Kaspersky SD-WAN

Managing links

You can view the links in one of the following ways:

  • To display the table of links established from a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Links tab.
  • To display the table of all links, go to the Infrastructure menu section, click Management → Configuration menu next to the controller, and go to the Links section.
  • To display the graphical topology with all links, go to the Infrastructure menu section, click Management → Configuration menu next to the controller, and go to the Topology section.

When viewing the table of links, information about the links is displayed in the following table columns:

  • Source is the name, DPID, and OpenFlow port number of the CPE device that is the link source.
  • Destination is the name, DPID, and OpenFlow port number of the CPE device that is the link destination.
  • Unsolicited indicates whether the controller uses this link as the last resort when calculating the path, regardless of the monitoring indicators:
    • Y
    • N
  • Thresholds monitoring indicates whether link monitoring is on:
    • Y
    • N
  • MTU is the MTU value of the link.
  • Errors/second is the number of errors per second on the link.
  • Utilization (%) is the load of the link as a percentage of the bandwidth of the source service interface.
  • Latency (ms.) is the delay time in milliseconds for traffic transmitted through the link.
  • Jitter (ms.) is the jitter time in milliseconds for traffic transmitted through the link.
  • Packet loss (%) is the percentage of traffic packet loss on the link.
  • Speed (Mbit/sec.) is the speed of traffic transmission through the link in Mbps.
  • Cost is the link cost.

The actions you can perform with the table are described in the Managing solution component tables instructions.

In this section

Specifying the cost of a link

Enabling Dampening

Enabling Forward Error Correction

Determining the MTU value

Traffic encryption


Specifying the cost of a link

To specify the cost of a link:

  1. Specify the link cost in one of the following ways:
    • If you want to specify the cost of a link that was established from a CPE device, go to the SD-WAN → CPE section, click the CPE device, select the Links tab, and click Management → Set cost next to the link.
    • If you want to specify the cost of one of the links in the table of all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Links section, and click Management → Set cost next to the link.
    • If you want to specify the cost of one of the links in the graphic topology with all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Topology section, click the link, and click Set cost.
  2. This opens a window; in that window, select the Override check box to specify the cost of the link. This check box is cleared by default.
  3. In the Tunnel cost field, enter the cost of the link. If you want to specify the same cost for the opposite-direction link, select the Save for both tunnels check box. This check box is cleared by default.
  4. Click Save.

    The link cost is specified.

  5. If you have specified the link cost for a link established from the CPE device, click Save in the upper part of the settings area to save the CPE device settings.

Enabling Dampening

Dampening is a configurable mechanism that excludes unstable links whose state changes too frequently from path calculation. When determining link instability, the following state changes are taken into account:

  • UP/LIVE → DOWN/NOT-LIVE.
  • DOWN/NOT-LIVE → UP/LIVE.
  • UP/LIVE → UP/NOT-LIVE.
  • UP/NOT-LIVE → UP/LIVE.

When Dampening is enabled, each state change of the link increases the Penalty value. If the Penalty reaches the threshold within the specified time, access to the link is restricted (its cost is increased 10,000 times for the specified period of time). The value of each of these parameters is specified when you enable Dampening. By default, access to the link is resumed if the state of the link does not change for 10 minutes.

To enable Dampening:

  1. Enable Dampening in one of the following ways:
    • If you want to enable Dampening for a link that was established from a CPE device, go to the SD-WAN → CPE section, click the CPE device, select the Links tab, and click Management → Dampening next to the link.
    • If you want to enable Dampening for one of the links in the table of all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Links section, and click Management → Dampening next to the link.
    • If you want to enable Dampening for one of the links in the graphic topology with all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Topology section, click the link, and click Dampening.
  2. This opens a window; in that window, select the Enable check box to enable Dampening on the link. This check box is cleared by default.
  3. In the Maximum suppress time (ms.) field, enter the time, in milliseconds, for which access to the link can be restricted. When the specified time elapses, all Dampening counters on the link are reset. Default value: 600000.
  4. In the Penalty field, enter the number by which Penalty is incremented when the link changes state. Default value: 1.
  5. In the Suppress threshold field, enter the Penalty value at which access to the link is restricted. Default value: 4.
  6. In the Update interval (ms.) field, enter the time in milliseconds during which Penalty must attain the value specified in the Suppress threshold field for access to the link to be restricted. Default value: 120000.
  7. If you want to view Dampening statistics for a link, click Load statistics.
  8. Click Save.

    Dampening is enabled for the link.

  9. If you enabled Dampening for a link established from the CPE device, click Save in the upper part of the settings area to save the CPE device settings.
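
The following model of the Dampening parameters is an added example, not Kaspersky SD-WAN code. It assumes that Penalty counts state changes inside a sliding Update interval and that a state change on a restricted link restarts the suppress timer; the class, function, and trace names are hypothetical.

```python
from dataclasses import dataclass, field

COST_MULTIPLIER = 10_000  # from the page: cost is increased 10,000 times while restricted


@dataclass
class Dampening:
    # Defaults are the default values of the fields in the Dampening window.
    max_suppress_ms: int = 600_000     # Maximum suppress time (ms.)
    penalty: int = 1                   # Penalty added per state change
    suppress_threshold: int = 4        # Suppress threshold
    update_interval_ms: int = 120_000  # Update interval (ms.)
    changes: list = field(default_factory=list)  # timestamps of counted state changes
    suppressed_until: int = -1                   # -1 means the link is not restricted

    def suppressed(self, now_ms):
        return now_ms < self.suppressed_until

    def state_change(self, now_ms):
        """Record one state change (any of the four transitions) at now_ms."""
        if self.suppressed(now_ms):
            # Assumption: a change while restricted restarts the suppress timer,
            # so access resumes only after a full quiet period.
            self.suppressed_until = now_ms + self.max_suppress_ms
            return
        if self.suppressed_until >= 0:
            # Suppress time has elapsed: all Dampening counters are reset.
            self.changes.clear()
            self.suppressed_until = -1
        # Assumption: Penalty only counts changes inside a sliding update interval.
        self.changes = [t for t in self.changes if now_ms - t < self.update_interval_ms]
        self.changes.append(now_ms)
        if len(self.changes) * self.penalty >= self.suppress_threshold:
            self.suppressed_until = now_ms + self.max_suppress_ms

    def effective_cost(self, base_cost, now_ms):
        return base_cost * COST_MULTIPLIER if self.suppressed(now_ms) else base_cost


def cost_after(flap_times_ms, probe_ms, base_cost=100):
    """Replay a constructed list of state-change timestamps, then price the link."""
    link = Dampening()
    for t in flap_times_ms:
        link.state_change(t)
    return link.effective_cost(base_cost, probe_ms)


FAST_FLAPS = [0, 30_000, 60_000, 90_000]    # constructed: 4 changes in 90 s
SLOW_FLAPS = [0, 50_000, 100_000, 150_000]  # constructed: never 4 within 120 s
```

With the default values, the fast trace restricts the link from the fourth change until ten minutes later, while the slow trace never reaches the threshold inside one update interval.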

Enabling Forward Error Correction

Forward Error Correction (FEC) reduces the loss of traffic packets on links, especially for UDP applications, reduces the number of retransmissions, which lead to delays, and recovers received data on the CPE device. Data recovery is provided by redundant encoding of the data stream on the source CPE device.

The source CPE device encodes the traffic packet stream transmitted through the link and adds redundant traffic packets. Encoding on CPE devices may cause delays due to extra data processing.

The destination CPE device buffers traffic packets received through the link and decodes them, recovering lost traffic packets, if possible. We recommend using FEC on noisy links to reduce the packet loss and increase the speed of TCP connections. The general diagram of FEC is shown in the figure below.

Figure: FEC diagram. The diagram shows the data stream on a sender CPE device to which extra packets with redundant code are added. This code is used to recover lost data on the receiving CPE device.

To enable FEC:

  1. Enable FEC in one of the following ways:
    • If you want to enable FEC for a link that was established from a CPE device, go to the SD-WAN → CPE section, click the CPE device, select the Links tab, and click Management → FEC/reordering next to the link.
    • If you want to enable FEC for one of the links in the table of all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Links section, and click Management → FEC/reordering next to the link.
    • If you want to enable FEC for one of the links in the graphic topology with all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Topology section, click the link, and click FEC/reordering.
  2. This opens a window; in that window, select the Override check box to enable FEC on the link. This check box is cleared by default.
  3. In the Redundancy ratio (original/redundant packet) drop-down list, select the ratio of original traffic packets to extra traffic packets with redundant code. The default value, 0:0 FEC off, means that FEC is not used. You can also specify the ratio of original traffic packets to redundant traffic packets by using the topology.link.fec.ratio controller property.
  4. In the Timeout field, enter the time, in milliseconds, during which a traffic packet can stay in the queue for FEC to apply. Range of values: 1 to 1000.
  5. Click Save.

    FEC is enabled.

  6. If you enabled FEC for a link established from the CPE device, click Save in the upper part of the settings area to save the CPE device settings.

Determining the MTU value

You can determine the MTU value of a link to find out why fragmented packets are being blocked on the link (see the figure below).

Figure: Links with a reduced MTU size and fragmented packets getting dropped. The diagram shows IP packets passing through devices on the network, where fragmented packets are dropped.

The MTU value is determined by sending LLDP packets with a variable payload size through the link. The minimum detectable MTU size is 1280 bytes, and the maximum is 1500 bytes. The MTU value is determined automatically when CPE devices are enabled and periodically at an interval specified in the topology.link.pmtud.scheduler.interval.sec controller property.

You can determine the MTU value manually.

To manually determine the MTU value, do one of the following:

  • If you want to manually determine the MTU value for a link that was established from a CPE device, go to the SD-WAN → CPE section, click the CPE device, select the Links tab, and click Management → Check MTU next to the link.
  • If you want to manually determine the MTU value for one of the links in the table of all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Links section, and click Management → Check MTU next to the link.

The MTU value is displayed in the MTU column.


Traffic encryption

Traffic encryption is a mechanism of securing the exchange of traffic between CPE devices through links. For example, you can encrypt traffic that is transmitted over unsecured connections.

Traffic encryption does not replace the need to use other information security measures, such as TLS, LDAPS, and other protocols that protect traffic within the overlay network.

The controller automatically generates keys for encrypting and decrypting traffic and sends the keys to CPE devices. Traffic is encrypted on the source CPE device using the encryption key. The destination CPE device decrypts the traffic using the decryption key.

The keys are regularly updated to deprive third parties of the opportunity to encrypt or decrypt the transmitted traffic if a key is intercepted. You can specify the length of time after which the keys are updated on CPE devices using the topology.link.encryption.key.update.interval.minutes controller property.

Traffic encryption is supported only on CPE devices running Kaspersky SD-WAN software.

If traffic encryption is enabled on a CPE device, all outbound links that involve this CPE device send encrypted traffic (including new links that will be established later). If traffic encryption is disabled on a CPE device, it sends unencrypted traffic. If you disable traffic encryption on a CPE device that had been encrypting its outgoing traffic, the keys generated by the SD-WAN Controller for encrypting and decrypting traffic are deleted from all related CPE devices.

You can also enable or disable traffic encryption on links. For example, you can enable traffic encryption on a CPE device, but disable it on a link built with the participation of this CPE device. When enabling or disabling traffic encryption on a link, you need to configure the opposite-direction link in the same way.

In this section

Enabling traffic encryption on a CPE device

Enabling traffic encryption on a link


Enabling traffic encryption on a CPE device

You can enable or disable traffic encryption in a CPE template or on a CPE device. Traffic encryption settings specified in the CPE template are automatically propagated to all CPE devices that use this CPE template.

To enable traffic encryption on a CPE device:

  1. Enable traffic encryption on the CPE device in one of the following ways:
    • If you want to enable traffic encryption in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the Tunnel encryption tab.
    • If you want to enable traffic encryption on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Tunnel encryption tab, and select the Override check box.

    The traffic encryption policy is displayed.

  2. In the Default encryption policy drop-down list, select one of the following values:
    • Enabled
    • Disabled (default value)
  3. In the upper part of the settings area, click Save to save the settings of the CPE template or CPE device.

Enabling traffic encryption on a link

When enabling or disabling traffic encryption on a link, you must configure the opposite-direction link in the same way.

To enable encryption of traffic on a link:

  1. Enable traffic encryption on the link in one of the following ways:
    • If you want to enable traffic encryption for a link that was established from a CPE device, go to the SD-WAN → CPE section, click the CPE device, select the Links tab, and click Management → Set encryption next to the link.
    • If you want to enable traffic encryption for one of the links in the table of all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Links section, and click Management → Set encryption next to the link.
    • If you want to enable traffic encryption for one of the links in the graphic topology with all links, go to the Infrastructure section, click Management → Configuration menu next to the controller, go to the Topology section, click the link, and click Set encryption.
  2. This opens a window; in that window, select the Override check box. This check box is cleared by default.
  3. Select the Enable encryption check box to enable traffic encryption for the link. This check box is cleared by default.
  4. Click Save.

    Traffic encryption is enabled on the link.

  5. If you enabled traffic encryption for a link established from the CPE device, click Save in the upper part of the settings area to save the CPE device settings.
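
The CPE-level policy and per-link overrides described above can leave a link pair encrypted in only one direction. The following check is an added example, not Kaspersky SD-WAN code: it resolves the effective setting of each directed link and reports asymmetric pairs and unencrypted links. The inventory is constructed, and its structure and names are hypothetical, not a product export format.

```python
# Constructed inventory; the structure and names are hypothetical and do not
# represent an export format of Kaspersky SD-WAN.
CPE_DEFAULT_POLICY = {"cpe-hq": True, "cpe-br1": True, "cpe-br2": False}

# (source, destination) -> link setting: True/False when Override is selected,
# None when Override is cleared and the source CPE policy applies.
LINK_OVERRIDE = {
    ("cpe-hq", "cpe-br1"): None,
    ("cpe-br1", "cpe-hq"): False,
    ("cpe-hq", "cpe-br2"): None,
    ("cpe-br2", "cpe-hq"): True,
    ("cpe-br1", "cpe-br2"): False,
    ("cpe-br2", "cpe-br1"): None,
}


def effective(link, cpe_policy, overrides):
    """Encryption actually applied to traffic sent over one directed link."""
    override = overrides[link]
    return cpe_policy[link[0]] if override is None else override


def audit(cpe_policy, overrides):
    """Return (asymmetric pairs, unencrypted directed links), both sorted."""
    asymmetric, unencrypted = set(), set()
    for link in overrides:
        src, dst = link
        enc = effective(link, cpe_policy, overrides)
        if not enc:
            unencrypted.add(link)
        reverse = (dst, src)
        # The opposite-direction link must be configured the same way.
        if reverse not in overrides or effective(reverse, cpe_policy, overrides) != enc:
            asymmetric.add(tuple(sorted(link)))
    return sorted(asymmetric), sorted(unencrypted)
```

In the constructed inventory, the cpe-hq/cpe-br1 pair is reported as asymmetric because the override on the return link disables encryption while the forward link inherits the enabled CPE policy.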