
CloudGenix Getting Started Guide

The CloudGenix Getting Started Guide provides essential information for network administrators on setting up, configuring, and monitoring the CloudGenix SD-WAN solution. It includes instructions for launching the portal, adding sites and devices, and monitoring network performance. The guide also outlines related documentation and key elements of the CloudGenix SD-WAN, including deployment modes and the functionalities of the CloudGenix portal.

Getting Started

October 2020
© 2020 CloudGenix, Inc. All Rights Reserved.

CloudGenix Customer Support


For technical issues, contact CloudGenix Customer Support.

Phone: 1-844-800-2469, Ext. 2


Email: support@[Link]

CLOUDGENIX | GETTING STARTED GUIDE

Preface
Welcome to the CloudGenix software-defined, wide area network (SD-WAN) solution.

The Getting Started Guide provides information on setting up, configuring, and monitoring the enterprise
wide area network (WAN). It is intended for network administrators and network managers who are
responsible for configuring, monitoring, and troubleshooting enterprise WANs.

It includes information on:

• Launching the portal.
• Adding sites and Instant-On Network (ION) devices.
• Claiming, assigning, and configuring the ION devices.
• Activating the branch and the data center.
• Monitoring network and application performance.

Related Documentation
In addition to this Guide, the CloudGenix documentation library includes the following:

• CloudGenix ION 1000 Installation Guide
• CloudGenix ION 2000 Installation Guide
• CloudGenix ION 3000 Installation Guide
• CloudGenix ION 7000 Installation Guide
• CloudGenix ION 9000 Installation Guide
• CloudGenix Quick Start Guide
• CloudGenix Virtual Form Factor Guide
• CloudGenix Network Policy Guide
• CloudGenix Stacked Policies Guide
• CloudGenix Device Toolkit Reference Guide
• CloudGenix Troubleshooting Alerts and Alarms Guide


Table of Contents
Introducing CloudGenix SD-WAN
Introducing CloudGenix Key Elements
Deploying CloudGenix SD-WAN
Launching the CloudGenix Portal
Working with the CloudGenix Portal
Deploying CloudGenix in the Analytics Mode
Setting Up Sites
Adding a Branch
Adding a Data Center
Setting Up Devices
Connecting the ION Device at a Branch Site
Claiming the ION Device
Assigning the ION Device
Configuring the ION Device
Deploying CloudGenix in the Control Mode
Connecting the ION 7000 or ION 9000 at a Data Center
Claiming the ION 7000
Assigning the ION 7000
Configuring the ION 7000
Switching Sites to Control Mode
Switching the Branch to Control Mode
Switching the Data Center to Control Mode
Monitoring Performance
Dashboard
Device to Controller Connectivity
Top Sites by Alarms
Link Quality Metrics
Activity Charts
Viewing Network Analytics
Viewing Real-Time Media Analytics
Viewing Link Quality Metrics
Viewing the Flow Browser
Viewing Routing Stats
Viewing System Metrics


Introducing CloudGenix SD-WAN


CloudGenix provides a software-defined, wide-area network (SD-WAN) solution that transforms legacy
wide area networks (WANs) into a radically simplified, secure, application fabric (AppFabric), virtualizing
heterogeneous underlying transports into a unified hybrid WAN. CloudGenix controls network application
performance based upon application-performance service level agreements (SLAs) and business priorities.

Through Instant-On Networks (IONs), CloudGenix simplifies how WANs are designed, built, and managed,
securely extending data center-class security to the network edge. With a centralized controller-based
model, CloudGenix leverages the x86 platform, enabling simple deployments at remote offices and data
centers. It provides:

• Granular application-driven views of the WAN.
• Robust policy and performance-based traffic management of the WAN.


Introducing CloudGenix Key Elements


The CloudGenix SD-WAN solution includes the following key elements:

Controller
The controller, accessed through an intuitive, graphical user interface portal:

• Centralizes routing and builds a network of private and public WAN paths.
• Pushes WAN configuration to ION devices at a branch or data center through APIs.
• Provides a centralized point of administration for policy as well as application and network
  analytics.
• Enables secure, automated virtual private network (VPN) tunnels through zero touch configuration.

ION Devices
The ION devices enable combining of disparate WAN networks, such as MPLS, LTE, and internet links,
into a single, high-performance, hybrid WAN. They include the ION 3000, ION 7000, and the ION 9000.

ION 1000/2000/3000
A physical or virtual device that serves as a forwarding x86 commodity-based element at a branch.

• In the Analytics mode, it provides detailed information on network and application traffic.
• In the Control mode, it makes path selections, security decisions, prioritizes applications, and
  manages congestion based upon controller-programmed policies, and reports application and network
  performance statistics to the controller.

ION 7000/9000
A physical or virtual device that serves as a forwarding x86 commodity-based element at a branch or a
data center. At a data center, an ION 7000 or 9000:

• Connects to the data center Core and WAN Edge routers.
• Injects CloudGenix branch routes toward the core router to become the preferred next hop, thereby
  guaranteeing path symmetry.
• Attracts traffic sourced from or destined to CloudGenix branches, leading to seamless,
  non-disruptive integration between SD-WAN and non-SD-WAN branches.


