IM_File_Transfer, Network_Shorage, ……). Includes 1600+ applications.

• Huawei provides the SDB and updates it weekly
• Customers can get the latest SDB from http://sec.huawei.com/sec/web/index.do#
• The CPE can upgrade the SDB without interrupting service
• Customers can define their own applications and update them to the CPE without interrupting service
• Customers can also send application identification requirements to Huawei, and Huawei updates the SDB


SA Technology (1): Identify Process

Figure: SA identify process: Flow → ① identify sub-protocol → ② identify protocol (identify flow format) → ③ identify application.

① Identify the sub-protocol
② Identify the protocol according to the sub-protocol
③ Identify the application according to the protocol


SA Technology (2): Identify Method

1. Port-based
• Match well-known ports
Example: HTTPS: 443, SMTP: 25, HTTP: 80

2. Dynamic signature-based identification - PCREX
• Single and multi-pattern matching
• Multi-packet matching
Example: Fassert((%PAYLOAD_LEN% >= ^.{4} )

3. DNS relation
• Parse DNS packets to get the mapping of host name to IP address. A flow is identified when its IP matches the mapping table.
Example: Facebook, Youtube

4. Arithmetical identification
• Three consecutive packets in the same direction present arithmetical logic at the same position
Example: RTP, RTCP

5. Static signature-based identification
• Single and multi-pattern matching
• Regex matching
• Multi-packet matching
Example: Webmail, Yahoo protocol: content "mail.yahoo.com" (shown on an HTTP GET /Index.htm HTTP/1.1 request with IP header, HTTP header and Host: www.huawei.com)

6. Association identification
• Identify a media flow by key information from its control flow
• Identification based on another flow's identification (peer list)
Example: SIP, FTP

7. Behavioral analysis
• Based on multi-packet correlation
• Packet-based statistics, inter-packet times, multi-flow analysis
Example: Skype, Qvod

• All methods are combined to achieve high SA accuracy.


Example 1: BitTorrent, Signature + Association

Figure: seed publisher, tracker server, resource publisher and download users Peter and Alex: 1. download torrent file, 2. control flow to the tracker, 3. resource download, 4. resource exchange (data flow).

① Identify the control flow by the signature-based method. Get the resource publisher's IP & port and cache it.
② If a data flow's destination IP & port matches the cached entry, it can be considered "BitTorrent"; this is called "association identification".


Example 2: Facebook HTTPS Traffic, Static Signature + DNS Relation

Figure: the DNS server answers the Facebook client's DNS flow (Facebook.com → 23.173.52.88); the HTTPS flow to 23.173.52.88 is identified as L7: HTTPS and L7+: Facebook.

• The SA of the CPE creates an IP-app table
  • 23.173.52.88 → Facebook
  • 10.11.11.1 → Youtube
  • …
1. Static signature method
2. DNS relation method
SNI: Server Name Indication


Example 3: How to Identify SSL/TLS Web Applications without Decryption

The CPE analyses the ClientHello or ServerHello of HTTPS/SSL; if it carries the SNI, the CPE can identify the application.


SSL/TLS Web Application Identification without Decryption

Figure: web applications by technology category (HTTPS/SSL, HTTP, STUN, ICY, RTMP, HTTP_Proxy, Unassigned) and by application category (Web application, Browser-based, Client-server, Networking, Peer-to-peer); 660 web application items, of which 136 items bear HTTPS/SSL, e.g. Amazon, AmazonS3, AppleiCloud, AppleMap, NS_Namipan_Common, eBay, AdobeFlashPlayer, Facebook, google, Google_Docs, Sky_Now_TV, Itunes, Twitter, TaoBao, Yahoo_Common, Youtube, ……

• Some web applications bearing HTTPS/SSL can be identified by the AR without decryption
• Huawei's AR can NOT decrypt HTTPS/SSL flows
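An added example in Python (not Huawei's SA code) covering the AR DPI architecture slide and Examples 2 and 3 above: a 5-tuple flow table with the page's 60 s aging time in front of an identification engine that uses the port-based method, the DNS-relation method (IP-app table learnt from DNS answers) and the SNI of a TLS ClientHello, read from the clear-text handshake without decrypting anything. The ClientHello builder, the small signature list and the refresh-on-hit aging are assumptions made for the demo.

```python
import struct
from typing import Dict, Optional, Tuple

FLOW_AGING_S = 60.0  # flow-table aging time stated on the page
FiveTuple = Tuple[str, int, str, int, int]  # (src_ip, src_port, dst_ip, dst_port, proto)
WELL_KNOWN_PORTS = {80: "HTTP", 25: "SMTP", 443: "HTTPS"}  # port-based method
# Static signatures, host-name suffix -> application (constructed for the demo, not the real SDB)
HOST_SIGNATURES = {"facebook.com": "Facebook", "youtube.com": "Youtube", "mail.yahoo.com": "Webmail"}


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (sample input)."""
    name = host.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32          # client_version, random (zeros in the sample)
            + b"\x00"                           # session_id length 0
            + b"\x00\x02\xc0\x2f"               # one cipher suite
            + b"\x01\x00"                       # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if absent or malformed.
    Only the clear-text handshake framing is read; nothing is decrypted."""
    if len(record) < 5 or record[0] != 0x16:  # not a handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:  # not a ClientHello
        return None
    try:
        p = 4 + 2 + 32                                    # header, version, random
        p += 1 + hs[p]                                    # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
        p += 1 + hs[p]                                    # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                                # server_name extension
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
                name = hs[p + 5:p + 5 + nlen]
                return name.decode("ascii") if len(name) == nlen else None
            p += elen
    except (struct.error, IndexError, UnicodeDecodeError):
        return None
    return None


def app_for_host(host: str) -> Optional[str]:
    """Static-signature match on a host name (exact match or sub-domain)."""
    return next((a for s, a in HOST_SIGNATURES.items() if host == s or host.endswith("." + s)), None)


class SAEngine:
    """Service Awareness engine: SNI signature first, then DNS relation, then port-based."""
    def __init__(self) -> None:
        self.ip_app_table: Dict[str, str] = {}  # DNS relation: resolved IP -> application

    def learn_dns(self, name: str, ip: str) -> None:
        """DNS-relation method: remember which application a resolved IP belongs to."""
        app = app_for_host(name)
        if app:
            self.ip_app_table[ip] = app

    def identify(self, flow: FiveTuple, payload: bytes) -> str:
        sni = parse_sni(payload)
        app = app_for_host(sni) if sni else None
        if app:
            return app
        if flow[2] in self.ip_app_table:
            return self.ip_app_table[flow[2]]
        return WELL_KNOWN_PORTS.get(flow[3], "Unknown")


class FlowTable:
    """IP-Forward side: 5-tuple -> (application, last seen); a miss hands the flow to SA."""
    def __init__(self, engine: SAEngine) -> None:
        self.engine, self.engine_calls = engine, 0
        self.entries: Dict[FiveTuple, Tuple[str, float]] = {}

    def classify(self, flow: FiveTuple, payload: bytes, now: float) -> str:
        entry = self.entries.get(flow)
        if entry and now - entry[1] <= FLOW_AGING_S:  # step 1: table hit, engine skipped
            self.entries[flow] = (entry[0], now)      # assumption: aging counts idle time
            return entry[0]
        self.engine_calls += 1                        # steps 2-3: SA identifies the flow
        app = self.engine.identify(flow, payload)
        self.entries[flow] = (app, now)               # step 4: record app ID with the 5-tuple
        return app                                    # step 5: forward with the app ID


def demo() -> Tuple[str, str, str, int]:
    """Constructed traffic: a DNS answer, then a ClientHello, a data record and an idle-aged flow."""
    table = FlowTable(SAEngine())
    table.engine.learn_dns("facebook.com", "23.173.52.88")  # DNS flow from the slide
    flow = ("192.168.1.10", 51234, "23.173.52.88", 443, 6)
    first = table.classify(flow, build_client_hello("www.facebook.com"), now=0.0)
    later = table.classify(flow, b"\x17\x03\x03\x00\x10" + b"\x00" * 16, now=30.0)
    aged = table.classify(flow, b"", now=200.0)  # idle > 60 s: re-identified via DNS relation
    return first, later, aged, table.engine_calls
```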


DPI and Policy Working Principle

Figure: the SDB app description (part of the signature DB: Key1 application catalog, Key2 application name, Key3 application ID) is loaded into the AC; the AC issues a policy with the application name to the AR; on the AR the control plane (policy configuration + SDB app description) builds a policy table keyed by application ID in the forwarding plane, which matches flows carrying an application ID.

1. The SDB app description is loaded into the AC
2. The AC issues the policy with the app name to the AR
3. The AR creates the policy table according to the policy configuration


Example: Application Path Control Using SA Technology

Figure: smart-policy-route: Link A (MPLS, NQA A) and Link B (NQA B) form Link Group A and Link Group B; an ACL xxxx or a Service Map A (application ID) classifies the traffic; a threshold, a primary link group and a second link group are set.

① Define link groups; each link gets its performance from an NQA test instance
② Define an ACL and app name to classify the traffic according to 5-tuple and application ID
③ Define delay, jitter and packet loss thresholds for the selected ACL or application
④⑤ Set the primary link group and the second link group for the ACL or application
• The dimension of a Service Map is an application, an application type or an application group


Huawei SD-WAN Monitor Solution Overview

Figure: the CPEs report to the Agile Controller over Http2.0 (ProtoBuffer); each CPE runs NQA (link quality), DPI + Netstream (application traffic) and IPFPM (application quality).

Link Quality Monitor
• NQA is used
• Latency, loss and jitter of each link per site
Application Traffic Monitor
• Netstream is used
• Bandwidth per application
Application Quality Monitor
• ART/IPFPM is used
• Latency, loss and jitter per application

• Quick detection, about 1 s, with accurate data
• No impact on service
• Mass applications: about 1600+
• Information is reported to the Agile Controller over HTTP2.0 with Protobuffer
  • Good performance for big networks
  • No SNMP
• The Agile Controller can provide integrated quality indexes
  • MOS of voice, VMOS of video, AQM of application, LQM of link

NQA: Network Quality Analysis
IP FPM: Flow Performance Measurement Framework


Link Quality Monitor: NQA

Figure: Agile Controller; NQA clients on CPE (Branch 1) and CPE (Branch 2) send NQA packets to the NQA server on CPE (HQ).

• Source CPE A periodically sends an NQA packet (150 bytes) with timestamps (TA1/TB1) to destination CPE B
• Destination CPE B receives the NQA packet, then returns an NQA packet with timestamps (TA2/TB2) to source CPE A
• Source CPE A calculates
  • Latency: TA2-TA1, TB2-TB1
  • Jitter: (TA2-TA1)-(TB2-TB1)
  • Loss ratio
• The bandwidth occupied by NQA packets is very small, about 7 kbps
• NQA can check link quality quickly, within 1 s
NQA: Network Quality Analysis


Application Traffic Monitor: Netstream

Figure: CPE (Branch 1), CPE (Branch 2) and CPE (HQ) run DPI + Netstream and report per-application statistics (e.g. a Facebook flow) to the Agile Controller over Http2.0 (ProtoBuffer).

1. Netstream supports 1:1 flow sampling
2. Netstream is similar to Netflow, C-flow and J-flow
• DPI can identify 1600+ applications
• Better information: traffic accuracy is improved by 1:1 flow sampling
• No additional hardware


Application Quality Monitor: IP FPM

Figure: CPE (Branch, DPI + DCP) and CPE (HQ, DPI + DCP + MCP) over the Internet; flows are dyed (coloured) for measurement; the HQ CPE reports latency, loss and jitter per application to the Agile Controller over http2.0.

• The DCP of the CPE measures application quality based on real flows
  • Latency, loss and jitter
• The MCP of the CPE (HQ) reports quality data per application per link to the Agile Controller
  • Latency, loss and jitter per application
• IPFPM is an IETF proposal by Huawei: draft-chen-ippm-coloring-based-ipfpm-framework-01
• Passive monitoring of each flow
• No additional traffic, no effect on the network
• Flexible detection methods
  • Application-based and IP-5-tuple-based
• IP FPM can check application quality quickly, within 1 s
DCP: Data Collecting Point
MCP: Measurement Control Point
IP FPM: Flow Performance Measurement Framework


Application Path Control based on QoS Priority

Figure: the Agile Controller issues the path control policy; HQ 192.168.0.0/24 with Hub1 and Hub2, Site1 192.168.1.0/24 with Spoke1; VoIP is carried on MPLS and Email on Internet.

Path control policy
Priority | Application | Primary Link | Second Link
10 | VoIP | MPLS | Internet
5 | Email | Internet | MPLS


Application Path Control based on Link Quality

Figure: the Agile Controller issues the path control policy; HQ 192.168.0.0/24 with Hub1 and Hub2, Site1 192.168.1.0/24 with Spoke1; when the Internet link shows packet loss >10% and latency >300 ms, Video switches over from Internet to MPLS while VoIP and Email keep their links.

Path control policy
Priority | Application | Primary Link | Second Link | Traffic Path Policy
10 | VoIP | MPLS | Internet | -
5 | Video | Internet | MPLS (threshold: packet loss >10% & latency >300 ms) | When packet loss of Internet >10% & latency >300 ms, steer traffic to MPLS

• An application switches link within 1 s
• When the bandwidth of MPLS is not enough, the application is QoS controlled
  • CAR, shaping, scheduling
• When the Internet link quality is restored, the application switches back to the Internet link


Application Path Control based on Application Quality

Figure: the Agile Controller issues the path control policy; HQ 192.168.0.0/24 with Hub1 and Hub2, Site1 192.168.1.0/24 with Spoke1; when the measured application performance of Video degrades (packet loss >10%, latency >300 ms), Video switches over from Internet to MPLS while VoIP and Email keep their links.

Path control policy
Priority | Application | Primary Link | Second Link | Traffic Path Policy
10 | VoIP | MPLS | Internet | -
5 | Video | Internet | MPLS | When packet loss of Video >10% & latency of Video >200 ms, steer traffic to MPLS VPN; when packet loss of Internet <5% & latency <100 ms, steer traffic back to Internet

• An application switches link within 1 s
• When the bandwidth of MPLS is not enough, the application is QoS controlled
  • CAR, shaping, scheduling
• When the Internet link quality is restored, the application switches back to the Internet link


Application Path Control based on High Reliability

Figure: the Agile Controller issues the path control policy; HQ 192.168.0.0/24 with Hub1 and Hub2, Site1 192.168.1.0/24 with Spoke1 over MPLS/Internet and LTE; on a fault of MPLS and Internet, VoIP and Video switch over to LTE.

Path control policy
Priority | Application | Primary Link | Second Link | Backup Link
10 | VoIP | MPLS VPN | Internet | LTE
5 | Video | Internet | MPLS VPN | LTE

• When there is a fault on MPLS, traffic is automatically steered to the Internet WAN link
• When both MPLS and Internet are faulty, traffic is automatically steered to the LTE link (if LTE is present; LTE is kept in connected state for fast switching)
• Traffic switches link within 1 s
• When MPLS and Internet are restored, traffic is automatically switched back to MPLS or Internet according to the QoS priority policy
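An added example in Python (not Huawei's code) tying together the NQA slide and the three path control slides above: `measure` turns a window of NQA probe timestamps into latency, jitter and loss, and `PathController` applies the policy rows from the slides with the stated switch thresholds (loss >10% and latency >300 ms), the stated restore thresholds (loss <5% and latency <100 ms) as hysteresis, and LTE as the backup when both WAN links are down. The reading of the slide's formulas as round-trip delay minus the responder's dwell time, and jitter as the mean change between successive delays, is an assumption, as is the decision to leave a link only on its hard failure once traffic sits on the second link.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Probe:
    """One NQA round trip (ms): TA1 sent by A, TB1 received by B, TB2 sent back by B,
    TA2 received by A; lost=True when no reply came back within the period."""
    ta1: float = 0.0
    tb1: float = 0.0
    tb2: float = 0.0
    ta2: float = 0.0
    lost: bool = False


@dataclass
class LinkQuality:
    latency_ms: float  # mean round-trip delay over the window
    jitter_ms: float   # mean absolute change between successive delays
    loss: float        # lost probes / probes sent
    up: bool           # False when every probe in the window was lost


def measure(probes: List[Probe]) -> LinkQuality:
    """Source-side calculation over one window. Assumption about the slide's formulas:
    delay = (TA2-TA1) - (TB2-TB1) removes B's dwell time; jitter = mean |d[i] - d[i-1]|."""
    delays = [(p.ta2 - p.ta1) - (p.tb2 - p.tb1) for p in probes if not p.lost]
    lost = sum(1 for p in probes if p.lost)
    if not delays:
        return LinkQuality(float("inf"), float("inf"), 1.0, False)
    diffs = [abs(a - b) for a, b in zip(delays[1:], delays)]
    return LinkQuality(sum(delays) / len(delays), sum(diffs) / len(diffs) if diffs else 0.0,
                       lost / len(probes), True)


@dataclass
class PathPolicy:
    """One row of the path control policy tables, with the slides' thresholds as defaults."""
    app: str
    priority: int
    primary: str
    second: str
    backup: Optional[str] = None
    switch_loss: float = 0.10          # leave the primary when loss > 10% and ...
    switch_latency_ms: float = 300.0   # ... latency > 300 ms
    restore_loss: float = 0.05         # return to the primary when loss < 5% and ...
    restore_latency_ms: float = 100.0  # ... latency < 100 ms (hysteresis, no flapping)


class PathController:
    """Per-application link selection: quality switchover with hysteresis, then
    failure fallback to the second link and finally to the LTE backup link."""

    def __init__(self, policies: List[PathPolicy]) -> None:
        self.policies = {p.app: p for p in policies}
        self.current: Dict[str, str] = {p.app: p.primary for p in policies}

    @staticmethod
    def degraded(q: LinkQuality, pol: PathPolicy) -> bool:
        return not q.up or (q.loss > pol.switch_loss and q.latency_ms > pol.switch_latency_ms)

    @staticmethod
    def restored(q: LinkQuality, pol: PathPolicy) -> bool:
        return q.up and q.loss < pol.restore_loss and q.latency_ms < pol.restore_latency_ms

    def select(self, app: str, links: Dict[str, LinkQuality]) -> str:
        pol, cur = self.policies[app], self.current[app]
        prim, sec = links[pol.primary], links[pol.second]
        nxt: Optional[str] = cur
        if cur == pol.primary and self.degraded(prim, pol):
            nxt = pol.second if sec.up else pol.backup
        elif cur == pol.second:
            if self.restored(prim, pol):
                nxt = pol.primary
            elif not sec.up:
                nxt = pol.primary if prim.up else pol.backup
        elif cur == pol.backup:
            if self.restored(prim, pol):
                nxt = pol.primary
            elif sec.up and not self.degraded(sec, pol):
                nxt = pol.second
        if nxt is None or nxt not in links or not links[nxt].up:  # nothing better: stay put
            nxt = cur
        self.current[app] = nxt
        return nxt


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario with the policy rows from the slides (VoIP: MPLS > Internet > LTE,
    Video: Internet > MPLS > LTE). Returns the (VoIP, Video) links after each window."""
    ctl = PathController([PathPolicy("VoIP", 10, "MPLS", "Internet", "LTE"),
                          PathPolicy("Video", 5, "Internet", "MPLS", "LTE")])
    good, lte = LinkQuality(40, 2, 0.0, True), LinkQuality(90, 10, 0.01, True)
    down = LinkQuality(float("inf"), float("inf"), 1.0, False)
    windows = [
        {"MPLS": good, "Internet": good, "LTE": lte},                               # healthy
        {"MPLS": good, "Internet": LinkQuality(350, 40, 0.12, True), "LTE": lte},  # Internet bad
        {"MPLS": good, "Internet": LinkQuality(150, 20, 0.06, True), "LTE": lte},  # better, not restored
        {"MPLS": good, "Internet": good, "LTE": lte},                               # restored
        {"MPLS": down, "Internet": down, "LTE": lte},                               # both WAN links down
        {"MPLS": good, "Internet": good, "LTE": lte},                               # WAN links back
    ]
    return [(ctl.select("VoIP", w), ctl.select("Video", w)) for w in windows]
```

The third window is the point of the restore thresholds: Internet is already better than the switch threshold, but Video stays on MPLS until loss drops below 5% and latency below 100 ms, so a link hovering around the threshold cannot flap traffic back and forth.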




SD-WAN Deployment Network Scenarios

Figure: Enterprise A (HQ, Branch 1, Branch 2) and Enterprise B (Branch 3) with T-CPEs and S-CPEs attached via PEs to MPLS (best effort), MPLS (guarantee) and the Internet; an SD-WAN Hub in a Cloud DC (VRF) reaches AWS/Microsoft Azure/Office 365/vCloud Air/White Cloud; paths lead to the carrier cloud service and to the Internet export; sites are interconnected with each other.

• Sites are directly interconnected
• SD-WAN and traditional networks coexist
• Flexible Internet gateway
• SD-WAN Hub for multi-enterprise access to cloud services
T-CPE: Traditional CPE
S-CPE: SD-WAN CPE


Routing Learning Method (1/3): Static Routing

Figure: Agile Controller; SD-WAN Hub (S-CPE) in the Cloud DC with public IP eth0 10.10.10.1, eth1 10.10.11.1, tunnel IPs 172.168.10.1 and 172.168.11.1, and the cloud service 10.10.1.1 in a VRF; MPLS with PE1 to PE7; T-CPE (public IP 10.168.10.1, LAN 168.10.10.1), S-CPE1 (Eth0 10.168.10.2, Eth1 10.168.11.2, tunnel IP1 172.168.10.11, IP2 172.168.11.11, LAN 168.10.11.1), S-CPE2 (Eth0 10.168.10.3, Eth1 10.168.11.3, tunnel IP1 172.168.10.12, IP2 172.168.11.12, LAN 168.10.12.1).

S-CPE1 (example)
Path | Type | Destination | Hop | By
T-CPE | Underlay | 168.10.10.* | Eth0: 10.168.10.1 | Manual
T-CPE | Underlay | 168.10.10.* | Eth1: 10.168.10.1 | Manual
S-CPE2 | Overlay | 168.10.12.1 | 172.168.10.12 | AC
S-CPE2 | Overlay | 168.10.12.1 | 172.168.11.12 | AC
Cloud Service | Overlay | 10.10.1.1 | 172.168.10.1 | AC
Cloud Service | Overlay | 10.10.1.1 | 172.168.11.1 | AC

T-CPE (example)
Path | Type | Destination | Hop | By
S-CPE1 | Underlay | 168.10.11.* | 10.168.10.2 | Manual
S-CPE1 | Underlay | 168.10.11.* | 10.168.11.2 | Manual
Cloud Service | Underlay | 10.10.1.1 | 10.10.10.1 | Manual
Cloud Service | Underlay | 10.10.1.1 | 10.10.11.1 | Manual

SD-WAN Hub (example)
Path | Type | Destination | Hop | By
S-CPE1 | Overlay | 168.10.11.* | 172.168.10.11 | AC
S-CPE1 | Overlay | 168.10.11.* | 172.168.11.11 | AC
T-CPE | Underlay | 168.10.10.* | Eth0: 10.168.10.1 | Manual
T-CPE | Underlay | 168.10.10.* | Eth1: 10.168.10.1 | Manual
Public IP | - | 10.10.1.1 | XXXXX | AC


Routing Learning Method (2/3): BGP

Figure: the same topology as on the static routing slide (Agile Controller; SD-WAN Hub with public IPs 10.10.10.1/10.10.11.1 and tunnel IPs 172.168.10.1/172.168.11.1; PE1 to PE7; T-CPE 10.168.10.1; S-CPE1 Eth0 10.168.10.2/Eth1 10.168.11.2, tunnel 172.168.10.11/172.168.11.11; S-CPE2 Eth0 10.168.10.3/Eth1 10.168.11.3, tunnel 172.168.10.12/172.168.11.12; LANs 168.10.10.1, 168.10.11.1, 168.10.12.1).

Type | BGP peers | BGP configuration
Underlay | S-CPE1 <-> PE4, S-CPE1 <-> PE5 | Manual or AC
Underlay | S-CPE2 <-> PE6, S-CPE2 <-> PE7 | Manual or AC
Underlay | T-CPE <-> PE3 | Manual
Underlay | SD-WAN Hub <-> PE1 | Manual or AC
Underlay | SD-WAN Hub <-> PE2 | Manual or AC
Underlay | PE <-> PE | -
Overlay | 172.168.10.11 <-> 172.168.10.1 | AC
Overlay | 172.168.11.11 <-> 172.168.11.1 | AC
Overlay | 172.168.10.12 <-> 172.168.10.1 | AC
Overlay | 172.168.11.12 <-> 172.168.11.1 | AC

• If the AC automatically configures BGP for the underlay network, the PE information must be configured in the AC
• If all CPEs run BGP with each other, the number of BGP peers becomes very large


Routing Learning Method (3/3): BGP and RR

[Figure: RR (SD-WAN Hub) for the overlay, and RR (PE) behind PE1 for the underlay; PE2-PE5 attach S-CPE1, S-CPE2, T-CPE1 and T-CPE2. Overlay BGP peers run between each S-CPE and the Hub RR; underlay BGP peers run between each PE and the PE RR; the crossed-out CPE-to-CPE peering is no longer needed.]

| Type     | BGP peers (CPE side)     | BGP peers (PE side) | BGP configuration |
| Underlay | S-CPE1 - PE2             | PE - RR             | Manual or AC      |
|          | S-CPE2 - PE3             |                     | Manual or AC      |
|          | T-CPE1 - PE4             |                     | Manual            |
|          | T-CPE2 - PE5             |                     | Manual            |
|          | SD-WAN Hub - PE          |                     | Manual or AC      |
| Overlay  | S-CPE1 - RR (SD-WAN Hub) | -                   | AC                |
|          | S-CPE2 - RR (SD-WAN Hub) | -                   | AC                |

 The solution introduces an RR (Route Reflector)
 All S-CPEs build a BGP peering directly with the RR (SD-WAN Hub)
 All PEs build a BGP peering directly with the RR (PE)
 The SD-WAN Hub acts as the overlay RR, or a stand-alone device is introduced as RR


Decoupled Underlay and Overlay by SD-WAN Hub

[Figure: Agile Controller; SD-WAN Hub (public IP eth0: 10.10.10.1, eth1: 10.10.11.1; tunnel IP1: 172.168.10.1, IP2: 172.168.11.1) joined to the MPLS underlay network on one side and to the overlay network on the other; T-CPE1 (public IP 10.168.10.1, LAN 168.10.10.1) sits in the underlay; S-CPE1 (eth0: 10.168.10.2, eth1: 10.168.11.2; tunnel IP1: 172.168.10.11, IP2: 172.168.11.11; LAN 168.11.11.1) sits in the overlay.]

 The S-CPE does not need any underlay routing configuration
 The Agile Controller does not need any underlay network configuration
 The T-CPE does not need any overlay routing configuration
 Building a new SD-WAN network does not affect the existing underlay network
 The SD-WAN Hub is the only device that connects the underlay and the overlay: each side only needs an aggregate route towards the Hub

S-CPE1 -> T-CPE1 routing configuration
| Path   | Type    | Destination | Next hop     |
| T-CPE1 | Overlay | 168.10.*.*  | 172.168.10.1 |
|        |         | 168.10.*.*  | 172.168.11.1 |

T-CPE1 -> S-CPE1 routing configuration
| Path   | Type     | Destination | Next hop   |
| S-CPE1 | Underlay | 168.11.*.*  | 10.10.10.1 |
|        |          | 168.11.*.*  | 10.10.11.1 |

Question: where will the SD-WAN Hub be deployed? HQ?


Summary

 If underlay and overlay are not decoupled, an S-CPE that interconnects with a T-CPE has to be operated like a T-CPE
  AC cannot configure the T-CPE (underlay network) or the underlay part of the S-CPE
  A change on the S-CPE or on the T-CPE affects the other side

 If underlay and overlay are decoupled, the network topology is much simpler
  A change on the S-CPE or on the T-CPE does not affect the other side

 Huawei SD-WAN solution supports
  Hub-Spoke
  Full-mesh
   Site to site direct interconnection
   Site to Hub direct interconnection
   SD-WAN site to traditional site, directly or through the SD-WAN Hub
  Variable topology (manual)


Routing: Overlay and Underlay Interconnection (1/2)

[Figure: Hub or HQ (168.10.10.0/24) with a traditional CPE and an SD-WAN CPE; the SD-WAN CPE holds VRF1 (underlay) and VRF0 (default, overlay). Branch 1 (172.10.10.0/24) has a traditional CPE; Branch 2 (168.10.11.0/24) has an SD-WAN CPE with the same two VRFs. Overlay VPN tunnels run between the VRF0 instances.]

① Create a VRF in each SD-WAN CPE
  VRF0 (default) for the overlay network
  VRF1 for the underlay network
② Configure a static IP policy (static routes) between VRF0 and VRF1 in the SD-WAN CPE
  Without the static policy between VRF0 and VRF1 in the branch SD-WAN CPE, traffic to the traditional site follows the red path in the figure; with it, the blue path
  The local LAN prefix of the SD-WAN CPE is published only into VRF0
  VRF1 receives the LAN prefixes of the traditional CPE (site)
  A route-policy or filter-policy filters the routes received and advertised between the underlay and the overlay network. Filter explicitly: VRF1 also carries the carrier's MPLS/Internet routes, so only the traditional sites' LAN prefixes should be leaked into VRF0; a default route, or a prefix that overlaps the tunnel or controller ranges, learned from the underlay must never be accepted into the overlay

 VRF1 can be created by the SIer before the CPE is delivered to the enterprise (ZTD process)
 The static IP policy can be configured automatically by AC
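What the filter between the two VRFs has to refuse, as an added example (not code from the Huawei solution or the Agile Controller): the route-policy/filter-policy is modelled as a prefix filter applied when VRF1 routes are leaked into VRF0, followed by a longest-prefix-match lookup on the result. The prefixes 168.10.10.0/24 (Hub/HQ), 172.10.10.0/24 (Branch 1) and 168.10.11.0/24 (Branch 2) are the ones on the slide; the next hops, the 172.168.0.0/16 tunnel range and the two rogue underlay routes are constructed for the example.

```python
"""Import filter between VRF1 (underlay) and VRF0 (overlay) on a branch SD-WAN CPE.

Added example, not code from the Huawei solution or the Agile Controller. It models
the route-policy / filter-policy the slide mentions as a prefix filter applied when
VRF1 routes are leaked into VRF0, then resolves destinations with a longest-prefix
match. Prefixes come from the slide; next hops, the 172.168.0.0/16 tunnel range and
the two rogue underlay routes are constructed for the example.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple[IPv4Network, str, str]  # (prefix, next hop, VRF the route came from)

# Constructed route tables of the Branch 2 SD-WAN CPE.
VRF0_OVERLAY: List[Route] = [
    (ip_network("168.10.11.0/24"), "local", "VRF0"),          # own LAN, published only into VRF0
    (ip_network("168.10.10.0/24"), "172.168.10.1", "VRF0"),   # Hub/HQ LAN via the overlay tunnel
]
VRF1_UNDERLAY: List[Route] = [
    (ip_network("172.10.10.0/24"), "10.168.10.1", "VRF1"),    # Branch 1 (traditional CPE) LAN: legitimate
    (ip_network("0.0.0.0/0"), "10.168.10.254", "VRF1"),       # carrier default route
    (ip_network("168.10.10.0/24"), "10.168.10.66", "VRF1"),   # rogue: same prefix as the Hub/HQ LAN
    (ip_network("172.168.10.0/24"), "10.168.10.66", "VRF1"),  # rogue: the overlay tunnel range itself
]

# What the route-policy permits from the underlay: only traditional-site LAN prefixes.
IMPORT_PREFIX_LIST = [ip_network("172.10.10.0/24")]
# Ranges that exist only in the overlay and must never be learned from the underlay.
OVERLAY_ONLY = [ip_network("172.168.0.0/16"), ip_network("168.10.0.0/16")]


def permitted(prefix: IPv4Network, prefix_list: List[IPv4Network]) -> bool:
    """ip-prefix semantics with open ge/le: the prefix must lie inside a permitted entry."""
    return any(prefix.subnet_of(entry) for entry in prefix_list)


def leak_underlay_to_overlay(vrf0: List[Route], vrf1: List[Route],
                             prefix_list: List[IPv4Network],
                             overlay_only: List[IPv4Network]) -> Tuple[List[Route], List[Tuple[str, str]]]:
    """Return VRF0 plus the VRF1 routes that pass the filter, and (prefix, reason) for the rest."""
    accepted = list(vrf0)
    rejected: List[Tuple[str, str]] = []
    present = {prefix for prefix, _, _ in vrf0}
    for prefix, next_hop, src in vrf1:
        if prefix.prefixlen == 0:
            rejected.append((str(prefix), "default route from the underlay"))
        elif any(prefix.overlaps(rng) for rng in overlay_only):
            rejected.append((str(prefix), "overlaps an overlay-only range"))
        elif prefix in present:
            rejected.append((str(prefix), "already present in VRF0"))
        elif not permitted(prefix, prefix_list):
            rejected.append((str(prefix), "not in the import prefix-list"))
        else:
            accepted.append((prefix, next_hop, src))
    return accepted, rejected


def lookup(table: List[Route], destination: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (next hop, source VRF) or None when there is no route."""
    addr = ip_address(destination)
    best: Optional[Route] = None
    for route in table:
        prefix = route[0]
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = route
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    table, dropped = leak_underlay_to_overlay(VRF0_OVERLAY, VRF1_UNDERLAY, IMPORT_PREFIX_LIST, OVERLAY_ONLY)
    for prefix, reason in dropped:
        print(f"rejected {prefix}: {reason}")
    for dst in ("172.10.10.5", "168.10.10.7", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
```

With the filter in place the Branch 1 LAN resolves through the underlay next hop, the Hub/HQ LAN keeps its overlay tunnel next hop despite the rogue duplicate, and Internet destinations stay unroutable in VRF0 because the carrier default route was refused; the same four checks are what the CPE's route-policy or filter-policy must encode.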


Routing: Overlay and Underlay Interconnection (2/2)

[Figure: Hub or HQ (168.10.10.0/24) with a traditional CPE, a transit GW and an SD-WAN CPE (VRF0 default); a branch with a traditional CPE (172.10.10.0/24) and a branch with an SD-WAN CPE (168.10.11.0/24) joined by the overlay VPN.]

① Add a CPE as transit GW in the Hub or HQ
  The transit GW connects to an interface in the default VRF (VRF0) of the SD-WAN CPE
② Run a dynamic routing protocol between the transit GW and the SD-WAN CPE
  OSPF/BGP/RIP

 AC can configure the dynamic routing protocol between the transit GW and the SD-WAN CPE automatically, in the same way as the LAN-side configuration


Flexible Internet GW

[Figure: Agile Controller (public IP 10.10.1.1); Cloud DC with the SD-WAN Hub (S-CPE) and a cloud service in a VRF, with an Internet exit; MPLS core PE1-PE7; T-CPE (168.10.10.1); S-CPE1 (Branch, 168.10.11.1) with a local Internet exit; S-CPE2 (HQ, 168.10.12.1) with an Internet exit.]

 AC supports two types of Internet GW
  Local Internet GW: S-CPE1 (Branch) breaks out to the Internet directly
  Global Internet GW (choose one of the two):
   HQ: all Internet traffic of the enterprise goes to HQ
   SD-WAN Hub: all Internet traffic of the enterprise goes to the SD-WAN Hub
 AC allows the Internet GW to be configured flexibly at a branch, at HQ or at the SD-WAN Hub
 With a local breakout the branch traffic no longer passes the security functions at HQ or at the Hub; the branch CPE's own firewall and URL filter then have to enforce the policy


Flexible Internet Export by SD-WAN Web Portal

[Screenshot: device configuration page of the portal]

 AC configures the NAT function on the device automatically
 By default the Internet public IP is the public IP of the device
 Click a device to configure it; the Internet Hub policy of the device can be set to
  NULL
  Local Internet GW
  Global Internet GW
 When a site is set as local Internet GW, the Internet traffic of that site leaves through the site's own CPE
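What "AC configures NAT on the device, Internet public IP = device public IP" means on the wire, as an added example (not Huawei code): a stateful source NAT (NAPT) that rewrites outbound flows to the device's public address and only lets inbound packets through when they match state created by an outbound packet. The branch LAN 168.10.11.0/24 and the public IP 10.168.10.2 come from the routing slides; the port pool, the peers and the packets are constructed, and the mapping is address-and-port-dependent, the most restrictive kind.

```python
"""Stateful source NAT (NAPT), the function AC turns on at the Internet GW.

Added example, not Huawei code. The branch LAN 168.10.11.0/24 and the device public
IP 10.168.10.2 come from the routing slides; the port pool, the peers and the packets
are constructed, and the mapping is address-and-port-dependent.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NaptGateway:
    """Translates inside -> Internet flows to (public_ip, public_port) and keeps the state
    needed to translate replies back; anything inbound without state is dropped."""

    def __init__(self, inside: str, public_ip: str, port_base: int = 1024) -> None:
        self.inside = ip_network(inside)
        self.public_ip = public_ip
        self._ports = count(port_base)
        # (src_ip, src_port, dst_ip, dst_port, proto) -> public port
        self.outbound: Dict[Tuple[str, int, str, int, str], int] = {}
        # (public_port, peer_ip, peer_port, proto) -> (src_ip, src_port)
        self.inbound: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def egress(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> Internet: rewrite the source; create the translation on first use."""
        if ip_address(pkt.src_ip) not in self.inside:
            return None  # not from this site's LAN: never relay it
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        public_port = self.outbound.get(key)
        if public_port is None:
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: translate only replies that match existing state."""
        if pkt.dst_ip != self.public_ip:
            return None
        state = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if state is None:
            return None  # unsolicited inbound connection attempt: dropped
        inside_ip, inside_port = state
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


if __name__ == "__main__":
    gw = NaptGateway("168.10.11.0/24", "10.168.10.2")
    print("egress:", gw.egress(Packet("168.10.11.20", 51000, "203.0.113.10", 443)))
    print("reply :", gw.ingress(Packet("203.0.113.10", 443, "10.168.10.2", 1024)))
    print("scan  :", gw.ingress(Packet("198.51.100.9", 40000, "10.168.10.2", 1024)))
```

The two drop paths are the point: a packet from an address outside the LAN is never translated (the breakout cannot be used as an open relay), and an inbound packet that does not match an existing translation is discarded even when it hits an allocated public port, which is why a local breakout still needs no inbound rule for ordinary client traffic.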


Agenda
 SD-WAN/CloudVPN Overview
 SD-WAN Scenarios and Requirements
 Huawei SD-WAN Solution
 SD-WAN Architecture
 ZTD (Zero Touch Deployment)
 Traffic Monitoring and Path Control
 Routing in Mixed Scenarios
 HA (High Available) , Security and WAN Acceleration
 SD-WAN CPE Maintenance
 To use SD-WAN System by Web Portal
 Annex: Huawei SD-WAN Portal Introduction



SD-WAN High Availability (1/2): Network HA

[Figure: enterprise switch dual-homed to CPE 1 (active) and CPE 2 (standby) running VRRP; each CPE has an MPLS (Guarantee) link and an MPLS/Internet (Best Effort) link; the callouts ①-④ mark the four HA layers.]

① Equipment HA
  2 CPEs, active-active
  VRRP runs between the CPEs towards the LAN
② Interface HA
  Interface trunk
③ Underlay link HA
  Active-standby links
④ Overlay link HA
  SD-WAN application path policy moves traffic to the other tunnel when link quality degrades


SD-WAN High Availability (2/2): Agile Controller HA

[Figure: NBI virtual IP in front of two Nginx instances (active/standby); an AC cluster (AC, AC, AC, ...); two LVS instances (active/standby) behind the SBI virtual IP.]

 Nginx runs Keepalived; the two Nginx instances are in active-standby mode behind the NBI virtual IP
 AC runs as a cluster
 LVS (Linux Virtual Server) runs Keepalived; the two LVS instances are in active-standby mode behind the SBI virtual IP
 If AC fails, the WAN network is not affected: the CPEs keep forwarding with the configuration they already hold
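Both HA slides rest on VRRP: the CPE pair on the LAN side and Keepalived in front of Nginx and LVS on the controller side (Keepalived is an implementation of VRRP). The added example below, not Huawei or Keepalived code, models the RFC 5798 timers that decide who owns the virtual IP and how long a failover takes: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time, with Skew_Time = (256 - Priority) / 256 of the advertisement interval, so the backup with the highest priority times out first. The router names, priorities, outage times and the virtual IP 168.10.11.254 are assumed.

```python
"""VRRP master election and failover (RFC 5798 timers), as used between the two CPEs
and by Keepalived in front of Nginx/LVS.

Added example, not Huawei or Keepalived code. Names, priorities, the outage window
and the virtual IP 168.10.11.254 are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ADV_MS = 1000  # Advertisement_Interval: 1 s, the protocol default


def skew_ms(priority: int) -> int:
    """Skew_Time = ((256 - Priority) * Advertisement_Interval) / 256."""
    return (256 - priority) * ADV_MS // 256


def master_down_ms(priority: int) -> int:
    """Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time."""
    return 3 * ADV_MS + skew_ms(priority)


@dataclass
class VrrpRouter:
    name: str
    priority: int          # 1..254 (255 is reserved for the owner of the virtual IP)
    state: str = "Backup"
    last_adv_ms: int = 0   # when this router last heard the master, or (re)started


class VrrpGroup:
    """One VRID on one LAN segment. `outages` maps a router name to (down_ms, up_ms)."""

    def __init__(self, vip: str, routers: List[VrrpRouter], outages: Dict[str, Tuple[int, int]]) -> None:
        self.vip = vip
        self.routers = routers
        self.outages = outages

    def is_up(self, r: VrrpRouter, t: int) -> bool:
        down, up = self.outages.get(r.name, (None, None))
        return down is None or not (down <= t < up)

    def run(self, until_ms: int) -> List[Tuple[int, str]]:
        """Simulate in 1 ms steps; return (time_ms, name) for every master transition."""
        events: List[Tuple[int, str]] = []
        for t in range(until_ms + 1):
            for r in self.routers:           # a router that goes down or comes up restarts as Backup
                down, up = self.outages.get(r.name, (None, None))
                if t in (down, up):
                    r.state, r.last_adv_ms = "Backup", t
            live = [r for r in self.routers if self.is_up(r, t)]
            master = next((r for r in live if r.state == "Master"), None)
            if master is not None:
                if t % ADV_MS == 0:          # the master advertises once per interval
                    for r in live:
                        if r is master:
                            continue
                        r.last_adv_ms = t
                        if r.priority > master.priority:   # preempt mode: higher priority takes over
                            master.state, r.state = "Backup", "Master"
                            events.append((t, r.name))
                            break
                continue
            for r in sorted(live, key=lambda x: -x.priority):   # no master heard: Master_Down timers
                if t - r.last_adv_ms >= master_down_ms(r.priority):
                    r.state = "Master"
                    events.append((t, r.name))
                    break
        return events


if __name__ == "__main__":
    cpe1, cpe2 = VrrpRouter("CPE1", 120), VrrpRouter("CPE2", 100)
    group = VrrpGroup("168.10.11.254", [cpe1, cpe2], {"CPE1": (5000, 12000)})
    for when, who in group.run(20000):
        print(f"{when:6d} ms  master -> {who}")
```

With CPE1 at priority 120 and CPE2 at 100, CPE1 wins the initial election after 3531 ms, CPE2 takes over 3609 ms after the last advertisement it heard when CPE1 fails, and CPE1 preempts on the first advertisement it receives after coming back. Two operational notes follow from this: a LAN outage of a few seconds is expected on failover, and VRRP advertisements carry no strong authentication, so any host on the same segment can send a higher-priority advertisement and capture the virtual IP; run it only on segments that are trusted, which for the controller means the management network, not a user VLAN.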


CPE Built-in FW, IPS and URL Filtering Function

[Figure: HQ and two branches, each with a CPE, connected through the Internet.]

FW
 Security zones (ACL-based)
 Packet-filtering firewall
 Application-specific packet filter (ASPF)
IPS
 Attack detection with a signature database of 1200+ signatures; vendor-stated detection rate above 90%
 Online signature database upgrade
URL filter
 Accuracy: 96% (vendor-stated)
 Fine-grained pre-defined categories: 130+


X86 Module for Deploying More Powerful Security Product

[Figure: CPE (AR1220/AR2220) with an X86 module (SAE220/SAE550) running a KVM hypervisor and a VM of Eudemon1000E-V. Router functions shown: DNS, NAT, ACL, MPLS IP VPN, GRE VPN, DHCP, SLB, QoS. Eudemon1000E-V functions shown: Anti-DDoS, IPS, URL filter, IPSec VPN, anti-virus, file filter.]

X86 modules
 SAE550: dual-core 2.7 GHz processor; 1 TB hard disk; 16 GB memory; fixed ports 2*GE + 1*VGA + 2*USB
 SAE220: dual-core 1.1 GHz processor; 1 TB hard disk; 4 GB memory; fixed ports 2*GE + 1*VGA + 2*USB
 Hypervisor: KVM
 CPE: AR1220/AR2220 with SAE220/SAE550

Eudemon1000E-V
 Published at Interop in 2015
 Finished PoC with three Japanese carriers
 Commercial in a Japanese carrier in 2016


WAN Acceleration Cooperation with Riverbed

[Figure: Branch 1 and Branch 2 (AR + WAN acceleration on an SAE220 module) connected over the WAN to HQ (SAE550).]

 WAN acceleration (Riverbed) is deployed on the X86 module of the CPE
 Transmission and data optimization between branch and HQ


Section: SD-WAN CPE Maintenance


Huawei SD-WAN CPE Upgrades and Patches

[Figure: carrier manager, Agile Controller, file server and CPEs in Site Group 1 and Site Group 2 across MPLS.]

1. The carrier manager defines the upgrade and patch policy
2. The version or patch files are prepared on the file server
3. The Agile Controller sends the upgrade or patch instruction to the CPEs
4. The CPE obtains the software package or patch files from the file server
5. Upgrade: the CPE reboots automatically after the upgrade. Patch: the CPE does not reboot and service is not affected

 AC supports batch upgrading or patching of CPEs
 Zero touch for upgrading and patching CPEs
 A CPE reboot takes about 3 minutes; while the CPE reboots, service is interrupted
 It is better to upgrade CPEs at midnight, inside a maintenance window
 Before a package is pushed, check its digest or signature against the value published with the release, and stage the rollout so that the two CPEs of a dual-CPE site are not rebooted in the same batch
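The controller-side checks a rollout of this kind should make before step 3, as an added example (not Agile Controller code): verify the package digest before anything is pushed (the expected SHA-256 is assumed to be supplied with the release), refuse an upgrade outside the maintenance window because it reboots every CPE, and split the CPEs into waves so the two CPEs of a dual-CPE HA site are never rebooted together. Site names, ESNs and the package bytes are constructed.

```python
"""Planning a batch CPE upgrade or patch run from the controller side.

Added example, not Agile Controller code. The expected SHA-256 is assumed to come
with the release; site names, ESNs and the package bytes are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Constructed stand-in for the package bytes and its published SHA-256.
PACKAGE_BYTES = b"abc"
PACKAGE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


@dataclass(frozen=True)
class Cpe:
    esn: str
    site: str
    group: str  # site group used for batch selection


def verify_package(data: bytes, expected_sha256: str) -> bool:
    """Compare the digest of the downloaded file with the one published for the release."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def plan_waves(cpes: List[Cpe], kind: str) -> List[List[str]]:
    """kind is "upgrade" (reboots) or "patch" (no reboot).

    Patches go out in one wave. Upgrades are staggered: the n-th CPE of every site
    lands in wave n, so a dual-CPE site always keeps one CPE forwarding."""
    if kind == "patch":
        return [[c.esn for c in cpes]]
    waves: Dict[int, List[str]] = {}
    seen_per_site: Dict[str, int] = {}
    for c in sorted(cpes, key=lambda x: (x.group, x.site, x.esn)):
        n = seen_per_site.get(c.site, 0)
        seen_per_site[c.site] = n + 1
        waves.setdefault(n, []).append(c.esn)
    return [waves[n] for n in sorted(waves)]


def rollout(cpes: List[Cpe], kind: str, package: bytes, expected_sha256: str,
            in_maintenance_window: bool) -> Tuple[bool, Union[str, List[List[str]]]]:
    """Return (True, waves) when the run may start, or (False, reason) when it must not."""
    if kind not in ("upgrade", "patch"):
        return False, f"unknown kind {kind!r}"
    if not verify_package(package, expected_sha256):
        return False, "package digest mismatch: refusing to push"
    if kind == "upgrade" and not in_maintenance_window:
        return False, "upgrade reboots every CPE (about 3 minutes of outage): wait for the window"
    return True, plan_waves(cpes, kind)


FLEET = [  # constructed fleet; HQ is a dual-CPE site
    Cpe("ESN-HQ-1", "HQ", "Site Group 1"),
    Cpe("ESN-HQ-2", "HQ", "Site Group 1"),
    Cpe("ESN-B1", "Branch 1", "Site Group 2"),
    Cpe("ESN-B2", "Branch 2", "Site Group 2"),
]

if __name__ == "__main__":
    print(rollout(FLEET, "upgrade", PACKAGE_BYTES, PACKAGE_SHA256, in_maintenance_window=True))
    print(rollout(FLEET, "upgrade", b"abd", PACKAGE_SHA256, in_maintenance_window=True))
    print(rollout(FLEET, "patch", PACKAGE_BYTES, PACKAGE_SHA256, in_maintenance_window=False))
```

A digest check only proves the file is the one that was published; if the release also carries a signature, verify that instead, since a digest fetched from the same file server as the package proves nothing if that server is compromised.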


SD-WAN CPE Upgrades and Patches Web Portal (Demo)

[Screenshots of the portal]
 Choose the CPE or CPE group to upgrade or patch
 Choose the upgrade file and version, or the patch file and version
 Download the file and reboot the CPE


Comprehensive and Detailed Fault Information

Fault information (part)
 Hardware fault: CPU fault, system fault
 Interface fault: Eth-Trunk fault, VLAN fault
 LAN fault: MAC table fault, WLAN fault
 WAN fault: PPPoE fault, 3G fault
 IP & routing fault: ping fault, DHCP fault, RIP fault, OSPF fault, BGP fault
 Traffic policy fault: traffic shaping fault, QoS fault, traffic congestion fault
 Security fault: Telnet fault, SSH fault, ARP security fault, F/W fault, ACL fault, NAT fault
 HA fault: interface backup fault, BFD fault, VRRP fault
 VPN fault: DSVPN fault, GRE fault, IPSec fault
 Application fault: DPI fault, app control fault, app quality fault

There is a detailed fault-processing guide for each fault. Example: the CPE does not register to AC (ZTD fault)
1. Is the CPE rebooting? Yes: wait for the reboot to finish, then check again
2. Is the CPE being reset? Yes: locate the problem according to the reset information
3. Problem solved? Yes: end. No: contact technical support

Most faults can be processed remotely


SD-WAN Troubleshooting Process

Alarms -> remote processing according to the guide -> if that fails, remote reboot of the CPE -> execute ZTD processing -> vendor or SIer service processing


Section: To use SD-WAN System by Web Portal


SD-WAN Monitor and Visualization by Web Portal of AC

Home
 Overview: site status; GIS; TOPO; traffic (total); application number (total); network type and branch number
 Site: site link quality statistics; top site traffic; detailed quality of each site
 Application: top applications traffic; top applications quality; quality of each application between sites; top worst inter-site
 Inter-Site (site to headquarters, site to site): application traffic trend of MPLS or Internet; link bandwidth usage trend of MPLS or Internet; link quality trend of MPLS or Internet

Please see Web Portal (Demo)


SD-WAN Configuration by Web Portal of AC

Configuration
 Network: VPN tunnel address pool; URL filter
 Hub: basic configuration; network configuration (LAN-side address pool, Hub topology); policy configuration
 Site group: basic configuration; network configuration (LAN-side address pool, subnet size of a branch site, site topology); policy configuration
 Site: device configuration; link configuration (enable encryption / mode); device; site
 Policy management: application category; enable application quality check; QoS policy; traffic shaping; bandwidth (MB); path selection policy; security policy

Encryption of the overlay tunnel is a per-link setting; confirm it is enabled for every link that crosses the Internet.

Please see Web Portal (Demo)


SD-WAN Application Policy Principle

[Figure: "Policy Management" (application type: Entertainment; application category: VoIP) applies globally; "Hub" and "Site Group" -> "Network Configuration" -> "Policy Configuration" (application type: Entertainment; application category: VoIP; application: MSN) apply to the Hub, to Site 1 (Site Group 1) and to Site 2 and Site 3 (Site Group 2).]

 "Policy Management" sets the global application policy for all sites. It does not set a policy for a specific application, only for an application category
 "Hub or Site Group -> Network Configuration -> Policy Configuration" sets a policy for a specific application on a specific site or site group. It also sets the application policy for the source site and the target site
 When the global policy and the site policy conflict, the site policy has higher priority than the global policy
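The precedence stated above, implemented as an added example (not Agile Controller code): a site-level policy beats the global "Policy Management" one, the global scope may hold category or type entries but not an entry for a single application, and inside one scope the most specific entry wins (application > category > type). The ordering site > site group, the application catalogue, the action labels and the site and group names are assumed; type "Entertainment", category "VoIP" and application "MSN" are the entries named on the slide, and the QoS levels are the four from the Policy Management page.

```python
"""Resolving which application policy applies to a flow.

Added example, not Agile Controller code. The ordering site > site group, the
application catalogue, the action labels and the site/group names are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed catalogue: application -> (category, type)
CATALOGUE = {
    "MSN": ("IM", "Entertainment"),
    "YouTube": ("Video", "Entertainment"),
    "Skype": ("VoIP", "Collaboration"),
    "SIP-Phone": ("VoIP", "Collaboration"),
}
LEVELS = {"application": 3, "category": 2, "type": 1}   # higher = more specific
QOS_LEVELS = ("Highest", "High", "Medium", "Low")        # the four levels of the portal


@dataclass(frozen=True)
class Policy:
    scope: str    # "global", "group:<name>" or "site:<name>"
    level: str    # "application" | "category" | "type"
    match: str    # value at that level
    qos: str      # one of QOS_LEVELS
    path: str     # constructed action label, e.g. "MPLS-first"


def validation_error(policy: Policy) -> Optional[str]:
    """None when the entry is acceptable, otherwise the reason the portal would refuse it."""
    if policy.level not in LEVELS:
        return f"unknown level {policy.level!r}"
    if policy.qos not in QOS_LEVELS:
        return f"unknown QoS level {policy.qos!r}"
    if policy.scope == "global" and policy.level == "application":
        return "Policy Management sets application categories only, not a specific application"
    return None


def matches(policy: Policy, app: str) -> bool:
    category, app_type = CATALOGUE[app]
    return {"application": app, "category": category, "type": app_type}[policy.level] == policy.match


def resolve(policies: List[Policy], app: str, site: str, group: str) -> Optional[Policy]:
    """Most specific scope first (site > group > global), then most specific level."""
    scope_rank = {f"site:{site}": 3, f"group:{group}": 2, "global": 1}
    candidates = [p for p in policies if p.scope in scope_rank and matches(p, app)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: (scope_rank[p.scope], LEVELS[p.level]))


POLICIES = [  # constructed policy set
    Policy("global", "category", "VoIP", "High", "MPLS-first"),
    Policy("global", "type", "Entertainment", "Low", "Internet-first"),
    Policy("group:Site Group 2", "application", "Skype", "Highest", "MPLS-first"),
    Policy("site:Site 1", "application", "MSN", "Medium", "Internet-first"),
]
for _p in POLICIES:
    assert validation_error(_p) is None

if __name__ == "__main__":
    for app, site, group in (("Skype", "Site 3", "Site Group 2"), ("MSN", "Site 1", "Site Group 1"),
                             ("MSN", "Site 2", "Site Group 1")):
        chosen = resolve(POLICIES, app, site, group)
        print(app, "at", site, "->", chosen.scope, chosen.level, chosen.qos)
```

The order of the sort key is the whole rule: scope is compared before specificity, so a site's category entry still overrides a global entry for the same category, and a group's application entry for Skype only applies to sites in that group; at any other site Skype falls back to the global VoIP category policy.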


Configuration -> Network

[Screenshot: network configuration page. Figure: two CPEs with LAN 192.168.0.0/24 and 192.168.1.0/24; GE1/0/0 10.168.1.10 and 10.168.1.11 on MPLS(B) with VPN tunnel addresses 172.168.1.10 and 172.168.1.11; GE1/0/1 10.128.1.10 and 10.128.1.11 on MPLS(G) with VPN tunnel addresses 172.128.1.10 and 172.128.1.11.]

 Network configuration is global and valid for all sites
 The VPN tunnel address is the logical address of the overlay VPN; the address ranges of LAN, WAN and VPN tunnel must not overlap
 URL filtering permits or denies access to web sites, and is valid for all sites


Configuration -> Hub

 "LAN-side address pool"
  The CPE acts as DHCP server
  AC assigns the LAN address pool to the DHCP server (CPE)
  The LAN address of the CPE is the first IP address of the LAN address pool

[Figure: CPE as DHCP server for 192.168.0.0/16; CPE LAN address 192.168.0.1; site subnets starting at 192.168.0.1 and 192.168.1.1.]

 The enterprise can choose "Dual-gateway and Dual-link" to deploy two CPEs for HA


Configuration -> Site group

 A site group is a set of sites with the same properties:
  LAN-side address
  Topology
  Device type
  Link configuration
 "Subnet size of a branch site" sets the number of hosts of a site
 When you create a new site you can choose a site group, and the new site inherits the properties of that site group
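How the Hub and site-group settings above combine, as an added example (not Agile Controller code): the LAN-side pool is carved into one subnet per site sized from "subnet size of a branch site", the CPE takes the first host address of its subnet, and the resulting LAN ranges are checked against the WAN and VPN-tunnel ranges for the overlap the Network configuration page forbids. The pool 192.168.0.0/16, the WAN subnets 10.168.1.0/24 and 10.128.1.0/24 and the tunnel ranges 172.168.1.0/24 and 172.128.1.0/24 come from the configuration slides; the site names and the 254 hosts per branch are assumed.

```python
"""Carving the LAN-side address pool into per-site subnets, and checking that LAN,
WAN and VPN-tunnel ranges do not overlap.

Added example, not Agile Controller code. Pool, WAN and tunnel ranges come from the
configuration slides; site names and the subnet size (254 hosts) are assumed.
"""
from ipaddress import ip_network
from typing import Dict, List, Tuple


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix length whose usable host count (size - 2) is at least `hosts`."""
    plen, size = 30, 4
    while size - 2 < hosts:
        size *= 2
        plen -= 1
    return plen


def carve_pool(pool: str, sites: List[str], hosts_per_site: int) -> Dict[str, Dict[str, str]]:
    """Give every site the next subnet of the pool; the CPE takes the first host address
    of its subnet, as the Hub configuration slide describes."""
    subnets = ip_network(pool).subnets(new_prefix=prefix_for_hosts(hosts_per_site))
    plan: Dict[str, Dict[str, str]] = {}
    for site in sites:
        net = next(subnets)  # raises StopIteration when the pool is exhausted
        plan[site] = {"subnet": str(net), "cpe_lan_ip": str(next(net.hosts()))}
    return plan


def overlaps(ranges: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """ranges: label -> CIDRs. Returns every overlapping pair as (label_a, cidr_a, label_b, cidr_b)."""
    flat = [(label, ip_network(cidr, strict=False)) for label, cidrs in ranges.items() for cidr in cidrs]
    found: List[Tuple[str, str, str, str]] = []
    for i, (label_a, net_a) in enumerate(flat):
        for label_b, net_b in flat[i + 1:]:
            if net_a.overlaps(net_b):
                found.append((label_a, str(net_a), label_b, str(net_b)))
    return found


def address_plan(sites: List[str], hosts_per_site: int = 254) -> Tuple[Dict[str, Dict[str, str]], list]:
    """Carve the slide's pool and check it against the slide's WAN and tunnel ranges."""
    lan = carve_pool("192.168.0.0/16", sites, hosts_per_site)
    conflicts = overlaps({
        "LAN": [s["subnet"] for s in lan.values()],
        "WAN": ["10.168.1.0/24", "10.128.1.0/24"],
        "VPN tunnel": ["172.168.1.0/24", "172.128.1.0/24"],
    })
    return lan, conflicts


if __name__ == "__main__":
    lan, conflicts = address_plan(["HQ", "Branch 1", "Branch 2"])
    for site, entry in lan.items():
        print(f"{site:9s} {entry['subnet']:18s} CPE {entry['cpe_lan_ip']}")
    print("conflicts:", conflicts or "none")
    print("bad plan :", overlaps({"LAN": ["192.168.0.0/24"], "VPN tunnel": ["192.168.0.0/16"]}))
```

Run the overlap check on every change to the three pools, not only at design time: a tunnel pool that overlaps a site LAN is exactly the kind of mistake the portal's "must not conflict" note warns about, and it surfaces as traffic silently taking the wrong path rather than as an error.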


Configuration -> Site

 The most important step is to send an email to the engineer at the branch
 The email contains the following:
  To install your Huawei SD-WAN router, please follow these steps:
  1. Connect your device to power and to the WAN interface cables (e.g. eth0 to MPLS; eth1 to Internet)
  2. If the device has Wi-Fi, find and connect to the Wi-Fi network named "huawei-" followed by the device ESN, with the password "Admin@huawei"; otherwise connect to one of the LAN interfaces
  3. Click the following link to log in to your device with username "admin" and password "Admin@huawei":
   http://192.168.0.1?ac-ip=10.11.11.1&ac-port=12345
 The link carries the controller address and port the CPE will register to, and the credentials in the email are the factory defaults, identical for every device. Anyone who can reach the LAN or the Wi-Fi during installation can use them, so the SIer should confirm that the default password is replaced once the CPE has registered with AC, and the branch engineer should not forward the email


Configuration -> Policy Management

[Screenshot: policy management page]

 Enable application quality check: when enabled, the quality of the application is monitored
 Set the QoS priority of the application; four QoS levels: Highest, High, Medium, Low
 Currently, the application path policy is supported only on the basis of link quality


Configuration -> Policy Management (Summary)

[Screenshot: policy management summary page]


Section: Annex: Huawei SD-WAN Portal Introduction


Monitor and Visualization: Topology and Sites Overview

[Screenshot: portal topology page with three callouts]
① E2E topology visualization
② Site information: health status; link quality; number of applications; bandwidth usage; CPE status
③ Link quality


Annex screenshot slides (portal pages shown in the original deck):
 Monitor and Visualization: Sites (1/2), (2/2)
 Monitor and Visualization: Inter-Site (1/2), (2/2)
 Monitor and Visualization: Site1 to Site2 Overview (1/2), (2/2)
 Monitor and Visualization: Site1 to Site2 Link (1/2), (2/2)
 Monitor and Visualization: Site1 to Site2 Application (1/3); (2/3): for example, throughput of Facebook between site1 and site2; (3/3): for example, AQM and quality of Facebook between site1 and site2
 Monitor and Visualization: Application Overview (1/4) to (4/4)
 Monitor and Visualization: Specific Application (Site to Site) (1/3), (2/3); (3/3): who accesses Facebook?
 Monitor and Visualization: Visitor Overview (1/2), (2/2)
 Application Smart Policy (1/2), (2/2)
 Zero Touch Deployment and Overlay VPN (1/2): global configuration for the whole enterprise network
 Zero Touch Deployment and Overlay VPN (2/2): offline design and configuration of the E2E SD-WAN network by AC; enterprise staff only need to plug in the cables and power on the CPE


Thank you
www.huawei.com

Copyright©2015 Huawei Technologies Co., Ltd. All Rights Reserved.


The information in this document may contain predictive statements including, without limitation, statements regarding the future financial
and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and
developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for
reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
