SD-WAN Edge Network Settings

SD-WAN Edge Network Settings allows for the configuration of global parameters that impact the operation of the entire SD-WAN Edge network. These settings may impact the way individual Site settings are interpreted or applied.

Global Security Settings

Network Encryption Mode: Defines the algorithm used for all encrypted Paths in the SD-WAN Edge network. This setting does not apply to non-encrypted Paths. When changing this setting, the Secure Key for Sites in the SD-WAN Edge network may be modified.

  • When changing to AES 128-Bit, keys longer than 16 characters will be truncated to 16 characters.
  • When changing to AES 256-Bit, keys shorter than 32 characters will be regenerated as 32 characters.

Enable Encryption Key Rotation: If enabled, Encryption Keys will be regenerated for every Conduit with encryption enabled using an Elliptic Curve Diffie-Hellman key exchange at intervals of 10 - 15 minutes.

Enable Extended Packet Encryption Header: If enabled, a 16 byte, randomly seeded counter is prepended to the beginning of every encrypted message. Once encrypted, this counter serves as a random Initialization Vector that can be reproduced only with the encryption key. This randomizes the output of encryption, so two encryptions of the same payload produce different ciphertexts (message indistinguishability). Note that when enabled, this option increases packet overhead by 16 bytes.

Enable Extended Packet Authentication Trailer: If enabled, an authentication code is appended to the end of every encrypted message. This trailer allows the receiver to verify that the packet was not modified in transit. Note that when enabled, this option increases packet overhead by the size of the selected trailer type (4 or 16 bytes).

Extended Packet Authentication Trailer Type: The type of trailer to include in encrypted messages.

WARNING: Using SHA-256 may significantly impact network performance.

  • 32-Bit Checksum: A 4 byte value calculated by computing the ones-complement checksum of the encrypted packet's contents. It is cheap to compute and detects accidental corruption, but because a checksum is not keyed, anyone able to alter the ciphertext can also recompute it.
  • SHA-256: A 16 byte value, a SHA-256 digest truncated to 16 bytes, calculated over the encrypted packet's contents.

Global Firewall Settings

Global Firewall Settings allows for the configuration of global parameters that impact the operation of the Firewall on individual SD-WAN Edge.

Global Policy Template: A Firewall Policy template to be applied to all SD-WAN Edge in the network.

Default Firewall Action:

  • Allow: Packets not matching any filter policy are permitted.
  • Drop: Packets not matching any filter policy are dropped.

Default Connection State Tracking: Check the box to enable bidirectional connection state tracking for TCP, UDP and ICMP flows that do not match a filter policy or NAT rule. When enabled, asymmetric flows (where the two directions of a connection traverse different SD-WAN Edges) are blocked even if no Firewall policies are defined, because the return direction arrives at an Edge that holds no state for the flow. The setting may also be defined at the site level, which overrides the global setting. If asymmetric flows are possible at a site, the recommendation is to enable tracking at the site or policy level and not globally. For Conduit to Conduit TCP flows the sequence window check is ignored; the recommendation is to enable tracking at both end sites.
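To make the asymmetric-flow warning concrete, the following is an added Go example (not the product's code, and not taken from this page) of bidirectional state tracking as the setting describes it. Two independent trackers stand in for two SD-WAN Edges; the TCP SYN leaves through Edge A but the SYN-ACK returns through Edge B, which holds no state and therefore drops it. The packet fields, addresses and the rule that only a SYN may create TCP state are assumptions of this model; UDP and ICMP are simplified to create state on their first packet in either direction because they carry no initiator flag.

```go
package main

import "fmt"

// Pkt is the minimal view of a packet needed for state tracking (constructed data).
type Pkt struct {
	Src, Dst         string
	SrcPort, DstPort int
	Proto            string // "tcp", "udp" or "icmp"
	SYN, ACK         bool   // TCP flags; ignored for other protocols
}

type flowKey struct {
	Proto              string
	Init, Resp         string
	InitPort, RespPort int
}

// Tracker is the bidirectional state table of a single SD-WAN Edge.
type Tracker struct{ flows map[flowKey]struct{} }

func NewTracker() *Tracker { return &Tracker{flows: map[flowKey]struct{}{}} }

// Accept returns true if the packet belongs to a known flow in either
// direction, or is allowed to create one. A TCP flow may only be created by
// a SYN without ACK; UDP and ICMP create state on their first packet
// (a simplification: neither protocol carries an initiator flag).
func (t *Tracker) Accept(p Pkt) bool {
	fwd := flowKey{p.Proto, p.Src, p.Dst, p.SrcPort, p.DstPort}
	rev := flowKey{p.Proto, p.Dst, p.Src, p.DstPort, p.SrcPort}
	if _, ok := t.flows[fwd]; ok {
		return true
	}
	if _, ok := t.flows[rev]; ok {
		return true
	}
	if p.Proto == "tcp" && !(p.SYN && !p.ACK) {
		return false // mid-stream TCP packet with no state: drop
	}
	t.flows[fwd] = struct{}{}
	return true
}

// AsymmetricScenario runs one TCP handshake where the SYN leaves through
// Edge A but the SYN-ACK comes back through Edge B (constructed addresses).
// It returns the verdicts [A sees SYN, A sees SYN-ACK, B sees SYN-ACK].
func AsymmetricScenario() []bool {
	a, b := NewTracker(), NewTracker()
	syn := Pkt{"10.1.0.5", "203.0.113.10", 40000, 443, "tcp", true, false}
	synAck := Pkt{"203.0.113.10", "10.1.0.5", 443, 40000, "tcp", true, true}
	return []bool{a.Accept(syn), a.Accept(synAck), b.Accept(synAck)}
}

func main() {
	fmt.Println("[A:SYN A:SYN-ACK B:SYN-ACK] =", AsymmetricScenario())
}
```

The third verdict is the case the page warns about: with tracking enabled globally, Edge B drops the legitimate SYN-ACK even though no Firewall policy was written, so sites with possible asymmetric routing should enable tracking per site or per policy instead.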

Global Path Bandwidth Testing Settings

Global Path Bandwidth Testing Settings allows for the configuration of global parameters that impacts path bandwidth testing operations on individual SD-WAN Edge.

Path Bandwidth Test Time (ms): The maximum length of time, in ms, that each packet bandwidth burst test will last. The minimum value is 20ms and the maximum value is 10000ms. If the configured time is 5 seconds or less, the test is run 10 times to get the final test result; if it is greater than 5 seconds, the test is run 5 times.

WARNING: Setting the test time to more than 200ms may cause the path to go bad and impact normal user traffic.

Cloud Security Settings

Cloud Security Settings allows for the configuration of global parameters that impact the operation of the Cloud service of the entire SD-WAN Edge network. These settings may impact the way individual Site settings are interpreted or applied.

Network Encryption Mode: Defines the algorithm used for all encrypted Paths in the SD-WAN Edge network. This setting does not apply to non-encrypted Paths. When changing this setting, the Secure Key for Sites in the SD-WAN Edge network may be modified.

  • When changing to AES 128-Bit, keys longer than 16 characters will be truncated to 16 characters.
  • When changing to AES 256-Bit, keys shorter than 32 characters will be regenerated as 32 characters.

Enable Encryption Key Rotation: If enabled, Encryption Keys will be regenerated for every Conduit with encryption enabled using an Elliptic Curve Diffie-Hellman key exchange at intervals of 10 - 15 minutes.

Enable Extended Packet Encryption Header: If enabled, a 16 byte, randomly seeded counter is prepended to the beginning of every encrypted message. Once encrypted, this counter serves as a random Initialization Vector that can be reproduced only with the encryption key. This randomizes the output of encryption, so two encryptions of the same payload produce different ciphertexts (message indistinguishability). Note that when enabled, this option increases packet overhead by 16 bytes.

Enable Extended Packet Authentication Trailer: If enabled, an authentication code is appended to the end of every encrypted message. This trailer allows the receiver to verify that the packet was not modified in transit. Note that when enabled, this option increases packet overhead by the size of the selected trailer type (4 or 16 bytes).

Extended Packet Authentication Trailer Type: The type of trailer to include in encrypted messages.

WARNING: Using SHA-256 may significantly impact network performance.

  • 32-Bit Checksum: A 4 byte value calculated by computing the ones-complement checksum of the encrypted packet's contents. It is cheap to compute and detects accidental corruption, but because a checksum is not keyed, anyone able to alter the ciphertext can also recompute it.
  • SHA-256: A 16 byte value, a SHA-256 digest truncated to 16 bytes, calculated over the encrypted packet's contents.
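The following Go program is an added example, written for this page and not taken from the Oracle product or its documentation, that models the Extended Packet Encryption Header and Extended Packet Authentication Trailer options described under Global Security Settings and, identically, under Cloud Security Settings. It assumes a reading of the text that the page does not spell out: the 16 byte header is a random AES-CTR counter block carried at the front of the message, with a fixed all-zero counter when the header is disabled; the 32-Bit Checksum is a 32-bit ones-complement sum with end-around carry over whole 4-byte words; and the SHA-256 trailer is the first 16 bytes of the digest. None of this is the product's documented wire format. The functions Seal and Open, the sample key and the sample payload are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// TrailerType selects the Extended Packet Authentication Trailer variant.
type TrailerType int

const (
	TrailerNone       TrailerType = iota
	TrailerChecksum32 // 32-Bit Checksum: 4 bytes
	TrailerSHA256     // SHA-256 digest truncated to 16 bytes
)
// checksum32: 32-bit ones-complement sum with end-around carry, zero-padded
// to whole 4-byte words (assumed word layout, not taken from the page).
func checksum32(data []byte) uint32 {
	var sum uint64
	for i := 0; i < len(data); i += 4 {
		var w [4]byte
		copy(w[:], data[i:]) // a short final word is zero-padded
		sum += uint64(binary.BigEndian.Uint32(w[:]))
	}
	for sum>>32 != 0 {
		sum = (sum & 0xffffffff) + (sum >> 32)
	}
	return ^uint32(sum)
}

func trailer(t TrailerType, ct []byte) []byte {
	switch t {
	case TrailerChecksum32:
		b := make([]byte, 4)
		binary.BigEndian.PutUint32(b, checksum32(ct))
		return b
	case TrailerSHA256:
		d := sha256.Sum256(ct)
		return d[:16]
	}
	return nil
}

// Seal encrypts payload with AES-CTR. With extHeader a fresh random 16-byte counter
// block leads the message (16 bytes overhead); without it the counter is fixed.
func Seal(key, payload []byte, extHeader bool, tt TrailerType) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	msg, ctr := []byte(nil), make([]byte, aes.BlockSize)
	if extHeader {
		if _, err := rand.Read(ctr); err != nil {
			return nil, err
		}
		msg = append(msg, ctr...)
	}
	ct := make([]byte, len(payload))
	cipher.NewCTR(block, ctr).XORKeyStream(ct, payload)
	msg = append(msg, ct...)
	return append(msg, trailer(tt, msg)...), nil
}

// Open verifies the trailer before decrypting, then strips the header block.
func Open(key, packet []byte, extHeader bool, tt TrailerType) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	hl, tl := 0, len(trailer(tt, nil))
	if extHeader {
		hl = aes.BlockSize
	}
	if len(packet) < hl+tl {
		return nil, fmt.Errorf("malformed packet: %d bytes", len(packet))
	}
	body, tr := packet[:len(packet)-tl], packet[len(packet)-tl:]
	if tl > 0 && subtle.ConstantTimeCompare(tr, trailer(tt, body)) != 1 {
		return nil, fmt.Errorf("trailer mismatch: packet modified in transit")
	}
	ctr := make([]byte, aes.BlockSize)
	copy(ctr, body[:hl]) // stays all-zero when the header is disabled
	pt := make([]byte, len(body)-hl)
	cipher.NewCTR(block, ctr).XORKeyStream(pt, body[hl:])
	return pt, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // sample 32-byte key (AES 256-Bit)
	c, _ := Seal(key, []byte("constructed sample payload"), true, TrailerSHA256)
	c[20] ^= 1 // flip one ciphertext bit; the trailer no longer verifies
	_, err := Open(key, c, true, TrailerSHA256)
	fmt.Println("tampered packet rejected:", err != nil)
}
```

With the header disabled, sealing the same payload twice yields identical bytes, which is what the option exists to prevent; with it enabled the two ciphertexts differ and are 16 bytes longer. Both trailer types catch a flipped bit in this model; the difference the performance warning refers to is the cost of SHA-256 per packet and the 16 versus 4 bytes of overhead.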

Cloud Services

This allows the settings of a service provider's cloud server to be configured. They are normally provided as a JSON file and imported using the "Import Cloud Config..." button.

  • Service Name - This is the name of the cloud service.
  • Subscriber - This is the subscriber to the service provider's cloud service.
  • SD-WAN Edge Network ID - This is the subscriber's SD-WAN Edge network ID.
  • IP/Domain - This is the public IP or domain of the cloud service.
  • Port 1 / 2 - These are the UDP public port numbers of the cloud service for data traffic.
  • Mgt IP/Domain - This is the management IP or domain of the cloud service. It is also used for REST API communication. If it is not specified, the cloud service IP/Domain is used.
  • Mgt Port - This is the management port of the cloud service.
  • Network BW Limit - This is the bandwidth(Kbps) limit of the network.
  • Per Site BW Limit - This is the bandwidth(Kbps) limit of each site's Cloud Service and applies to each of its egress and ingress separately.
  • Max Number of Sites - The limit of sites that can connect to this Cloud Service.
  • Cloud Service BW Limit - The total bandwidth(Kbps) limit for the cloud service in the network.
  • Service Provider Provided Shared Key - This is the pre-shared key provided by the service provider for REST API authentication.
  • Subscriber Generated Secure Key - This is the subscriber secure hexadecimal key used for encryption and membership verification in the SD-WAN Edge network.

Routing Domains

A Routing Domain is a separate routing instance (its own routing table and set of interfaces) used to segment network traffic, for example to keep the traffic of different tenants or security zones apart. New Sites are automatically associated with the default Routing Domain.

Application Categories

Application Categories provide a list of Oracle predefined categories which the user can add, delete, or edit. The application categories are used on the application dashboard to view top categories from a usage perspective. The user can add new Categories to be used in User-Defined Applications. The column In Oracle Preset shows if the Category is Pre-Defined (checked) or User-Defined. An Application Category can be used as a match criteria in Application Policy, which effectively includes all Applications that have this Category attribute as the match.

User Defined Applications

Please see Oracle Defined Applications

Oracle Defined Applications

An Application has a set of one or more match criteria which are described below. As new flows arrive, they can be tagged as belonging to a specific application. Only the first match will apply to any given flow, so applications should be ordered in a way that the most specific, and/or most desired match is higher in the list (lower index) so that it matches before wider catch-all matches. The Oracle pre-defined list is structured in this manner.

Once a packet has been classified, the application identifier can be used as a match criterion in a rule or firewall filter to handle this type of traffic. User Defined Applications provide the ability for the user to define custom applications. User defined applications take precedence over the Oracle Pre-defined application list.

Applications are a convenient way to manage large complex combinations of match criteria, or managing large numbers of rules, or policies where match criteria may change. These changes can then be made to the application without having to go find each rule or policy where they may have been used.

The options include:

  • Priority: The order/precedence in which policy will be applied, lower numbered policies are applied first.
  • Name: The customer defined name for the application.
  • Category: The Application Category this application belongs to. If no Category is selected, the application is assigned to the Other category.
  • Enable: Check to enable the application as a match criteria for Application Policies, Rules, and Firewall Policies.
  • Classification: When an application policy steers traffic to a conduit, the classification option provides the pre-defined QoS rules associated with the Application. These map to the standard Oracle SD-WAN Classes and Rules (Real-Time, Interactive or Bulk) as shown in the following table. Priority levels are straightforward, with P1 the highest priority within a Class and serviced first from a traffic perspective.

    Application Classification   Default Rule Used   Class         Class of Service
    realtime_p1                  Default_EF          Real-Time     10
    realtime_p2                  Default_UDP         Real-Time     10
    interactive_p1               Default_ICMP        Interactive   11
    interactive_p2               Default_ssh         Interactive   12
    interactive_p3               Default_HTTP        Interactive   14
    interactive_p4               Default_Telnet      Interactive   12
    bulk_p1                      Default_CIFS        Bulk          15
    bulk_p2                      Default_FTP         Bulk          16

  • Response Time Normal: The Application Dashboard reports the Health of an application. Health is calculated when a Probing Interval is defined (in seconds) and the measured response time is compared against the Normal and Warning thresholds. When defining an application, the user can keep the default values or configure them. These values apply at the global level: when the application is used in an application policy that applies to multiple sites, the same response time threshold applies to the application at all source sites defined. The values can also be changed at the site level if required (in the configuration, go to the site and select Basic Settings); when configured at the site level, the site value is added to the global value for that site.
  • Response Time Warning: The Warning threshold for the same health calculation. It is defined, applied globally and overridden per site in the same way as Response Time Normal.
  • Probing Interval: To probe an application for health checking purposes, define the interval at which the probe is sent. The system establishes a TCP session with the application's domain, measures the response time and then closes the TCP session. The Health of an application is displayed on the Application Dashboard.
  • Application Match Criteria: Allows the user to define a method to match an application, either a 5 tuple or a Domain Name. When Domain Name is selected as Match, the user is required to enter a domain name which will then be matched by either DNS Proxy or DNS snooping.
  • Port – When only one port number is specified, it must match either the source or the destination port in the packet.
  • Port – When one port range is specified, e.g. 20-21, either the source or the destination port must fall within this range.
  • Ports – When two port numbers are specified, one must match the source port and the other the destination port of the packet.
  • Ports – When two port ranges are specified, the source port in the packet must fall in one range and the destination port in the other range.
  • Network IP Address 1 – When only one IP address and mask is specified, it must match either the source or the destination IP address in the packet.
  • Network IP Address 2 – When both IP addresses and masks are specified, one must match the source IP address and the other the destination IP address in the packet.
  • DSCP – Match a specific DSCP value.

Note: If a single port or network IP address is defined, the system checks both the source and the destination for a match.
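The port and address rules above, together with the first-match ordering rule from the start of this section, are easier to reason about in code. The following Go program is an added example written for this page, not the product's classifier: it implements the single-port/single-network "either side" rule and the two-port/two-network "one each side" rule, then classifies sample packets against a constructed application list. Domain Name matching is not modelled. One reading is assumed and labelled: when two ports or two networks are given, they may match source and destination in either order, following the wording of the two-range rule. The application names, addresses and packets are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// PortRange is inclusive; the zero value means "not specified".
type PortRange struct{ Lo, Hi int }

func (r PortRange) set() bool           { return r.Hi > 0 }
func (r PortRange) contains(p int) bool { return p >= r.Lo && p <= r.Hi }

// App is one application entry holding the 5-tuple match criteria.
type App struct {
	Name         string
	Protocol     string // "" = any
	Port1, Port2 PortRange
	Net1, Net2   *net.IPNet // nil = not specified
	DSCP         int        // -1 = any
}

type Packet struct {
	Protocol         string
	Src, Dst         net.IP
	SrcPort, DstPort int
	DSCP             int
}

// portsMatch: one port/range must match either the source or the destination
// port; two must cover source and destination, one each, in either order (assumed).
func (a App) portsMatch(p Packet) bool {
	one, two := a.Port1, a.Port2
	if !one.set() {
		one, two = two, one
	}
	switch {
	case !one.set():
		return true
	case !two.set():
		return one.contains(p.SrcPort) || one.contains(p.DstPort)
	}
	return (one.contains(p.SrcPort) && two.contains(p.DstPort)) ||
		(two.contains(p.SrcPort) && one.contains(p.DstPort))
}

// netsMatch applies the same rule to the two network address/mask fields.
func (a App) netsMatch(p Packet) bool {
	one, two := a.Net1, a.Net2
	if one == nil {
		one, two = two, one
	}
	switch {
	case one == nil:
		return true
	case two == nil:
		return one.Contains(p.Src) || one.Contains(p.Dst)
	}
	return (one.Contains(p.Src) && two.Contains(p.Dst)) ||
		(two.Contains(p.Src) && one.Contains(p.Dst))
}

func (a App) Matches(p Packet) bool {
	if a.Protocol != "" && a.Protocol != p.Protocol {
		return false
	}
	if a.DSCP >= 0 && a.DSCP != p.DSCP {
		return false
	}
	return a.portsMatch(p) && a.netsMatch(p)
}

// Classify returns the name of the first matching application, or "" if none.
func Classify(apps []App, p Packet) string {
	for _, a := range apps {
		if a.Matches(p) {
			return a.Name
		}
	}
	return ""
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// DemoApps is a constructed list ordered most-specific first, as the page advises.
func DemoApps() []App {
	return []App{
		{Name: "corp-ssh", Protocol: "tcp", Port1: PortRange{22, 22}, Net1: mustCIDR("10.0.0.0/8"), DSCP: -1},
		{Name: "ftp", Protocol: "tcp", Port1: PortRange{20, 21}, Port2: PortRange{1024, 65535}, DSCP: -1},
		{Name: "ssh-any", Protocol: "tcp", Port1: PortRange{22, 22}, DSCP: -1},
	}
}

func main() {
	p := Packet{"tcp", net.ParseIP("192.168.5.20"), net.ParseIP("10.0.0.5"), 51000, 22, 0}
	fmt.Println(Classify(DemoApps(), p)) // corp-ssh
}
```

Swapping the order so that ssh-any precedes corp-ssh makes the catch-all shadow the specific entry for every SSH flow, which is the ordering mistake the section warns against.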

The user also has the ability to edit, delete, or clone an application if required.

Application Policies

An application policy provides the user the ability to select a defined (Oracle defined or user defined) application, or category, and steer it to an Oracle service. This allows users to steer certain applications to the local Internet service while hair-pinning others as needed. The configuration of a policy requires certain properties, defined in detail below. Once the policy is defined and the configuration activated, the SD-WAN Edge uses DNS snooping (disabled by default) to match the Domain Name defined for the application. Once a match is found, the application is steered to the defined service as long as that service is available. If the service is down, the routing table is used to forward the packets to their destination.

Application policies - allows the user to view defined policies with their configured attributes. This view displays policies by the defined application name, not the underlying application, and also shows the destination service and classification for that application name.

Configuration Properties for Adding an Application Policy:

  • Priority: The order/precedence in which policies will be applied; lower numbered policies are applied first.
  • Name (application): The name of the application policy, used to display the policy.
  • Enable: When selected, the system will look to match on the parameters defined for the application: 5 tuple, or DNS matching of the domain name. If a domain name is defined and this is the first such policy configured, DNS snooping will be enabled for all SD-WAN Edges the policy applies to.
  • Dest Site: The destination site for the policy, i.e. the site the application is sent to. The dest site can be a site name combined with a service, for example to hair-pin the INTERNET service at the SD-WAN Controller. It can also be the local option, where the user selects the local INTERNET service, which must be available at the site, to steer traffic to.
  • Dest Service Type: The service type is an available Oracle service. The service must be available at the (dest) site, otherwise the user receives a warning during the configuration process; this can be an issue when selecting a site group for the dest site. Available service types include INTERNET and INTRANET.
  • Dest Service Name: If a service is enabled at a site and multiple services can be supported, each service must have a unique name. Multiple service names may be listed for the user to choose from; the user must select the correct service name for application steering to work properly.
  • Classification: When an application policy steers traffic to a conduit, the classification option provides the pre-defined QoS rules associated with the application. The default Application Classification can be used, or the user can select from a pre-defined list of Classifications to override the value defined for the Application. These map to the standard Oracle classes and rules: Real-time, Interactive or Bulk.
  • Application Category Match: Each Pre-Defined and User-Defined application maps to a category. If preferred, the user can select a category (group of applications) and steer the whole category to a service.
  • Application Match: Select a specific application and steer it to a service.
  • Source Network Match: The user can define source group address prefixes and then use them as a source match for the application policy. They must first be configured under the "Source Group objects" tab.
  • Site Group Match: The group of sites the policy is applied to. The options include all client sites, SD-WAN Controller sites or user-defined sites, giving the user as much flexibility as possible when assigning policies to sites. This can be done at the group level or the site level. The dest could also be a site name combined with a service to hair-pin the INTERNET service at the SD-WAN Controller. The application policy is then applied to all sites in the defined site group.
  • Site Match: Used when the user requires a single source site match for a policy. If the user has a single site with unique services, this option can be selected for that specific site; the application policy is then applied only to that site.

Site Group Objects

Site Group Objects: The Site Group options allow the user to group sites together for use in application policies. By default there are groups for all client (branch) sites, SD-WAN Controller based sites and all sites. If the user needs any other groupings, they have the ability to create them as needed.

Firewall

Firewall allows users to configure global firewall objects, including defining Zones and Firewall Policy Templates.

NOTE: Global Firewall options can be configured in the Global SD-WAN Edge Network Settings section.

Zones

Zones define a logical security grouping of networks connected to the SD-WAN Edge network. Zones can be applied to Virtual Interfaces, Intranet Services, LAN GRE Tunnels and LAN IPsec Tunnels. Intranet Services automatically determine a Zone based on the configuration. Three Zones are automatically defined and always present in the SD-WAN Edge network:

  • Default_LAN_Zone: This Zone is applied to Virtual Interfaces, Intranet Services, LAN GRE Tunnels and LAN IPsec Tunnels if no Zone is specifically configured.
  • Internet_Zone: This Zone is applied to Internet Services that do not have a usage for a WAN Link on an untrusted interface.
  • Untrusted_Internet_Zone: This Zone is applied to Internet Services that have at least one usage for a WAN Link on an untrusted interface.

Firewall Policy Templates

Firewall Policy Templates can be used to simplify the Firewall configuration for similar sites within the SD-WAN Edge network or for all Sites simultaneously. Each Site can have zero or more Templates applied allowing the Site to share Firewall roles in the network. Under the Global SD-WAN Edge Network Settings, a single Template can be applied for all Sites simultaneously.

Policies from the Templates are applied at each Site in the following order:

  • Pre-Policies from Templates configured in Firewall Settings according to the order of the templates.
  • Pre-Policies from the Global Template configured in SD-WAN Edge Network Settings.
  • Policies configured at the Site.
  • Policies automatically created to support NAT or Port Forwarding policies for the Site.
  • Post-Policies from Templates configured in Firewall Settings according to the order of the templates.
  • Post-Policies from the Global Template configured in SD-WAN Edge Network Settings.
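The practical consequence of this order is easiest to see by laying the policies out and evaluating packets against them. The following Go program is an added example written for this page, not the product's firewall engine: EffectiveOrder builds the combined list in the six steps above and Evaluate applies first-match with the Default Firewall Action for anything unmatched. The template names, policy names, zones used as match fields and the sample packets are constructed; the zone names are the three automatic Zones defined in the next section.

```go
package main

import "fmt"

type Action int

const (
	Allow Action = iota
	Drop
)

func (a Action) String() string {
	if a == Allow {
		return "Allow"
	}
	return "Drop"
}

// Packet carries only the fields the sample policies match on.
type Packet struct {
	SrcZone, DstZone string
	Proto            string
	DstPort          int
}

// Policy is one firewall policy; the first matching policy wins.
type Policy struct {
	Name   string
	Match  func(Packet) bool
	Action Action
}

// Template is a Firewall Policy Template with its Pre- and Post-Policies.
type Template struct {
	Name      string
	Pre, Post []Policy
}

// EffectiveOrder concatenates policies in the six-step order listed above.
func EffectiveOrder(siteTemplates []Template, global *Template, sitePolicies, natAuto []Policy) []Policy {
	var order []Policy
	for _, t := range siteTemplates { // 1. Pre-Policies of the site's templates, in order
		order = append(order, t.Pre...)
	}
	if global != nil { // 2. Pre-Policies of the Global Template
		order = append(order, global.Pre...)
	}
	order = append(order, sitePolicies...) // 3. policies configured at the Site
	order = append(order, natAuto...)      // 4. auto-created NAT / Port Forwarding policies
	for _, t := range siteTemplates { // 5. Post-Policies of the site's templates, in order
		order = append(order, t.Post...)
	}
	if global != nil { // 6. Post-Policies of the Global Template
		order = append(order, global.Post...)
	}
	return order
}

// Evaluate is first-match; an unmatched packet gets the Default Firewall Action.
func Evaluate(order []Policy, p Packet, def Action) (Action, string) {
	for _, pol := range order {
		if pol.Match(p) {
			return pol.Action, pol.Name
		}
	}
	return def, "default"
}

func tcpTo(port int) func(Packet) bool {
	return func(p Packet) bool { return p.Proto == "tcp" && p.DstPort == port }
}

func fromZone(zone string, m func(Packet) bool) func(Packet) bool {
	return func(p Packet) bool { return p.SrcZone == zone && (m == nil || m(p)) }
}

// DemoOrder builds a constructed site: one branch template, the Global Template,
// one policy configured at the site and one automatically created port-forward policy.
func DemoOrder() []Policy {
	global := &Template{Name: "Global",
		Pre:  []Policy{{Name: "global-allow-dns", Match: func(p Packet) bool { return p.Proto == "udp" && p.DstPort == 53 }, Action: Allow}},
		Post: []Policy{{Name: "global-drop-from-untrusted", Match: fromZone("Untrusted_Internet_Zone", nil), Action: Drop}},
	}
	branch := Template{Name: "Branch",
		Pre: []Policy{{Name: "branch-drop-telnet", Match: tcpTo(23), Action: Drop}},
	}
	site := []Policy{{Name: "site-allow-https", Match: fromZone("Default_LAN_Zone", tcpTo(443)), Action: Allow}}
	nat := []Policy{{Name: "auto-portfwd-8080", Match: fromZone("Untrusted_Internet_Zone", tcpTo(8080)), Action: Allow}}
	return EffectiveOrder([]Template{branch}, global, site, nat)
}

func main() {
	order := DemoOrder()
	for i, p := range order {
		fmt.Printf("%d. %s\n", i+1, p.Name)
	}
	inbound := Packet{SrcZone: "Untrusted_Internet_Zone", DstZone: "Default_LAN_Zone", Proto: "tcp", DstPort: 8080}
	a, name := Evaluate(order, inbound, Drop)
	fmt.Printf("inbound tcp/8080 from untrusted: %s via %s\n", a, name)
}
```

The point worth checking in any real deployment: a "drop everything from the untrusted zone" Post-Policy in the Global Template sits after the automatically created NAT and Port Forwarding policies, so it does not block port-forwarded traffic; a policy meant to restrict that traffic has to be a Pre-Policy or a Site policy.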

Network Objects

Named groups of network elements that allow network administrators to more efficiently manage network configurations.

DHCP Option Sets

DHCP Option sets are a group of DHCP Options or Parameters that can be applied to individual IP Address ranges or a single host.

Options

These are different options that can be configured and sent to DHCP clients.

  • Option Name : Select the DHCP option that needs to be configured.
  • Option Number : Enter the option number(224 - 254) for Custom option. This field is pre-configured for well known options.
  • Data Type : Select the data type for the value field for Custom option. This field is pre-configured for well known options.
  • Value: Enter the value for the selected option.

QoS Policies

A QoS Policy defines a global set of Conduit, Cloud Service, Internet and Intranet QoS Policies that can be applied in the SD-WAN Edge network. In addition to these QoS Policies, a Site may override or add to definitions contained in the QoS Policy.

Conduit QoS Policies

A Conduit QoS Policy defines a global set of Classes and Rules that can be applied to any Conduit Service in the SD-WAN Edge network. The Conduit QoS Policy allows the user to define a Conduit's Rules and Classes and then apply them in the Conduit Service. This allows the Classes and Rules to be declared and audited in one central location. In addition to the Rules defined in the Conduit QoS Policy, a Conduit Service may add to the definitions contained in the Conduit QoS Policy.

Classes (Realtime, Interactive, Bulk)

These are tools that the user can employ to classify a specific type of traffic on the Conduit and then apply Rules as to how that traffic is handled. Conduit traffic is scheduled according to its Class type and parameters. Traffic is assigned to a specific class using the Class Identifier parameter within the Rules. Each Conduit Service can have up to sixteen Classes of Service. The Class Identifier does not imply scheduling priority: an intuitive convention is to have priority decrease with increasing number (for example, Class 0 highest and Class 9 lowest), but this is not required. When a Conduit QoS Policy is applied to a Conduit Service, the Classes can only be edited from the scope of the Conduit QoS Policy. If there is a need to edit Classes at the Conduit Service while a Conduit QoS Policy is applied, check the Unlink Classes from QoS Policy button in the Basic Settings of the Conduit Service on the Connections tab. See that section for more details on this button.

The sixteen Classes of Service supported by the SD-WAN Edge network are condensed to four Classes at the path level (in descending order of priority: Reserved, Realtime, Interactive and Bulk).

The scheduler allocates the highest priority to the Reserved Class and the lowest priority to the Bulk Class. The Reserved Class is not visible to the user as it is reserved for SD-WAN Edge use only. The remaining three Classes can be mapped to any of the sixteen Classes of Service, which are configured by the user.

Initial and Sustained columns are used to describe the parameters for Realtime and Interactive traffic.

The Initial Period is the duration in milliseconds that the Class will apply the Initial Rate for the Realtime Class flows or the Initial Share for the Interactive Class flows. The Sustained Rate and Sustained Share are used to limit the flow after the Initial Period has ended.

The SD-WAN Edge Class supports three types:

  • Realtime Class

Best used for low latency, low bandwidth, time-sensitive traffic. Applications that are time sensitive but don't really need high bandwidth, such as voice over IP networks, can be categorized as Realtime. These applications are very sensitive to latency and jitter, but may tolerate some loss. Sometimes it is better to lose a few packets but not so many that it causes distortion. Realtime Classes provide a per-packet drop policy if the Conduit Class queue depth exceeds an estimated queue time. Small Packet Max Delay and Large Packet Max Delay parameters are used to configure the queue depth.

The Guaranteed Rate is based on the parameters set for the Realtime Class. The scheduler guarantees the Initial Rate and the Sustained Rate configured by the user. The Initial Rate determines how fast the packets can get out of the queue in a given period of time, called Initial Period. After the Initial Period is over, the Sustained Rate determines the rate at which the packets leave the Conduit. Typically initial rate and sustained rates are set to 50% of the Conduit bandwidth.

When in contention, Realtime Class will receive guaranteed rate plus a small percentage of the available bandwidth, which is shared with the remaining two Classes; Interactive and Bulk.

  • Interactive Class

Best used for interactive traffic with low to medium latency requirements and low to medium bandwidth requirements. These applications typically have a server-client relationship; they involve human input in the form of mouse clicks or cursor moves from the client side and display graphics sent from the server to the client. Although client to server communication may not need high bandwidth, it is sensitive to loss and latency. Similarly, communication in the direction of server to client may not be sensitive to loss but does need high bandwidth to transfer graphical information. Examples include: Interactive Video, Remote Desktop, SSH, HTTPS, CICS, SQL, and VNC. Interactive Classes provide a per-packet drop policy if the queue depth exceeds a user configured byte count threshold, and the estimated time a packet will be pending to the Conduit in its Class queue exceeds a user configured time duration (in milliseconds). Small Packet Max Delay and Large Packet Max Delay parameters are used to configure the queue depth.

The bandwidth remaining after the Realtime traffic has been serviced is available to the Interactive Class on a fair share basis, governed by the Sustained Share (%) (m2). To service Interactive Class packets that were starved by the Realtime Class, the Initial Share (%) (m1) determines the rate at which these packets are serviced during a given time, called the Initial Period (x1). Typically, the Initial Period (x1) is set to 20ms. The Sustained Share (m2) determines the rate at which packets are serviced after the Initial Period is complete.

  • Bulk Class

Best used for high bandwidth, latency tolerant traffic. Applications that handle file transfer and need high bandwidth are categorized as Bulk Class. Such applications are not very sensitive to loss or latency: TCP retransmits lost packets, although heavy loss causes excessive retransmissions that do affect application performance. These applications involve very little human interaction and are mostly handled by the systems themselves. Examples of Bulk applications include FTP, TFTP, CIFS, and rsync. Bulk Classes provide a per-packet drop policy if the Conduit Class queue depth exceeds an estimated queue byte count. The Delay Min Depth parameter can be used to configure the queue depth.

The Sustained Share (%) of the bandwidth remaining after Realtime and Interactive have been serviced is available to the Bulk Class on a fair share basis. These packets are serviced last and do not receive an initial share percentage like the Interactive Class. However, this Class does share the remaining bandwidth with the Interactive Class on a fair share basis. The parameter Bulk Share (m2, in percent) determines the share of the remaining Conduit bandwidth the Bulk Class will receive. Typically, the Interactive Class gets a higher share than Bulk.

NOTE: When not in contention, the Classes will be serviced at Conduit Rate.

Conduit/Conduit QoS Policy/Cloud Service QoS Policy Rules

Rules are shown as a list view on this screen, organized by their relative Order and shown with their match criteria in the table. Rules are checked and matched for the current service in the order shown in the table.

Rules that share a MOS Group Name may be monitored collectively in Reports or Graphs if the Track Performance option is enabled.

Note: Use MOS Groups section to define new MOS Group Name

Clicking the Clone button inserts a copy of the selected rule at the end of the list. After the rule is filled in and the changes are applied, the table is renumbered in increments of 100 in the same order. For example, if the existing rules have order numbers 100 and 200 and a new rule is added with order number 150, after the apply the order numbers are 100, 200, 300: the new rule (150) becomes 200 and the former 200 becomes 300.

Once the rule is defined for matching criteria the user can set rule specific properties by selecting the () option.

The rule options are consistent for any rule defined in the system. Once open the user can set the following:

Initialize Properties Using Protocol

  • WAN General
  • WAN Ingress
  • WAN Egress
  • Deep Packet Inspection

These options are described in the following sections and are set for each rule defined. The user only has to select the options that pertain to the specific rule.

Initialize Properties Using Protocol button will fill the Rule properties using recommended settings for this protocol after a protocol is selected.

WAN General

The WAN General tab provides the user with the ability to configure general operations on the flows matching this rule. These include the following types of operations:

  • Load balancing: Traffic for the flow is balanced across multiple paths for this service, aggregating all the paths for the flow. With this option configured, packets are sent across the best path until it is completely used, and the remaining packets are then sent across the next best path.
  • Duplicate paths: Traffic for the flow will be duplicated across multiple paths for this flow to increase reliability.
  • Persistent paths: Traffic for the flow will remain on the same path. Maintain the same path for the flows if possible. This only changes when the path is not available.
  • Preferred WAN Link: Traffic for the flow will prefer paths using this WAN link. This only applies when transmit mode is set to persistent path and for rules specific to a conduit.
  • Persistent Impedance(ms): Traffic for the flow will stay on one path until the wait time is longer than the configured value. This only applies when transmit mode is set to persistent path.
  • Override services: Traffic for the flow will override to a different service. In the case of a Conduit, it could override to Intranet, Internet, Pass-through, or Discard. For an Intranet Service, it can override to Internet, Pass-through, or Discard. For an Internet Service, it can override to Intranet, Pass-through or Discard. This feature allows you to select the destination service that the flows should go to, if enabled. In other words, this allows you to drop traffic out of the Conduit.
  • Retransmit Lost Packets: The SD-WAN Edge will retransmit any frames lost in the cloud.
  • TCP Termination: Traffic for this flow will be TCP terminated locally to improve throughput, reducing the round-trip times for acknowledgement packets. This functionality allows you to extend the end station TCP windows for high latency and high bandwidth networks.
  • WAN Optimization: Traffic for this flow will be cached and De-Duplicated locally to improve throughput, reducing the amount of traffic sent over the WAN.
  • Header Compression: Headers on this flow will be compressed to improve throughput. Support for IP,TCP and UDP as well as GRE frames can be enabled.
  • Packet Aggregation: Small packets on this flow will be aggregated together into larger packets to improve throughput and reduce the impact of the headers on the bandwidth usage.
  • Track Performance: If enabled, performance of a rule over time will be recorded in a session DB. Recorded attributes are loss, latency, jitter and bandwidth used.
Conduit/Advanced Settings - Conduit Class Policing Threshold Settings

In general, the default settings should be accepted for these parameters, but under some circumstances it may be appropriate to adjust these tuning settings.

These thresholds indicate the maximum queue depth of packets and data pending for a class within a conduit.

The Entry threshold should be set to the maximum latency difference anticipated between WAN paths, plus an additional margin for occasional bursts.

  • Enable Policing Action: When checked, policing action is taken when traffic passes the threshold. Default is disabled.
  • Entry (Higher) Threshold in ms: When the packet queue latency exceeds this threshold, the classes are policed more aggressively until the congestion is mitigated. The default value is 200 ms. Set to 0 ms to disable the events raised on policing state transitions.
  • Exit (Lower) Threshold percentage: The percentage of the entry threshold below which the policy is no longer enforced. The default value is 20%.
  • Average Packet Size in bytes: An estimate of the anticipated packet sizes to be used for policing. For voice intensive use cases, this should be lower. For bulk traffic use cases it should be set high. The default value is 750 bytes.

These settings may need to be changed in the following cases:

  • Eligibility is disabled on WAN links that have substantial capacity relative to the conduit.
  • Very high latency WAN links, such as satellite, are combined with a low latency network where the latency difference is above the default setting. For example, a 450 ms satellite path combined with a 20 ms wireline path: in this case the maximum threshold should be set to 450-20=430 ms, plus an additional 40 ms for bursts, resulting in 470 ms.
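The following is an added example, not code from the Oracle SD-WAN documentation: it applies the Entry threshold sizing rule above and models the Entry/Exit hysteresis of the policing state using the documented defaults. The class and function names, the queue latency estimate and the sample latency values are assumptions.

```python
# Added example (not from the SD-WAN Edge documentation). Models the documented
# Entry/Exit policing thresholds; names and the latency estimate are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple


def entry_threshold_ms(path_latencies_ms: List[int], burst_margin_ms: int = 40) -> int:
    """Documented sizing rule: largest latency difference between paths plus a burst margin."""
    return max(path_latencies_ms) - min(path_latencies_ms) + burst_margin_ms


@dataclass
class ClassPolicer:
    entry_ms: float = 200.0        # Entry (Higher) Threshold, documented default
    exit_pct: float = 20.0         # Exit (Lower) Threshold percentage, documented default
    avg_packet_bytes: int = 750    # Average Packet Size, documented default
    policing: bool = False
    transitions: List[Tuple[str, float]] = field(default_factory=list)

    @property
    def exit_ms(self) -> float:
        """Policing is released only once latency falls below this fraction of Entry."""
        return self.entry_ms * self.exit_pct / 100.0

    def queue_latency_ms(self, queued_packets: int, rate_kbps: int) -> float:
        """Estimated wait for the queued data, sized with the Average Packet Size (assumed model)."""
        return queued_packets * self.avg_packet_bytes * 8 / rate_kbps   # bits / kbit/s = ms

    def observe(self, latency_ms: float) -> bool:
        """Apply the hysteresis: enter above Entry, leave below Exit; return the current state."""
        if not self.policing and latency_ms > self.entry_ms:
            self.policing = True
            self.transitions.append(("enter", latency_ms))
        elif self.policing and latency_ms < self.exit_ms:
            self.policing = False
            self.transitions.append(("exit", latency_ms))
        return self.policing


def run_policer(policer: ClassPolicer, samples: List[float]) -> List[bool]:
    """Feed a series of queue latency samples and return the policing state after each."""
    return [policer.observe(s) for s in samples]


if __name__ == "__main__":
    # Constructed scenario from the text: 450 ms satellite path with a 20 ms wireline path.
    entry = entry_threshold_ms([450, 20])          # 470
    policer = ClassPolicer(entry_ms=entry)
    print("entry", entry, "exit", policer.exit_ms)   # exit is 20% of entry: 94.0
    print(run_policer(policer, [100, 480, 300, 120, 90, 500]))
    print(policer.transitions)
```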

WAN Ingress

The WAN Ingress section provides the user with the ability to configure WAN Ingress behavior for this rule on the matching flow data. These properties are related to setting or reassigning the Class of WAN Ingress packets and controlling duplication and dropping packets due to queue depth values.

  • Class: The Class that is to service traffic flows that match this Rule. The default value is Class 9.
  • Large Packet Size: Packets destined for this Class which are larger than or equal to this size will follow large packet drop policy. Packets which are smaller than this size will follow small packet drop policy. If this size is set to 0, all packets will be treated as small packets.
  • Drop Limit: The maximum amount of estimated time that packets smaller than the Large Packet Size will have to wait in the Class scheduler. If the estimated time exceeds this threshold, the packet is discarded and statistics are counted. Not valid for Bulk Classes.
  • Drop Depth: If the queue depth exceeds this threshold, the packet will be discarded and statistics will be counted.

NOTE: Exceeding either the Drop Limit or the Drop Depth will cause a frame to be dropped.

  • Enable RED: Random Early Detection (RED) will help promote the fair sharing of Class resources by judiciously discarding packets as worsening congestion is encountered. Works best with protocols/applications that back off when they detect loss, like TCP.
  • Reassign Size: This is used to define a packet length. When exceeded, a flow will be reassigned to a different Class defined by the Reassign Class id.
  • Reassign Class: This Class is used when the packets in a given flow exceed a defined length. If the default option is selected, packets will not be assigned to an alternate class based on packet size, and will continue to be mapped to the class specified in the "General" section.
  • Duplicate Packets: Values used to determine when not to duplicate a flow.
  • TCP Standalone ACK Class: Allows the responding TCP Standalone ACKs to be mapped to a higher priority Class when a large file transfer is taking place. Used to improve the performance of a file transfer. If the default option is selected, TCP Standalone ACKs continue to be mapped to the class specified in the "General" section.

WAN Egress
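As an added example (not code from the SD-WAN Edge documentation), the following models the WAN Ingress class assignment and drop decisions described above: the Large Packet Size split, Drop Limit for small packets, Drop Depth for the queue, size-based reassignment and the TCP Standalone ACK Class. The per-packet drain estimate, the threshold values and the treatment of large packets beyond Drop Depth are assumptions, not documented behaviour.

```python
# Added example (not from the SD-WAN Edge documentation). Names, threshold values
# and the queue drain estimate are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class IngressRule:
    cls: int = 9                     # Class; 9 is the documented default
    large_packet_size: int = 0       # 0 => all packets are treated as small packets
    drop_limit_ms: float = 150.0     # max estimated wait for small packets (assumed value)
    drop_depth: int = 100            # max queue depth in packets (assumed value)
    reassign_size: int = 0           # 0 => no size-based reassignment (assumed encoding)
    reassign_class: Optional[int] = None
    ack_class: Optional[int] = None  # TCP Standalone ACK Class; None keeps the default


@dataclass
class ClassQueue:
    depth: int                       # packets currently queued in the Class scheduler
    drain_ms_per_packet: float       # assumed per-packet service time estimate

    def estimated_wait_ms(self) -> float:
        """Estimated time a newly queued packet waits before the scheduler serves it."""
        return self.depth * self.drain_ms_per_packet


def assign_class(rule: IngressRule, packet_len: int, standalone_ack: bool = False) -> int:
    """Pick the Class for a packet: the ACK override first, then size-based reassignment."""
    if standalone_ack and rule.ack_class is not None:
        return rule.ack_class
    if rule.reassign_size > 0 and packet_len > rule.reassign_size and rule.reassign_class is not None:
        return rule.reassign_class
    return rule.cls


def admit(rule: IngressRule, queue: ClassQueue, packet_len: int) -> Tuple[bool, str]:
    """Decide whether the scheduler queues or discards the packet, and why."""
    is_large = rule.large_packet_size > 0 and packet_len >= rule.large_packet_size
    # Drop Depth is applied to every packet regardless of size (assumption).
    if queue.depth > rule.drop_depth:
        return False, "drop depth exceeded"
    # Drop Limit is the documented policy for packets smaller than Large Packet Size.
    if not is_large and queue.estimated_wait_ms() > rule.drop_limit_ms:
        return False, "drop limit exceeded"
    return True, ("large packet queued" if is_large else "small packet queued")


if __name__ == "__main__":
    # Constructed rule: 1000-byte large packet split, reassign flows with >1200-byte packets.
    rule = IngressRule(large_packet_size=1000, reassign_size=1200, reassign_class=5, ack_class=2)
    slow = ClassQueue(depth=50, drain_ms_per_packet=4.0)   # 200 ms estimated wait
    print(assign_class(rule, 64, standalone_ack=True), assign_class(rule, 1400))
    print(admit(rule, slow, 500), admit(rule, slow, 1400))
```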

The WAN Egress section provides the user with the ability to set rule properties controlling operations on packets received via WAN Egress: DSCP tagging and packet re-sequencing.

  • Re-sequence Packets: Puts packets that arrive out of order back in order at the destination.
  • Re-sequence Hold Time: Amount of time a packet can be held for re-sequencing before being sent to the LAN.
  • Discard Late Re-sequence Packets: If an out-of-order packet arrives late and the dependent packet has already been sent to the LAN, then discard it.
  • DSCP Tag: Remark packets in a given flow with a new DSCP Tag.

Deep Packet Inspection

The Deep Packet Inspection section provides the user with the ability to configure rule properties related to operations based on the contents of the matching packets.

Enable Passive FTP Detection: If enabled, this parameter will make processing decisions based upon user data. The rule will learn the port used for FTP data transfer and apply the rule properties to the learned port.

IPsec Properties

The IPsec properties section allows you to enable IPsec protection for data in the Conduit. If enabled, an IPsec tunnel is established across the Conduit before data can flow.

  • Secure Conduit User Data with IPsec: If enabled, user data transmitted using the Conduit is secured using an IPsec tunnel.
  • Tunnel Mode: The IPsec protocol to use, chosen from the following:
  • ESP: Data is encapsulated and encrypted.
  • ESP+Auth: Data is encapsulated, encrypted, and validated with an HMAC.
  • AH: Data is validated with an HMAC.
  • Encryption Mode: The encryption algorithm used when ESP is enabled.
  • Hash Algorithm: The hash algorithm used to generate an HMAC.
  • Lifetime (s): Your preferred duration, in seconds, for an IPsec security association to exist. Enter 0 for unlimited.

Advanced Settings

This section allows you to specify a bandwidth threshold in terms of a percentage of the total egress permitted rates of regular WAN links. If the available bandwidth provided by the regular WAN links in the conduit falls below this bandwidth threshold, on-demand standby WAN links in the conduit will be activated to supplement bandwidth.

Dynamic Conduit QoS Policies

A Dynamic Conduit QoS Policy defines a global set of Classes, Rules and Dynamic Conduit properties that are applied to all Dynamic Conduits in the SD-WAN Edge network.

Dynamic Conduit Properties

A Dynamic Conduit QoS Policy is created automatically in the Configuration when Dynamic Conduits are configured in the system. Currently the values defined are used for all Dynamic Conduits defined in the system.

  • Basic Settings: Properties used to establish/remove Dynamic Conduits. Value descriptions are provided to the user if they hover over the specific command.
  • Classes: Same values used for static Conduits.
  • Rules: Same values used for static Conduits.

Internet QoS Policies

An Internet QoS Policy defines a global set of Rules that can be applied to any Internet Service in the Adaptive Private Network. In addition to the Rules defined in the Internet QoS Policy, an Internet Service may override or add to definitions contained in the QoS Policy.

Internet Service Rules

Rules are shown as a list view on this screen, organized by their relative Order and shown with their match criteria in the table. Rules are checked and matched for the current service in the order shown in the table. Rules are typically used to tie services to a specific WAN Link. Rule matching options are the same as previously defined.

Mode: Defines what action is taken for the defined rule.

Override Service: The service to which the flow is overridden.

Enable Passive FTP Detection: If enabled, this parameter will make processing decisions based upon user data. The rule will learn the port used for FTP data transfer and apply the rule properties to the learned port.

Clicking the Clone button will insert a copy of the selected rule directly above it.

Intranet QoS Policies

An Intranet QoS Policy defines a global set of Rules that can be applied to any Intranet Service in the Adaptive Private Network. In addition to the Rules defined in the Intranet QoS Policy, an Intranet Service may override or add to definitions contained in the QoS Policy. Rules are typically used to tie services to a specific WAN Link. Rule matching options are the same as previously defined.

Override Service: The service to which the flow is overridden.

Intranet Service Rules

Rules are shown as a list view on this screen, organized by their relative Order and shown with their match criteria in the table. Rules are checked and matched for the current service in the order shown in the table.

Override Service: The service to which the flow is overridden.

Enable Passive FTP Detection: If enabled, this parameter will make processing decisions based upon user data. The rule will learn the port used for FTP data transfer and apply the rule properties to the learned port.

Clicking the Clone button will insert a copy of the selected rule directly above it.

Cloud Service QoS Policies

A Cloud Service QoS Policy defines a global set of Classes, Rules and Service properties that are applied to all Cloud Services in the SD-WAN Edge network. It is automatically created if none exists in the configuration.

Cloud Service Properties

Currently the values defined are used for all Cloud Services defined in the system.

  • Basic Settings: Properties used to establish/remove Cloud Services. Value descriptions are provided to the user if they hover over the specific command.
  • Classes: Same values used for static Conduits.
  • Rules: Same values used for static Conduits.

MOS Groups

Note: In previous releases, MOS Groups were called Applications. This change in terminology occurred in version 5.2 of the SD-WAN Edge Software.

The MOS Group is a gathering of rules which can define a particular application in the network. To create a new MOS Group in the configuration, simply click the add icon from this section. Once the MOS Group is created from this scope, individual rules can be tagged as belonging to a particular MOS Group by setting the "MOS Group Name" field for that rule to the newly created MOS Group. MOS Groups for the existing Default Rules have already been created for you.

From the scope of the MOS Group section, MOS Groups have the option to "Estimate MOS". Enabling this setting causes SD-WAN Aware to calculate a MOS Score passively for existing traffic that passes through the Conduit. This MOS Score is a quality assessment of the MOS Group traffic, judged as if it were a VoIP phone call. This statistical data is only visible from SD-WAN Aware.

Note: The Track Performance option must be enabled on a Rule in order to "Estimate MOS" for the "MOS Group Name" assigned to that Rule.

Autopath Groups

Autopath Groups automatically generate Paths between WAN Links using preset parameters. When a pair of local and remote WAN Links of the same Access Type (Public Internet, Private Intranet, or Private MPLS) reference the same Autopath Group, a Path is created in both directions between the links using the Autopath Group settings. By default, Paths between Private MPLS WAN Links are only created between MPLS Queues with matching DSCP tags.

A Default Autopath Group must always exist and is denoted as <DEFAULT> in Conduit Usages.

The Configuration options for Autopath groups are:

  • IP DSCP Tagging: Provides a tag for the external IP header of the Talari Reliable Protocol (TRP) frame.
  • Enable Encryption: Encrypts the TRP frame.
  • Bad Loss Sensitive: A Path may be marked as BAD due to loss and will incur a latency penalty in Path scoring. Disabling this option may be useful when the loss of bandwidth is intolerable.
  • Percent Loss (%): When Bad Loss Sensitive is set to Custom, if packet loss exceeds the set percentage over the configured time, the GOOD Path state will change to BAD. The default setting uses an internal Oracle algorithm.
  • Over Time (ms): When Bad Loss Sensitive is set to Custom and Percent Loss is set to a value other than DEFAULT, if packet loss exceeds the set percentage over this configured time, the Path state is marked as BAD.
  • Silence Period (ms): The Path state transitions from GOOD to BAD when no packets are received within the specified amount of time.
  • Path Probation Period (ms): The period to wait before changing the Path state from BAD to GOOD.
  • Instability Sensitive: Latency penalties due to BAD state and other spikes in latency are considered in the Path scoring algorithm when this is enabled. Disabling this option may be useful when the loss of bandwidth (If Bad Loss Sensitive enabled) or latency spikes are intolerable.

There are four combinations for the Bad Loss Sensitive and Instability Sensitive settings:

  • Option 1: When Bad Loss Sensitive is set to Enable or Custom and Instability Sensitive is enabled, a Path may be marked as BAD and incur a latency penalty so it is only used as a last resort. In the event multiple Paths are marked BAD, there is still competition among them based on regular Path scoring.
  • Option 2: When Bad Loss Sensitive is set to Enable or Custom and Instability Sensitive is disabled, a Path may be marked as BAD and only used as a last resort, however latency spikes are not considered. In the event multiple paths are marked BAD, the ones with Instability Sensitive disabled will likely be used first.
  • Option 3: When Bad Loss Sensitive is set to Disable and Instability Sensitive is enabled, a Path remains GOOD in spite of loss, however latency spikes are still considered, so that Path is only likely to be used after Paths without latency spikes are exhausted.
  • Option 4: When Bad Loss Sensitive is set to Disable and Instability Sensitive is disabled, a Path remains GOOD and latency spikes are not considered, therefore the Path will likely remain in constant use.

Service Providers

Service providers are the container objects for WAN Link Templates. The intended abstraction is that placing a WAN Link Template in the scope of a particular service provider states that the template defines a WAN Link provided by that service provider.

For example, adding a broadband WAN Link Template under a service provider named TimeWarnerCable implies that the WAN Link Template will be applied to a Time Warner Cable public internet WAN Link.

While the broadband example is not especially powerful, the real value of the Service Provider is in MPLS WAN Links.

For example, adding an MPLS WAN Link Template under a service provider of "Verizon" implies that MPLS WAN Links using this template will be denoted as Verizon MPLS WAN Links. The underlying functionality associates all WAN Links using that template with an autogenerated "Verizon_MPLS" autopath group, thereby removing the need for the user to configure and associate autopath groups.

WAN Link Templates

WAN Link Templates can be used to simplify the WAN Link configuration for similar sites within the SD-WAN Edge network. Each Site that shares the same WAN Link characteristics can select the WAN Link Template to be applied to its WAN Link properties.

WAN Link Template - Basic Settings

The WAN Link Template Basic Settings allow for the description of the type of the link available.

Link Type is the type of link for this template, which may be Broadband, Private Link, or MPLS.

Auto-Path Group is the group used to determine what Paths may be automatically generated between the WAN Link and remote WAN Links and what default Path settings to use.

  • <None> indicates that no group is desired and will prevent Paths from being automatically generated to or from the WAN Link.

WAN Ingress

  • Physical Rate is the bit rate limit of the WAN Link for the traffic traveling from the LAN into the WAN. Configuration should match the physical capacity of the WAN Link.
  • Auto Learn indicates whether the permitted rate of the WAN Link will be automatically adjusted based on bandwidth test results. Before a valid test is completed, the physical rate will be used. No matter what the bandwidth test result is, the applied permitted rate will not exceed the physical rate.

WAN Egress

  • Physical Rate is the bit rate limit of the WAN Link for the traffic traveling from the WAN into the LAN. The Configuration should match the physical capacity of the WAN Link purchased from the service provider.
  • Auto Learn indicates whether the permitted rate of the WAN Link will be automatically adjusted based on bandwidth test results. Before a valid test is completed, the physical rate will be used. No matter what the bandwidth test result is, the applied permitted rate will not exceed the physical rate.

WAN Link Template - MPLS Queues

The WAN Link Template MPLS Queues allow for the definition of service queues using standard DSCP tags.

DSCP Tag: The DSCP Tag applied to the Oracle Conduit Path.

WAN Ingress Permitted Rate (Kbps): The available or allowed rate, in Kbps, for WAN Ingress traffic. The sum of WAN Ingress Permitted Kbps for all queues in a Private MPLS WAN Link may not exceed the WAN Ingress Permitted Kbps for the Private MPLS WAN Link.

WAN Egress Permitted Rate (Kbps): The available or allowed rate, in Kbps, for WAN Egress traffic. The sum of WAN Egress Permitted Kbps for all queues in a Private MPLS WAN Link may not exceed the WAN Egress Permitted Kbps for the Private MPLS WAN Link.
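The following added example (not code from the SD-WAN Edge documentation) applies two rules stated on this page to constructed WAN Link records: the Autopath Group rule from the Autopath Groups section (Paths are generated in both directions only between links of the same Access Type that reference the same Autopath Group, and between Private MPLS links only for MPLS Queues with matching DSCP tags), and the MPLS Queue constraint just described (queue permitted rates may not sum past the link's permitted rate). The data classes, link names, queue rates and the "/DSCP" endpoint naming are assumptions.

```python
# Added example (not from the SD-WAN Edge documentation). Record types, names and
# sample values are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MplsQueue:
    dscp: str            # DSCP tag of the queue
    ingress_kbps: int    # WAN Ingress Permitted Rate (Kbps) for this queue
    egress_kbps: int     # WAN Egress Permitted Rate (Kbps) for this queue


@dataclass(frozen=True)
class WanLink:
    name: str
    access_type: str                  # "Public Internet", "Private Intranet" or "Private MPLS"
    autopath_group: Optional[str]     # None stands for <None>: no auto-generated Paths
    ingress_kbps: int = 0             # link-level WAN Ingress Permitted Rate (MPLS only here)
    egress_kbps: int = 0              # link-level WAN Egress Permitted Rate
    queues: Tuple[MplsQueue, ...] = ()


def generate_paths(local: WanLink, remote: WanLink) -> List[Tuple[str, str]]:
    """Return the (source, destination) Paths the Autopath rules create between two links."""
    if local.autopath_group is None or remote.autopath_group is None:
        return []
    if local.access_type != remote.access_type or local.autopath_group != remote.autopath_group:
        return []
    if local.access_type == "Private MPLS":
        # Private MPLS: only queues with matching DSCP tags get a Path ("/DSCP" naming assumed).
        remote_dscp = {q.dscp for q in remote.queues}
        endpoints = [(f"{local.name}/{q.dscp}", f"{remote.name}/{q.dscp}")
                     for q in local.queues if q.dscp in remote_dscp]
    else:
        endpoints = [(local.name, remote.name)]
    paths: List[Tuple[str, str]] = []
    for src, dst in endpoints:           # a Path is created in both directions
        paths.append((src, dst))
        paths.append((dst, src))
    return paths


def validate_mpls_queues(link: WanLink) -> List[str]:
    """Report queues whose permitted rates sum past the link's permitted rates."""
    problems: List[str] = []
    total_in = sum(q.ingress_kbps for q in link.queues)
    total_out = sum(q.egress_kbps for q in link.queues)
    if total_in > link.ingress_kbps:
        problems.append(f"{link.name}: WAN Ingress queues total {total_in} Kbps > {link.ingress_kbps} Kbps")
    if total_out > link.egress_kbps:
        problems.append(f"{link.name}: WAN Egress queues total {total_out} Kbps > {link.egress_kbps} Kbps")
    return problems


# Constructed sample links; "Verizon_MPLS" and <DEFAULT> are group names used on this page.
SITE_A_MPLS = WanLink("SiteA-MPLS", "Private MPLS", "Verizon_MPLS", 10000, 10000,
                      (MplsQueue("EF", 2000, 2000), MplsQueue("AF31", 4000, 4000), MplsQueue("BE", 4000, 4000)))
SITE_B_MPLS = WanLink("SiteB-MPLS", "Private MPLS", "Verizon_MPLS", 6000, 6000,
                      (MplsQueue("EF", 2000, 2000), MplsQueue("BE", 5000, 5000)))   # over-subscribed
SITE_A_INET = WanLink("SiteA-Internet", "Public Internet", "<DEFAULT>")
SITE_B_INET = WanLink("SiteB-Internet", "Public Internet", "<DEFAULT>")
SITE_C_INET = WanLink("SiteC-Internet", "Public Internet", None)   # Auto-Path Group <None>

if __name__ == "__main__":
    print(generate_paths(SITE_A_MPLS, SITE_B_MPLS))   # EF and BE in both directions
    print(generate_paths(SITE_A_INET, SITE_C_INET))   # [] because <None> blocks auto-generation
    print(validate_mpls_queues(SITE_B_MPLS))
```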

WAN to WAN Forwarding Groups

The WAN To WAN (W-T-W) Forwarding Group is used to allow client sites to communicate with each other through an intermediary site. In previous releases only a single W-T-W forwarding group was allowed. In current releases this number is unrestricted. When enabled, the routing tables are shared between the site with W-T-W forwarding enabled and all client sites in the specific W-T-W group. Additionally, when using Dynamic Conduits, W-T-W forwarding must be enabled. By default all sites are in a default W-T-W forwarding group.

Site Name

As a site is added to the Configuration file the site name is automatically added. The user can open the site name and configure details for the site including the following:

  • WAN-to-WAN Forwarding: Assign the site to a W-T-W Forwarding Group other than the default.
  • Conduit: Define Conduit information.
  • Internet Services: Define Internet properties for the site.
  • Intranet Services: Define Intranet properties for the site.
  • Routes: Define routes for the site.
  • WAN Links: Define WAN Link properties for a site.

Conduit-to-Conduit Forwarding

Conduit-to-Conduit Forwarding allows the Site to act as an intermediate hop between two adjacent Sites for any Site-to-Site traffic. Unlike enabling WAN-to-WAN Forwarding, this does not export any routes from one site to other sites. Conduits include Static Conduits, Dynamic Conduits, and Cloud Services.

Conduit-to-Internet/Intranet Forwarding

Conduit-to-Internet/Intranet Forwarding allows the Site to act as an intermediate hop for any Site-to-Internet or Site-to-Intranet traffic. Unlike enabling WAN-to-WAN Forwarding, this does not export internet/intranet routes to other sites.

WAN-to-WAN Forwarding

WAN-to-WAN Forwarding allows the Site to act as an intermediate hop between two adjacent Sites for any Site-to-Site, Internet, or Intranet traffic, and to act as a mediator for Dynamic Conduits. The user can add multiple groups, each defined by a group name. When defining client sites, each client site can then be associated with a specific group name if desired.