14-SDWAN Command Reference


SDWAN commands

address-family ipv4 tnl-encap-ext

Use address-family ipv4 tnl-encap-ext to create the BGP IPv4 tunnel-encap-ext address family and enter BGP IPv4 tunnel-encap-ext address family view, or directly enter BGP IPv4 tunnel-encap-ext address family view if the BGP IPv4 tunnel-encap-ext address family already exists.

Use undo address-family ipv4 tnl-encap-ext to delete the BGP IPv4 tunnel-encap-ext address family and all settings in the address family.

Syntax

address-family ipv4 tnl-encap-ext

undo address-family ipv4 tnl-encap-ext

Default

The BGP IPv4 tunnel-encap-ext address family does not exist.

Views

BGP instance view

Predefined user roles

network-admin

Usage guidelines

Settings in BGP IPv4 tunnel-encap-ext address family view take effect only on routes in the BGP IPv4 tunnel-encap-ext address family.

Examples

# In BGP instance view, create the BGP IPv4 tunnel-encap-ext address family and enter BGP IPv4 tunnel-encap-ext address family view.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv4 tnl-encap-ext

[Sysname-bgp-default-tnlencap-ipv4]

display bgp routing-table ipv4 tnl-encap-ext

Use display bgp routing-table ipv4 tnl-encap-ext to display information about BGP IPv4 tunnel-encap-ext routes.

Syntax

display bgp [ instance instance-name ] routing-table ipv4 tnl-encap-ext [ peer ipv4-address { advertised-routes | received-routes } [ statistics ] | [ route-type { tte | saas-path } ] [ { tnlencap-route route-length | tnlencap-prefix } [ advertise-info ] ] | statistics ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a BGP instance, this command displays information about BGP IPv4 tunnel-encap-ext routes in the default instance.

peer: Displays BGP IPv4 tunnel-encap-ext routes advertised to or received from a peer.

ipv4-address: Specifies the peer by its IPv4 address.

advertised-routes: Displays BGP IPv4 tunnel-encap-ext routes advertised to the specified peer.

received-routes: Displays BGP IPv4 tunnel-encap-ext routes received from the specified peer.

statistics: Displays BGP IPv4 tunnel-encap-ext route statistics.

route-type: Specifies a type of BGP IPv4 tunnel-encap-ext routes.

tte: Specifies transport tunnel endpoint (TTE) advertisement routes.

saas-path: Specifies Software as a Service (SaaS) access path quality advertisement routes.

tnlencap-route: Displays detailed information about a BGP IPv4 tunnel-encap-ext route. The tnlencap-route argument is a string of 1 to 512 characters.

route-length: Specifies the length of the specified BGP IPv4 tunnel-encap-ext route, in bits. The value range is 0 to 65535.

tnlencap-prefix: Displays detailed information about a BGP IPv4 tunnel-encap-ext route. The tnlencap-prefix argument is a case-insensitive string of 1 to 512 characters. The string contains the route and route length in the format of tnlencap-route/route-length.

advertise-info: Displays advertisement information for BGP IPv4 tunnel-encap-ext routes.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all BGP IPv4 tunnel-encap-ext routes.

Examples

# Display brief information about all BGP IPv4 tunnel-encap-ext routes.

<Sysname> display bgp routing-table ipv4 tnl-encap-ext

 

 BGP local router ID is 1.1.1.1

 Status codes: * - valid, > - best, d - dampened, h - history

               s - suppressed, S - stale, i - internal, e - external

               a – additional-path

       Origin: i - IGP, e - EGP, ? - incomplete

 

Total number of routes: 2

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i [1][0x0000ffff]/40

                        2.2.2.2         0          100        0       i

* >i [1][0xffffffff]/40

                        2.2.2.2         0          100        0       i

* >i [2][0x00ffffff][abc]/552

                        2.2.2.2         0          100        0       i

 

Table 1 Command output

Field

Description

Status codes

Route state codes:

·     * – valid—Valid route.

·     > – best—Optimal route.

·     d - dampened—Dampened route.

·     h – history—History route.

·     s – suppressed—Suppressed route.

·     S – stale—Stale route.

·     i – internal—Internal route.

·     e – external—External route.

·     a – additional-path—Add-Path optimal route.

Origin

Origin of the route:

·     i – IGP—Originated in the current AS.

·     e – EGP—Learned through EGP.

·     ? – incomplete—Unknown origin.

Total number of routes

Total number of BGP IPv4 tunnel-encap-ext routes.

Network

BGP IPv4 tunnel-encap-ext route and route length. The following BGP IPv4 tunnel-encap-ext routes are supported:

·     [1][LinkID]

¡     1—TTE advertisement route.

¡     LinkID—TTE link ID. A TTE connection is identified by the link ID of the TTE.

·     [2][SiteAndDeviceID][SaaSName]

¡     2—SaaS access path quality advertisement route.

¡     SiteAndDeviceID—Site ID and device ID of a SaaS cloud service. A SaaS cloud service connection is identified by the site ID and device ID of the SaaS cloud service.

¡     SaaSName—Name of the SaaS cloud service.

NextHop

Next hop IP address.

MED

Multi-exit discriminator (MED) attribute value.

LocPrf

Local preference value.

PrefVal

Preferred value.

Path/Ogn

AS_PATH and ORIGIN attributes of the route:

·     AS_PATH—Records the ASs the route has passed, which avoids routing loops. This field can display a maximum of 16 ASs. If the number of ASs exceeds the maximum number of ASs that can be displayed, an ellipsis (…) is displayed in place of the exceeding text. To view the complete information, display detailed information about the route.

·     ORIGIN—Identifies the origin of the route.
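A parser for the brief output described in Table 1, as an added example (not H3C code). It decodes the status codes and the two route key forms, and compares learned TTE link IDs with an operator-supplied list. The fourth sample row, the `expected_link_ids` set and the position of the ORIGIN code after the AS_PATH are assumptions.

```python
import re

# Legends from Table 1 on this page.
STATUS = {"*": "valid", ">": "best", "d": "dampened", "h": "history",
          "s": "suppressed", "S": "stale", "i": "internal",
          "e": "external", "a": "additional-path"}
ORIGIN = {"i": "IGP", "e": "EGP", "?": "incomplete"}
ROUTE_TYPE = {"1": "tte", "2": "saas-path"}
COLUMNS = ("NextHop", "MED", "LocPrf", "PrefVal", "Path/Ogn")

# Route key: status codes, then [type][id] or [type][id][name], then /length.
KEY_RE = re.compile(
    r"^(?P<codes>[^\[]*)\[(?P<type>\d+)\]\[(?P<id>0[xX][0-9a-fA-F]+|\d+)\]"
    r"(?:\[(?P<name>[^\]]*)\])?/(?P<length>\d+)\s*$")

# Constructed sample: the three rows shown on this page plus one constructed
# row with empty MED and LocPrf columns to exercise the column handling.
SAMPLE = """\
 BGP local router ID is 1.1.1.1

Total number of routes: 4

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

* >i [1][0x0000ffff]/40
                        2.2.2.2         0          100        0       i
* >i [1][0xffffffff]/40
                        2.2.2.2         0          100        0       i
* >i [2][0x00ffffff][abc]/552
                        2.2.2.2         0          100        0       i
*  e [1][0x00000a14]/40
                        5.5.5.5                               0       200 300i
"""


def _to_int(text):
    """Accept the hexadecimal (0x...) and decimal ID forms."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def _attributes(line, starts, slack=3):
    """Place each token in the column whose header starts at or before it.

    Whitespace splitting alone would shift values left when a column is empty.
    """
    cells = {name: [] for name in COLUMNS}
    for tok in re.finditer(r"\S+", line):
        idx = max((i for i, s in enumerate(starts) if s <= tok.start() + slack),
                  default=0)
        cells[COLUMNS[idx]].append(tok.group())

    def number(name):
        return int(cells[name][0]) if cells[name] else None

    path = " ".join(cells["Path/Ogn"])
    # Assumption: the ORIGIN code is the last character, after the AS_PATH.
    return {"next_hop": cells["NextHop"][0] if cells["NextHop"] else None,
            "med": number("MED"), "locprf": number("LocPrf"),
            "prefval": number("PrefVal"),
            "as_path": path[:-1].split(),
            "origin": ORIGIN.get(path[-1:], "unknown")}


def parse_brief(text):
    """Return one dict per route from the brief routing-table output."""
    lines = text.splitlines()
    head = next((n for n, l in enumerate(lines)
                 if "NextHop" in l and "Path/Ogn" in l), None)
    if head is None:
        raise ValueError("column header line not found")
    starts = [lines[head].index(name) for name in COLUMNS]
    routes = []
    for line in lines[head + 1:]:
        key = KEY_RE.match(line)
        if key:
            routes.append({
                "status": [STATUS[c] for c in key["codes"] if c in STATUS],
                "route_type": ROUTE_TYPE.get(key["type"], "unknown"),
                "id": _to_int(key["id"]), "name": key["name"],
                "length": int(key["length"])})
        elif line.strip() and routes and "next_hop" not in routes[-1]:
            # The attribute line that follows a route key line.
            routes[-1].update(_attributes(line, starts))
    return routes


def unexpected_ttes(routes, expected_link_ids):
    """TTE routes whose LinkID is not in the operator's expected set."""
    return [(r["id"], r.get("next_hop")) for r in routes
            if r["route_type"] == "tte" and r["id"] not in expected_link_ids]


if __name__ == "__main__":
    table = parse_brief(SAMPLE)
    for link_id, next_hop in unexpected_ttes(table, {0x0000ffff, 0xffffffff}):
        print(f"unexpected TTE link 0x{link_id:08x} via {next_hop}")
```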

 

# Display detailed information about BGP IPv4 tunnel-encap-ext route [1][0xffffffff]/40.

<Sysname> display bgp routing-table ipv4 tnl-encap-ext [1][0xffffffff]/40

 

 BGP local router ID: 1.1.1.1

 Local AS number: 100

 

 Total number of routes: 1

 Paths:   1 available, 1 best

 

 BGP routing table information of [1][0xffffffff]/40:

 From            : 4.4.4.4 (4.4.4.4)

 Rely nexthop    : 10.1.1.2

 Original nexthop: 2.2.2.2

 OutLabel        : NULL

 RxPathID        : 0x0

 TxPathID        : 0x0

 AS-path         : 200

 Origin          : egp

 Attribute value : MED 0, pref-val 0

 State           : valid, external, best

 IP precedence   : N/A

 QoS local ID    : N/A

 Traffic index   : N/A

 Route type      : Transport Tunnel Endpoint advertisement route

 LinkID          : 0xffffffff

 SiteID          : 16777215

 DeviceID        : 255

 InterfaceID     : 255

 SiteName        : sdwan

 SystemIP        : 2.2.2.2

 SiteRole        : CPE

 EncapType       : UDP

 EncapPort       : 65535

 SourceIP        : 2.2.2.2

 TNName          : sdwan

 TNID            : 0x499602d2

 RDName          : BGP

 RDID            : 0xffffffff

 IPSecEnable     : Enabled

 AH SA SPI       : 0xffffffff

 ESP SA SPI      : 0xffffffff

 ESPEncAlg       : 0x1

 ESPAuthAlg      : 0x1

 AHAuthAlg       : 0x1

 NATEnable       : Enabled

 NATType         : Full Cone NAT

 PublicAddress   : 3.3.3.3

 PublicPort      : 179

Table 2 Command output

Field

Description

Total number of routes

Total number of BGP IPv4 tunnel-encap-ext routes.

Paths

Number of routes:

·     available—Number of valid routes.

·     best—Number of optimal routes.

BGP routing table information of [1][0xffffffff]/40

Detailed information about BGP IPv4 tunnel-encap-ext route [1][0xffffffff]/40.

From

IP address of the BGP peer that advertised the route.

Rely nexthop

Next hop IP address after route recursion. If no next hop IP address is found, this field displays not resolved.

Original nexthop

Original next hop address of the route. If the route was obtained from a BGP update message, the original next hop address is the next hop IP address in the message.

OutLabel

Outgoing label of the route.

This field is not supported by the BGP IPv4 tunnel-encap-ext address family in the current software version.

RxPathID

Add-Path ID value of the received route.

This field is not supported by the BGP IPv4 tunnel-encap-ext address family in the current software version.

TxPathID

Add-Path ID value of the sent route.

This field is not supported by the BGP IPv4 tunnel-encap-ext address family in the current software version.

AS-path

AS_PATH attribute of the route. This attribute records the ASs the route has passed through and prevents routing loops.

Origin

Origin of the route:

·     igp—Originated in the current AS.

·     egp—Learned through EGP.

·     incomplete—Unknown origin.

Attribute value

BGP attributes of the route:

·     MED—MED value for the destination network.

·     localpref—Local preference value.

·     pref-val—Preferred value.

·     pre—Protocol preference value.

State

Route state:

·     valid—Valid route.

·     internal—Internal route.

·     external—External route.

·     local—Local route.

·     best—Optimal route.

IP precedence

IP precedence of the route, in the range of 0 to 7. If the IP precedence is invalid, this field displays N/A.

QoS local ID

QoS local ID of the route, in the range of 1 to 4095. If the QoS local ID is invalid, this field displays N/A.

Traffic index

Traffic index in the range of 1 to 64. If the traffic index is invalid, this field displays N/A.

LinkID

Link ID assigned to the TTE. A link ID identifies a TTE connection.

SiteID

Site ID.

DeviceID

Device ID.

InterfaceID

Interface ID.

SiteName

Site name.

SystemIP

Site system IP address.

SiteRole

Site role:

·     CPE.

·     RR.

·     NAT transfer.

If multiple site roles are assigned, the roles are separated by slashes (/). For example: CPE/RR/NAT transfer.

EncapType

Encapsulation mode, which can be only UDP in the current software version.

EncapPort

Local UDP port number for SDWAN encapsulation.

SourceIP

Source IP address of the tunnel.

TNName

Transport network name.

TNID

Transport network ID.

RDName

Routing domain name.

RDID

Routing domain ID.

IPSecEnable

IPsec state:

·     Enabled—IPsec protection is enabled.

·     Disabled—IPsec protection is disabled.

AH SA SPI

AH SA SPI.

ESP SA SPI

ESP SA SPI.

ESPEncAlg

ESP encryption algorithm.

ESPAuthAlg

ESP authentication algorithm.

AHAuthAlg

AH authentication algorithm.

NATEnable

Whether NAT is deployed:

·     Enabled—NAT is deployed.

·     Disabled—NAT is not deployed.

NATType

NAT type:

·     Full Cone NAT.

·     Restricted Cone NAT.

·     Port Restricted Cone NAT.

·     Symmetric NAT.

If no NAT type exists, this field displays a hyphen (-).

PublicAddress

Public IP address after NAT.

PublicPort

Public port number after NAT.

 

# Display detailed information about BGP IPv4 tunnel-encap-ext route [2][0x00ffffff][abc]/296.

<Sysname> display bgp routing-table ipv4 tnl-encap-ext [2][0x00ffffff][abc]/296

 

 BGP local router ID: 1.1.1.1

 Local AS number: 100

 

 Total number of routes: 1

 Paths:   1 available, 1 best

 

 BGP routing table information of [2][0x00ffffff][abc]/296:

 From            : 4.4.4.4 (4.4.4.4)

 Rely nexthop    : 10.1.1.2

 Original nexthop: 2.2.2.2

 OutLabel        : NULL

 RxPathID        : 0x0

 TxPathID        : 0x0

 AS-path         : 200

 Origin          : egp

 Attribute value : MED 0, pref-val 0

 State           : valid, external, best

 IP precedence   : N/A

 QoS local ID    : N/A

 Traffic index   : N/A

 Route type      : Software as a Service access path quality advertisement route

 SiteID          : 0x00ffffff

 DeviceID        : 1

 SaaSName        : abc

 SystemIP        : 2.2.2.2

 Delay           : 20 ms

 Jitter          : 4 ms

 Loss            : 50 ‰

 CQI             : 80

Table 3 Command output

Field

Description

Total number of routes

Total number of BGP IPv4 tunnel-encap-ext routes.

Paths

Number of routes:

·     available—Number of valid routes.

·     best—Number of optimal routes.

BGP routing table information of [2][0x00ffffff][abc]/296

Detailed information about BGP IPv4 tunnel-encap-ext route [2][0x00ffffff][abc]/296.

From

IP address of the BGP peer that advertised the route.

Rely nexthop

Next hop IP address after route recursion. If no next hop IP address is found, this field displays not resolved.

Original nexthop

Original next hop address of the route. If the route was obtained from a BGP update message, the original next hop address is the next hop IP address in the message.

OutLabel

Outgoing label of the route.

This field is not supported by the BGP IPv4 tunnel-encap-ext address family in the current software version.

RxPathID

Add-Path ID value of the received route.

This field is not supported by the BGP IPv4 tunnel-encap-ext address family in the current software version.

TxPathID

Add-Path ID value of the sent route.

This field is not supported by the BGP IPv4 tunnel-encap-ext address family in the current software version.

AS-path

AS_PATH attribute of the route. This attribute records the ASs the route has passed through and prevents routing loops.

Origin

Origin of the route:

·     igp—Originated in the current AS.

·     egp—Learned through EGP.

·     incomplete—Unknown origin.

Attribute value

BGP attributes of the route:

·     MED—MED value for the destination network.

·     localpref—Local preference value.

·     pref-val—Preferred value.

·     pre—Protocol preference value.

State

Route state:

·     valid—Valid route.

·     internal—Internal route.

·     external—External route.

·     local—Local route.

·     best—Optimal route.

IP precedence

IP precedence of the route, in the range of 0 to 7. If the IP precedence is invalid, this field displays N/A.

QoS local ID

QoS local ID of the route, in the range of 1 to 4095. If the QoS local ID is invalid, this field displays N/A.

Traffic index

Traffic index in the range of 1 to 64. If the traffic index is invalid, this field displays N/A.

SiteID

Site ID.

DeviceID

Device ID.

SaaSName

SaaS cloud service name.

SystemIP

Site system IP address.

Delay

Delay for the path used to access the SaaS cloud service, in milliseconds.

Jitter

Jitter for the path used to access the SaaS cloud service, in milliseconds.

Loss

Packet loss ratio for the path used to access the SaaS cloud service, in per mille (‰).

CQI

Approximate Comprehensive Quality Indicator (CQI) value for the path used to access the SaaS cloud service.

 

# Display advertisement information for BGP IPv4 tunnel-encap-ext route [1][0xffffffff]/40.

<Sysname> display bgp routing-table ipv4 tnl-encap-ext [1][0xffffffff]/40 advertise-info

 

 BGP local router ID: 1.1.1.1

 Local AS number: 100

 

 Total number of routes: 1

 Paths:   1 best

 

 BGP routing table information of [1][0xffffffff]/40:

 Advertised to peers (1 in total):

    3.3.3.3

Table 4 Command output

Field

Description

Total number of routes

Total number of BGP IPv4 tunnel-encap-ext routes.

Paths

Number of optimal routes destined for the specified destination network.

BGP routing table information of [1][0xffffffff]/40

Advertisement information about BGP IPv4 tunnel-encap-ext route [1][0xffffffff]/40.

Advertised to peers (1 in total)

Peers to which the route has been advertised and total number of the peers.

 

# Display statistics about BGP IPv4 tunnel-encap-ext routes advertised to peer 2.2.2.2.

<Sysname> display bgp routing-table ipv4 tnl-encap-ext peer 2.2.2.2 advertised-routes statistics

 

 Advertised routes total: 1

# Display statistics about BGP IPv4 tunnel-encap-ext routes received from peer 2.2.2.2.

<Sysname> display bgp routing-table ipv4 tnl-encap-ext peer 2.2.2.2 received-routes statistics

 

 Received routes total: 1

Table 5 Command output

Field

Description

Advertised routes total

Total number of routes advertised to the peer.

Received routes total

Total number of routes received from the peer.

 

# Display statistics about BGP IPv4 tunnel-encap-ext routes.

<Sysname> display bgp routing-table ipv4 tnl-encap-ext statistics

 

 Total number of routes: 4

Table 6 Command output

Field

Description

Total number of routes

Total number of BGP IPv4 tunnel-encap-ext routes.

 

display sdwan peer-connection status

Use display sdwan peer-connection status to display SSL connection status on a CPE.

Syntax

display sdwan peer-connection status [ system-ip system-ip-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

system-ip system-ip-address: Specifies an SDWAN server by its system IP address. If you do not specify an SDWAN server, this command displays status information for all SSL connections on the device.

Examples

# Display status information for all SSL connections on the device.

<Sysname> display sdwan peer-connection status

System IP        Peer IP          Peer port  VPN instance                     Status

1.1.1.10         172.1.1.2        1234                                        Connected

Table 7 Command output

Field

Description

System IP

System IP address of an SDWAN server.

Peer IP

IP address of the SDWAN server.

Peer port

TCP port number that the SDWAN server is listening on.

VPN instance

VPN instance of the SDWAN server. This field is empty if the SDWAN server is on the public network.

Status

SSL connection state:

·     Init.

·     Connecting.

·     Connected.

·     Close.

 

Related commands

display sdwan server status

sdwan server

display sdwan server status

Use display sdwan server status to display SDWAN server status on an RR.

Syntax

display sdwan server status

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display SDWAN server status on an RR.

<Sysname> display sdwan server status

SDWAN server: Enabled

SDWAN server listening port: 10030

Table 8 Command output

Field

Description

SDWAN server

SDWAN server state:

·     Enabled.

·     Disabled.

SDWAN server listening port

TCP port number that the SDWAN server is listening on.

 

Related commands

sdwan server enable

sdwan server port

display sdwan site-tte

Use display sdwan site-tte to display transport tunnel endpoint (TTE) information on an SDWAN device.

Syntax

display sdwan site-tte [ site-id site-id ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

site-id site-id: Specifies a site by its ID, in the range of 1 to 65535. If you do not specify a site, the command displays TTE information for all sites.

verbose: Displays detailed TTE information for sites. If you do not specify this keyword, the command displays brief TTE information for sites.

Examples

# Display brief TTE information for all sites.

<Sysname> display sdwan site-tte

Site ID: 20 (local)

Total number of TTEs: 1

***************************************************************

DevID   SysIP           IfID   Status   Encap    NAT      SA        RDID          TNID

20      1.1.1.9         20     UP       UDP      Disabled Disabled  rda           tna

Site ID: 10

Total number of TTEs: 2

***************************************************************

DevID   SysIP           IfID   Status   Encap    NAT      SA        RDID          TNID

10      1.1.1.10        30     UP       UDP      Disabled Disabled  rda           tna

10      1.1.1.10        40     UP       UDP      Disabled Disabled  rda           tnb

Table 9 Command output

Field

Description

Site ID

Site ID. If (local) is displayed next to the site ID, the site is the local site.

Total number of TTEs

Total number of TTEs at the site.

SysIP

System IP address of the device.

IfID

SDWAN tunnel interface ID.

Status

TTE state:

·     Published—The device has advertised local TTE information to other SDWAN devices.

·     Unpublished—The device has not advertised local TTE information.

Encap

SDWAN tunnel encapsulation method. The value is UDP, which represents UDP encapsulation.

NAT

NAT state:

·     Enabled.

·     Disabled.

·     N/A—The state is unknown.

SA

SA state:

·     Enabled.

·     Disabled.

·     NA—The state is unknown.

RDID

Routing domain ID of the TTE.

TNID

Transport network ID of the TTE.

 

# Display detailed TTE information for site 20.

<Sysname> display sdwan site-tte site-id 20 verbose

Site ID: 20 (local)

Site name: fenzhi

Site role: CPE

Device ID: 20

System IP: 1.1.1.9

Interface ID: 20

Interface name: Tunnel10

Status: UP

Encapsulation protocol: UDP

Encapsulation port: 3000

Tunnel destination VPN index: 0

Transport destination VPN index: 0

NAT: Disabled

NAT type: -

NAT public IP: -

NAT Public Port: -

SA: Disabled

Routing domain: rda (10)

Transport network: tna (10)

Out physical interface: GigabitEthernet0/0/3

Out physical interface IP: 172.1.1.1

Table 10 Command output

Field

Description

Site ID

Site ID. If (local) is displayed next to the site ID, the site is the local site.

Site role

Device role:

·     CPE.

·     RR—Route reflector.

·     NAT-transfer.

Interface ID

SDWAN tunnel interface ID.

Interface name

SDWAN tunnel interface name.

Status

TTE state:

·     Published.

·     Unpublished.

Encapsulation protocol

SDWAN tunnel encapsulation method. The value is UDP, which represents UDP encapsulation.

Encapsulation port

Source UDP port number in SDWAN tunneled packets.

NAT

NAT state:

·     Enabled.

·     Disabled.

·     NA—The state is unknown.

NAT type

NAT type:

·     Full Cone NAT.

·     Restricted Cone NAT.

·     Port Restricted Cone NAT.

·     Symmetric NAT.

·     NO NAT.

The NAT type is unknown if this field displays a hyphen (-).

NAT public IP

Public IP address after NAT.

NAT Public Port

TCP port number after NAT.

SA

SA state:

·     Enabled.

·     Disabled.

·     NA—The state is unknown.

Routing domain

Routing domain name and ID of the TTE, in the format of domain-name (domain-id).

Transport network

Transport network name and ID of the TTE, in the format of network-name (network-id).

Out physical interface

Local physical output interface of the TTE.

Out physical interface IP

IP address of the local physical output interface for the TTE.

 

Related commands

display sdwan tte connection

display sdwan tte connection

Use display sdwan tte connection to display TTE connection information on the device.

Syntax

display sdwan tte connection [ site-id site-id | system-ip system-ip-address ] [ reachable | unreachable ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

site-id site-id: Specifies a remote site by its ID, in the range of 1 to 65535. If you do not specify a remote site, this command displays TTE connection information for all sites.

system-ip system-ip-address: Specifies a remote device by its system IP address. If you do not specify a system IP address, this command displays TTE connection information for all system IP addresses.

reachable: Displays TTE connections reachable to system IP addresses.

unreachable: Displays TTE connections unreachable to system IP addresses.

Usage guidelines

If you do not specify the reachable or unreachable keyword, this command displays both TTE connections reachable to system IP addresses and TTE connections unreachable to system IP addresses.

Examples

# Display information about all TTE connections on the device.

<Sysname> display sdwan tte connection

SiteID/DevID/SysIP         Source IP/port/IfID        Destination IP/port/IfID

******************************************************************************

10/10/1.1.1.10             172.1.1.1/3000/20          172.1.1.2/3000/30

Number of connections: 1

Table 11 Command output

Field

Description

SiteID

Site ID of a peer device.

DevID

Device ID of the peer device.

SysIP

System IP of the peer device.

Source IP

Source IP address in SDWAN tunneled packets.

port

TCP port number in SDWAN tunneled packets.

IfID

SDWAN tunnel interface ID.

Destination IP

Destination IP address in SDWAN tunneled packets.

Number of connections

Number of TTE connections.

 

Related commands

display sdwan site-tte

reset sdwan tte connection

evpn sdwan routing-enable

Use evpn sdwan routing-enable to enable EVPN to advertise SDWAN routes.

Use undo evpn sdwan routing-enable to disable EVPN from advertising SDWAN routes.

Syntax

evpn sdwan routing-enable

undo evpn sdwan routing-enable

Default

EVPN does not advertise SDWAN routes.

Views

VPN instance IPv4 address family view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to advertise VPN routes as BGP EVPN IP prefix advertisement routes in SDWAN encapsulation to peers. When the device receives BGP EVPN IP prefix advertisement routes in SDWAN encapsulation from the peers, it adds the routes to the routing table of the VPN instance.

Use this command in conjunction with the peer advertise encap-type sdwan command executed in BGP EVPN address family view.

Examples

# In IPv4 address family view of VPN instance vpna, enable EVPN to advertise SDWAN routes.

<Sysname> system-view

[Sysname] ip vpn-instance vpna

[Sysname-vpn-instance-vpna] address-family ipv4

[Sysname-vpn-ipv4-vpna] evpn sdwan routing-enable

Related commands

peer advertise encap-type sdwan

reset sdwan tte connection

Use reset sdwan tte connection to clear SDWAN TTE connections.

Syntax

reset sdwan tte connection [ interface interface-type interface-number [ site-id site-id device-id device-id interface-id interface-id ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an SDWAN tunnel interface by its type and number. If you do not specify an SDWAN tunnel interface, this command clears TTE connections for all SDWAN tunnel interfaces.

site-id site-id device-id device-id interface-id interface-id: Specifies an interface on a device at a site. The site-id argument represents the site ID, in the range of 1 to 65535. The device-id argument represents the device ID, in the range of 1 to 255. The interface-id argument represents the interface ID, in the range of 1 to 255. If you do not specify this option, the command clears all TTE connections for the specified SDWAN tunnel interface.

Usage guidelines

Clearing the TTE connections to a remote device also deletes the routes destined for the system IP address of that remote device. As a result, data packet forwarding is interrupted.

Clearing TTE connections between a CPE and an RR also interrupts the BGP sessions between them.

Examples

# Clear TTE connections for SDWAN tunnel interface Tunnel 1.

<Sysname> reset sdwan tte connection interface tunnel 1

Related commands

display sdwan tte connection

peer advertise encap-type sdwan

Use peer advertise encap-type sdwan to enable advertisement of EVPN routes in SDWAN encapsulation to a peer or peer group.

Use undo peer advertise encap-type sdwan to disable advertisement of EVPN routes in SDWAN encapsulation to a peer or peer group.

Syntax

peer { group-name | ipv4-address [ mask-length ] } advertise encap-type sdwan

undo peer { group-name | ipv4-address [ mask-length ] } advertise encap-type sdwan

Default

BGP does not advertise EVPN routes in SDWAN encapsulation to a peer or peer group.

Views

BGP EVPN address family view

Predefined user roles

network-admin

Parameters

group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The peer group must already exist.

ipv4-address: Specifies a peer by its IPv4 address. The peer must already exist.

mask-length: Specifies a mask length in the range of 0 to 32. To specify a subnet, you must specify both the ipv4-address and mask-length arguments.

Usage guidelines

Use this command on CPEs and RRs. On a CPE, use this command in conjunction with the evpn sdwan routing-enable command executed in VPN instance IPv4 address family view.

Examples

# Configure BGP to advertise EVPN routes in SDWAN encapsulation to peer 1.1.1.1.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family l2vpn evpn

[Sysname-bgp-default-evpn] peer 1.1.1.1 advertise encap-type sdwan

Related commands

evpn sdwan routing-enable

 

sdwan device-id

Use sdwan device-id to assign an ID to the device.

Use undo sdwan device-id to restore the default.

Syntax

sdwan device-id device-id

undo sdwan device-id

Default

No ID is assigned to the device.

Views

System view

Predefined user roles

network-admin

Parameters

device-id: Specifies an ID for the device, in the range of 1 to 255.

Usage guidelines

The device ID uniquely identifies the device at a site.

Examples

# Assign ID 2 to the device.

<Sysname> system-view

[Sysname] sdwan device-id 2

The current configuration will lead to offline. Are you sure? [Y/N]:

Related commands

display sdwan site-tte

sdwan encapsulation global-udp-port

Use sdwan encapsulation global-udp-port to specify a global source UDP port number for SDWAN tunneled packets in UDP encapsulation mode.

Use undo sdwan encapsulation global-udp-port to restore the default.

Syntax

sdwan encapsulation global-udp-port port-number

undo sdwan encapsulation global-udp-port

Default

The global source UDP port number is 4799 for SDWAN tunneled packets.

Views

System view

Predefined user roles

network-admin

Parameters

port-number: Specifies a global source UDP port number for SDWAN tunneled packets, in the range of 1 to 65535. As a best practice, do not specify a known port number in the range of 1 to 1023.

Usage guidelines

All devices that belong to the same SDWAN routing domain must use the same source UDP port number.

You can specify a source UDP port number for SDWAN tunneled packets both in system view and in tunnel interface view.

·     The source UDP port number specified in system view applies to all SDWAN tunnel interfaces.

·     The source UDP port number specified in tunnel interface view applies only to one tunnel interface.

For a tunnel interface, the source UDP port number specified in tunnel interface view takes precedence over that specified in system view. If no source UDP port number is specified in tunnel interface view, the source UDP port number specified in system view applies.

Examples

# Specify port number 5000 as the global source UDP port number for SDWAN tunneled packets.

<Sysname> system-view

[Sysname] sdwan encapsulation global-udp-port 5000

Related commands

display sdwan site-tte

sdwan encapsulation udp-port

sdwan encapsulation udp-port

Use sdwan encapsulation udp-port to specify a source UDP port number for SDWAN tunneled packets in UDP encapsulation mode.

Use undo sdwan encapsulation udp-port to restore the default.

Syntax

sdwan encapsulation udp-port port-number

undo sdwan encapsulation udp-port

Default

The source UDP port number for SDWAN tunneled packets is the global source UDP port number for SDWAN tunneled packets.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

port-number: Specifies a source UDP port number in the range of 1 to 65535. As a best practice, do not specify a known port number in the range of 1 to 1023.

Usage guidelines

All devices that belong to the same SDWAN routing domain must use the same source UDP port number.

You can specify a source UDP port number for SDWAN tunneled packets both in system view and in tunnel interface view.

·     The source UDP port number specified in system view applies to all SDWAN tunnel interfaces.

·     The source UDP port number specified in tunnel interface view applies only to one tunnel interface.

For a tunnel interface, the source UDP port number specified in tunnel interface view takes precedence over that specified in system view. If no source UDP port number is specified in tunnel interface view, the source UDP port number specified in system view applies.

Examples

# Specify 5000 as the source UDP port number of SDWAN tunneled packets.

<Sysname> system-view

[Sysname] interface tunnel 1 mode sdwan udp

[Sysname-Tunnel1] sdwan encapsulation udp-port 5000
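The precedence rule and the same-port requirement in the usage guidelines above can be checked offline against saved configurations. The following Python audit is an added example, not H3C code; the configuration layout ("#" between stanzas, indented sub-commands), the device names, and the port values are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample configurations (not from the page). Assumed layout:
# "#" separates stanzas; system-view and interface sub-commands are indented.
CONFIGS = {
    "cpe1": """ sdwan encapsulation global-udp-port 5000
#
interface Tunnel1 mode sdwan udp
 sdwan routing-domain abc id 2000
#
interface Tunnel2 mode sdwan udp
 sdwan routing-domain xyz id 3000
 sdwan encapsulation udp-port 6001""",
    "cpe2": """ sdwan encapsulation global-udp-port 6000
#
interface Tunnel1 mode sdwan udp
 sdwan routing-domain abc id 2000
 sdwan encapsulation udp-port 5000
#
interface Tunnel2 mode sdwan udp
 sdwan routing-domain xyz id 3000""",
}
GLOBAL_RE = re.compile(r"sdwan encapsulation global-udp-port (\d+)$")
IFACE_RE = re.compile(r"sdwan encapsulation udp-port (\d+)$")
DOMAIN_RE = re.compile(r"sdwan routing-domain \S+ id (\d+)$")

def effective_ports(config):
    """Return {tunnel: (routing_domain_id, effective_source_port)}."""
    global_port, tunnels, scope = None, {}, ""   # "" = system view
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            scope = ""
        elif not raw[0].isspace():               # stanza header at column 0
            w = line.split()
            sdwan = w[0] == "interface" and w[2:4] == ["mode", "sdwan"]
            scope = w[1] if sdwan else None      # None = stanza we ignore
            if sdwan:
                tunnels[scope] = {"domain": None, "port": None}
        elif scope == "":
            if m := GLOBAL_RE.match(line):
                global_port = int(m.group(1))
        elif scope is not None:
            if m := IFACE_RE.match(line):
                tunnels[scope]["port"] = int(m.group(1))
            elif m := DOMAIN_RE.match(line):
                tunnels[scope]["domain"] = int(m.group(1))
    # Tunnel interface view wins; None means neither view sets a port.
    return {n: (t["domain"], global_port if t["port"] is None else t["port"])
            for n, t in tunnels.items()}

def port_mismatches(configs):
    """Return {domain_id: {port: [(device, tunnel)]}} for inconsistent domains."""
    seen = defaultdict(lambda: defaultdict(list))
    for device, cfg in configs.items():
        for tunnel, (domain, port) in effective_ports(cfg).items():
            if domain is not None:
                seen[domain][port].append((device, tunnel))
    return {d: dict(p) for d, p in seen.items() if len(p) > 1}
```

In the sample, routing domain 2000 is consistent (one side inherits 5000, the other overrides to 5000), while routing domain 3000 is reported because an interface-level override on cpe1 diverges from the value cpe2 inherits.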

Related commands

display sdwan site-tte

sdwan encapsulation global-udp-port

sdwan interface-id

Use sdwan interface-id to assign an interface ID to an SDWAN tunnel interface.

Use undo sdwan interface-id to restore the default.

Syntax

sdwan interface-id interface-id

undo sdwan interface-id

Default

No interface ID is assigned to an SDWAN tunnel interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

interface-id: Specifies an interface ID for the SDWAN tunnel interface, in the range of 1 to 255.

Usage guidelines

The device supports multiple SDWAN tunnel interfaces. An interface ID uniquely identifies an SDWAN tunnel interface on the device.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Assign interface ID 10 to SDWAN tunnel interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode sdwan udp

[Sysname-Tunnel1] sdwan interface-id 10

The input configuration will be written to the device, changes may cause device offline. Are you sure? [Y/N]:

Related commands

display sdwan site-tte

sdwan keepalive

Use sdwan keepalive to configure SDWAN keepalive settings.

Use undo sdwan keepalive to restore the default.

Syntax

sdwan keepalive interval interval [ retry retries ]

undo sdwan keepalive

Default

The keepalive interval is 10 seconds and the number of keepalive retries is 3 for an SDWAN tunnel.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the interval between sending keepalive requests, in the range of 1 to 32767 seconds.

retry retries: Specifies the number of times that the device continues to send keepalive packets without response before the TTE connection state is changed to unreachable. The value range for the retries argument is 1 to 255 and the default value is 3.

Usage guidelines

After an SDWAN tunnel is established, the local device sends keepalive requests to the remote device over all the TTE connections on the tunnel interface at the specified keepalive interval.

·     If the local device receives a keepalive response from the remote device within a keepalive interval, it determines that a TTE connection is reachable to the remote device.

·     If the local device cannot receive a keepalive response from the remote device on a TTE connection within a keepalive interval, it resends a keepalive request. If the local device still cannot receive a response within the keepalive interval multiplied by keepalive retries, it determines that the TTE connection is unreachable to the remote device. The device no longer forwards packets through the TTE connection.

In an RIR-SDWAN network, set the keepalive interval within the range of 1 to 5 seconds as a best practice.

Examples

# On SDWAN tunnel interface 1, set the keepalive interval to 30 seconds and the number of keepalive retries to 5.

<Sysname> system-view

[Sysname] interface tunnel 1 mode sdwan udp

[Sysname-Tunnel1] sdwan keepalive interval 30 retry 5

sdwan routing-domain

Use sdwan routing-domain to specify a routing domain for an SDWAN tunnel.

Use undo sdwan routing-domain to restore the default.

Syntax

sdwan routing-domain domain-name id domain-id

undo sdwan routing-domain

Default

No routing domain is specified for an SDWAN tunnel.

Views

SDWAN tunnel interface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a routing domain by its name, a case-sensitive string of 1 to 31 characters. The string can contain only letters, digits, and dots (.).

domain-id: Specifies the ID of the routing domain, in the range of 1 to 65535.

Usage guidelines

Only CPEs and RRs that belong to the same routing domain can establish SDWAN tunnels with each other.

Examples

# Specify the routing domain named abc and with ID 2000 for SDWAN tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode sdwan udp

[Sysname-Tunnel1] sdwan routing-domain abc id 2000

Related commands

display sdwan site-tte

sdwan server

Use sdwan server to specify an SDWAN server on a CPE.

Use undo sdwan server to remove an SDWAN server from a CPE.

Syntax

sdwan server system-ip system-ip-address ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ]

undo sdwan server system-ip system-ip-address ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ]

Default

No SDWAN servers are specified on a CPE.

Views

System view

Predefined user roles

network-admin

Parameters

system-ip system-ip-address: Specifies an SDWAN server by its system IP.

ip ip-address: Specifies an SDWAN server by its IPv4 address. The IPv4 address must be reachable and must be on the RR where SDWAN server is enabled.

port port-number: Specifies a TCP port number used to establish connections with the SDWAN server. Make sure the port number is the same as the TCP listening port number configured for the SDWAN server on the RR. The value range for the port-number argument is 1 to 65535, and the default value is 2004.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the SDWAN server belongs. The vpn-instance-name argument represents the VPN instance name, which is a case-sensitive string of 1 to 31 characters. If the SDWAN server belongs to the public network, do not specify this option.

Usage guidelines

With this command, a CPE can act as an SDWAN client to establish an SSL connection with the specified SDWAN server (RR).

Repeat this command to specify multiple SDWAN servers on a CPE.

Examples

# On a CPE, specify the SDWAN server at 10.1.1.1 on the RR with system IP address 192.168.0.1.

<Sysname> system-view

[Sysname] sdwan server system-ip 192.168.0.1 ip 10.1.1.1

Related commands

display sdwan peer-connection status

sdwan server enable

Use sdwan server enable to enable SDWAN server on an RR.

Use undo sdwan server enable to disable SDWAN server on an RR.

Syntax

sdwan server enable

undo sdwan server enable

Default

SDWAN server is disabled on an RR.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this command only on an RR. With this command, the RR can listen for SSL connection requests from CPEs and establish SSL connections with the CPEs. After SSL connection establishment, the CPEs advertise their local TTE and IPsec SA information to the RR and the RR advertises its local TTE and IPsec SA information to the CPEs. Then, the RR and CPEs can finish SDWAN tunnel establishment.

When you enable SDWAN server on an RR and the RR does not have a digital certificate, a digital certificate request is triggered. It takes some time to request a digital certificate. For more information about digital certificates, see PKI configuration in Security Configuration Guide.

Examples

# Enable SDWAN server on an RR.

<Sysname> system-view

[Sysname] sdwan server enable

Please wait.........Done.

Related commands

display sdwan server status

sdwan ssl-server-policy

sdwan server port

Use sdwan server port to specify the TCP listening port number of the SDWAN server on an RR.

Use undo sdwan server port to restore the default.

Syntax

sdwan server port port-number

undo sdwan server port

Default

The SDWAN server on an RR listens on TCP port 2004.

Views

System view

Predefined user roles

network-admin

Parameters

port-number: Specifies a listening port number of the SDWAN server in the range of 1 to 65535.

Usage guidelines

This command is not supported in FIPS mode.

If SDWAN server has been enabled before you change the TCP port number, the system automatically restarts the SDWAN server after you change the TCP port number. Connections that have been established between CPEs and the SDWAN server are not lost. Connections being established between CPEs and the SDWAN server are lost. To reestablish the connections, you must specify the same TCP port number as the SDWAN server on the CPEs.

Examples

# Specify 3500 as the TCP listening port number of the SDWAN server on an RR.

<Sysname> system-view

[Sysname] sdwan server port 3500

Related commands

display sdwan server status

sdwan server enable

sdwan site-id

Use sdwan site-id to specify a site ID for the device.

Use undo sdwan site-id to restore the default.

Syntax

sdwan site-id site-id

undo sdwan site-id

Default

No site ID is specified for the device.

Views

System view

Predefined user roles

network-admin

Parameters

site-id: Specifies a site ID for the device, in the range of 1 to 65535.

Usage guidelines

A site ID uniquely identifies a customer site in an SDWAN network.

Examples

# Specify site ID 2 for the device.

<Sysname> system-view

[Sysname] sdwan site-id 2

The current configuration will lead to offline. Are you sure? [Y/N]:

Related commands

display sdwan site-tte

sdwan site-name

Use sdwan site-name to specify the name of the site to which the device belongs.

Use undo sdwan site-name to restore the default.

Syntax

sdwan site-name site-name

undo sdwan site-name

Default

No site name is specified for the device.

Views

System view

Predefined user roles

network-admin

Parameters

site-name: Specifies a site name for the device, a case-sensitive string of 1 to 255 characters.

Usage guidelines

A site name can describe the site location and functions. It helps users identify the site in an SDWAN network. A site name does not uniquely identify a site. You can specify the same site name for multiple devices.

Examples

# Specify site name fenbu for the device.

<Sysname> system-view

[Sysname] sdwan site-name fenbu

Related commands

display sdwan site-tte

sdwan site-role

Use sdwan site-role to specify a site role for the device.

Use undo sdwan site-role to restore the default.

Syntax

sdwan site-role { cpe | nat-transfer | rr } *

undo sdwan site-role

Default

No site role is specified for the device.

Views

System view

Predefined user roles

network-admin

Parameters

cpe: Specifies the CPE role.

nat-transfer: Specifies the NAT transfer role.

rr: Specifies the route reflector (RR) role.

Usage guidelines

IMPORTANT:

A site role change will cause SDWAN tunnel flapping and interrupt ongoing services. As a best practice, plan role configuration before you deploy the SDWAN network.

SDWAN supports the following site roles:

·     CPE—Customer-side SDWAN tunnel endpoints.

·     RR—Used to reflect TTE information and private routes among CPEs.

·     NAT transfer—Used to establish forwarding paths for CPEs that must pass through NAT devices over the public network for intercommunication.

You must specify the same site role for all SDWAN devices at the same site.

Examples

# Specify site role CPE for the device.

<Sysname> system-view

[Sysname] sdwan site-role cpe

The configuration will be written to the device, changes may cause device offline. Are you sure? [Y/N]:

Related commands

display sdwan site-tte

sdwan ssl-server-policy

Use sdwan ssl-server-policy to specify an SSL server policy on an RR for the RR to establish SSL connections with CPEs (SDWAN clients).

Use undo sdwan ssl-server-policy to restore the default.

Syntax

sdwan ssl-server-policy policy-name

undo sdwan ssl-server-policy

Default

No SSL server policy is specified on an RR for the RR to establish SSL connections with CPEs (SDWAN clients).

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an SSL server policy by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

With this command, an RR uses the specified policy to establish SSL connections with CPEs. After SSL connection establishment, the CPEs advertise their local TTE and IPsec SA information to the RR and the RR advertises its local TTE and IPsec SA information to the CPEs. Then, the RR and the CPEs can finish SDWAN tunnel establishment.

Only one SSL server policy can be applied to an SSL connection. If you execute this command multiple times, the most recent configuration does not take effect automatically. For the most recent configuration to take effect, you must execute the undo sdwan server enable command and then the sdwan server enable command to re-enable the SDWAN server.

For more information about SSL server policies, see SSL configuration in Security Configuration Guide.

If you do not specify an SSL server policy on an RR, the RR uses the self-signed certificate and the default settings of the SSL parameters to establish SSL connections with CPEs or the NAT transfer. The configuration is simple, but less secure.

Examples

# On an RR, specify SSL server policy CA_CERT for the RR to establish SSL connections with CPEs (SDWAN clients).

<Sysname> system-view

[Sysname] sdwan ssl-server-policy CA_CERT
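Two control-channel conditions described in this reference can be audited from configuration alone: an RR with SDWAN server enabled but no SSL server policy (it falls back to the self-signed certificate and default SSL parameters), and a CPE whose sdwan server port differs from the RR's TCP listening port. The following Python check is an added example, not H3C code; the inventory structure, the device names, and the second RR are constructed assumptions.

```python
import re

DEFAULT_PORT = 2004  # default stated for sdwan server port and for the port option

# Constructed inventory (not from the page): system-view lines per device.
# RRs are keyed by the system IP that CPEs reference (assumed known).
RR_CONFIGS = {
    "192.168.0.1": ["sdwan site-role rr", "sdwan server enable",
                    "sdwan server port 3500", "sdwan ssl-server-policy CA_CERT"],
    "192.168.0.2": ["sdwan site-role rr", "sdwan server enable"],
}
CPE_CONFIGS = {
    "cpe1": ["sdwan site-role cpe", "sdwan ssl-client-policy abc",
             "sdwan server system-ip 192.168.0.1 ip 10.1.1.1",
             "sdwan server system-ip 192.168.0.2 ip 10.1.2.1 port 2004"],
}
SERVER_RE = re.compile(
    r"sdwan server system-ip (\S+) ip (\S+)(?: port (\d+))?(?: vpn-instance (\S+))?$")
LISTEN_RE = re.compile(r"sdwan server port (\d+)$")

def listen_port(rr_lines):
    """TCP listening port of the SDWAN server on an RR (default if unset)."""
    for line in rr_lines:
        if m := LISTEN_RE.match(line):
            return int(m.group(1))
    return DEFAULT_PORT

def rr_findings(rr_configs):
    """RRs that accept CPE connections without an explicit SSL server policy."""
    return [(sysip, "no-ssl-server-policy")
            for sysip, lines in rr_configs.items()
            if "sdwan server enable" in lines
            and not any(l.startswith("sdwan ssl-server-policy ") for l in lines)]

def cpe_findings(cpe_configs, rr_configs):
    """CPE server entries that point at an unknown RR or at the wrong port."""
    out = []
    for cpe, lines in cpe_configs.items():
        for line in lines:
            m = SERVER_RE.match(line)
            if not m:
                continue
            sysip, port = m.group(1), int(m.group(3) or DEFAULT_PORT)
            if sysip not in rr_configs:
                out.append((cpe, sysip, "unknown-rr"))
            elif port != listen_port(rr_configs[sysip]):
                out.append((cpe, sysip, "port-mismatch"))
    return out
```

In the sample, the CPE entry for 192.168.0.1 omits the port option and so uses 2004, while that RR listens on 3500.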

Related commands

display sdwan server status

sdwan server enable

sdwan server port

sdwan ssl-client-policy

Use sdwan ssl-client-policy to specify an SSL client policy on a CPE for the CPE to establish SSL connections with RRs (SDWAN servers).

Use undo sdwan ssl-client-policy to restore the default.

Syntax

sdwan ssl-client-policy policy-name

undo sdwan ssl-client-policy

Default

No SSL client policy is specified on a CPE for the CPE to establish SSL connections with RRs (SDWAN servers).

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an SSL client policy by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Only one SSL client policy can be applied to an SSL connection. If you execute this command multiple times, the most recent configuration takes effect. Modification to this command does not affect existing SDWAN SSL connections. It takes effect only on the SDWAN SSL connections established after the modification.

For more information about SSL client policies, see SSL configuration in Security Configuration Guide.

Examples

# On a CPE, specify SSL client policy abc for the CPE to establish SSL connections with RRs (SDWAN servers).

<Sysname> system-view

[Sysname] sdwan ssl-client-policy abc

sdwan system-ip

Use sdwan system-ip to specify a system IP address for the device.

Use undo sdwan system-ip to restore the default.

Syntax

sdwan system-ip interface-type interface-number

undo sdwan system-ip

Default

No system IP address is specified for the device.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number. The primary IP address of the specified interface is used as the system IP address of the device.

Usage guidelines

The device uses the system IP address to set up BGP sessions with other devices. In an RIR scenario, the system IP address is also used as the inner destination IP address of probe packets sent by the NQA client in NQA link connectivity probes. For more information about RIR, see Layer 3—IP Routing Configuration Guide.

For this command to take effect, you must specify a loopback interface that has an IP address.

Examples

# Specify the primary IP address of Loopback 0 as the system IP address of the device.

<Sysname> system-view

[Sysname] sdwan system-ip loopback 0

Related commands

display sdwan site-tte

sdwan transport-network

Use sdwan transport-network to specify a transport network for an SDWAN tunnel.

Use undo sdwan transport-network to restore the default.

Syntax

sdwan transport-network network-name id network-id

undo sdwan transport-network

Default

No transport network is specified for an SDWAN tunnel.

Views

SDWAN tunnel interface view

Predefined user roles

network-admin

Parameters

network-name: Specifies a transport network by its name, a case-sensitive string of 1 to 31 characters. The string can contain only letters, digits, and dots (.).

network-id: Specifies the ID of the transport network, in the range of 1 to 65535.

Usage guidelines

An SDWAN tunnel interface is connected to a transport network. The transport network is uniquely identified by its name or ID.

Examples

# Specify a transport network named abc with ID 2000 for an SDWAN tunnel.

<Sysname> system-view

[Sysname] interface tunnel 1 mode sdwan udp

[Sysname-Tunnel1] sdwan transport-network abc id 2000

Related commands

display sdwan site-tte

sdwan vn-id

Use sdwan vn-id to specify a VN ID for a VPN instance.

Use undo sdwan vn-id to restore the default.

Syntax

sdwan vn-id vn-id

undo sdwan vn-id

Default

The VN ID is 0 for a VPN instance.

Views

VPN instance view

Predefined user roles

network-admin

Usage guidelines

Packets from different tenants can be forwarded through the same SDWAN tunnel. To isolate the tenants, assign them to different VPN instances. Their packets will be distinguished according to the VN IDs of the VPN instances.

You can specify only one VN ID for a VPN instance in the current software version.

Examples

# Specify VN ID 123 for VPN instance vpna.

<Sysname> system-view

[Sysname] ip vpn-instance vpna

[Sysname-vpn-instance-vpna] sdwan vn-id 123

Related commands

evpn sdwan routing-enable

 