Deploying CloudGenix SD-WAN


CloudGenix may be deployed in one of two modes – Analytics mode or Control mode.

• In the Analytics mode, the branch ION device sits in-path, between a branch router and a LAN
  switch. It monitors traffic, but does not apply policies or make path selection decisions for
  applications. In this mode, a data center site is not required.

• In the Control mode, the branch ION device sits in-path, between a branch router and a LAN switch
  or replaces the router at a branch. It forwards traffic, selects the best path available, and applies
  security and Quality of Service (QoS) policies. In this mode, an ION 7000 in the data center is
  required if the intent is to enable a virtual private network (VPN) between a branch and a data
  center.

Now that you have been introduced to the CloudGenix solution, its key elements and deployment options,
proceed to deploying CloudGenix SD-WAN in your environment.

This Guide will assist you with launching the CloudGenix portal and working through the portal to have your
CloudGenix SD-WAN up and running within minutes!


Launching the CloudGenix Portal


The CloudGenix portal is the starting point and the only interface you need for all network-related tasks and
activities for your enterprise. Through the portal, you can:

• Set up, administer, monitor, and troubleshoot sites, devices, networks, and applications.
• Monitor application performance on all networks.
• Control and secure applications and networks through network and security policies.
• Isolate and troubleshoot issues within the network through alerts and alarms.

As a new customer, you will receive the following from CloudGenix:

• Login ID and password to access the CloudGenix portal.
• ION devices for the branch office and/or the data center.

To launch the CloudGenix portal:

• Enter the CloudGenix administrator-provided password.
• Enter a new password of your choice, confirm the password, and select Finish Signup.
• Read and Agree to the End User License Agreement to launch the CloudGenix portal.


After you enter the new password and log in to the CloudGenix portal, you must agree to the terms and
conditions mentioned in the End User License Agreement to launch the CloudGenix portal. This agreement
is valid for one (1) year.


From here, you can access your enterprise WAN, your applications, and all the application network and
security policies. For future access to the portal, go to [Link]


Working with the CloudGenix Portal


The CloudGenix portal contains six key tabs to configure, monitor, and troubleshoot your wide area network
and its applications – Dashboard, Map, Policies, Activity, Reports, CloudBlades. In addition, the
icon on the portal provides alerts and alarms for troubleshooting the network.

Below is a brief description of each tab on the portal.

Dashboard: Provides analytical information at a glance and visibility into the device connectivity
status and link quality metrics of all your secure fabric links between the various sites.
See "Monitoring Performance" on page 42 for more information on the dashboard.

Map: Provides a view of the Topology, Sites, Claimed Devices, and Unclaimed Devices.
Enables configuration of branches, data centers, and devices, including the ION
1000, ION 2000, ION 3000, ION 7000, and the ION 9000.

Policies: Enables setting up of network policies and stacked policies for enterprise applications,
which include Path, Quality of Service (QoS), and Network Address Translation
(NAT) policy sets and policy set stacks containing Path, QoS, and NAT policy rules
respectively. Also, enables setting of security policy sets containing security policy
rules for an enterprise.

Activity: Provides a view of the network and individual applications through network analytics,
media analytics, link quality, flow browser, routing statistics, and system information
related charts.

Reports: Provides auto-generated report packages, enabling IT administrators an insight into
the health, security, and performance of their WAN network and applications.

CloudBlades: Enables cloud delivered infrastructure at the branch with one click service integration.

User Name: Displays user profile, user administration, system administration, notifications, link to
documentation, and logout option.

Alerts and Alarms: Displays alerts and alarms in the system for all WAN-related issues.

For each user, on all the Map pages (Topology, Sites, Claimed, and Unclaimed Devices), any filters and
Map settings applied including the stoplight color preferences, will be retained and persist across sessions
with the controller user interface. The blue badge on top of the filter icon is a visual indicator that a filter
criterion has been set, with the number indicating how many filters have been applied.

The MAP Settings provide different viewing options. On the Map, a Site's status color can be changed from
the default to be viewed by connectivity. Each site's connectivity is computed based on the status of its VPN
overlay connections. The Stoplight color option enables viewing sites on the map in two different ways. The
default option is to view by the Alarm status for the site.

When Site Connectivity is selected from MAP Settings, a Summary Indicator Bar appears on the top
of the screen. Click on the color bar for a graphical view of the site connectivity summary. From the graphical
view, click a color in the chart legend to navigate directly to the filtered site list. For example, to view sites
with full connectivity, click Green.


When a Branch site or Data Center is selected from the Map screen, it provides the site summary and
details of the overlay connections in a full screen experience.

The Summary tab provides details on the selected site. For example, you can view the Connectivity, Mode,
Domain, Attached Policies, Internet Circuits, Private WAN Circuits, Devices, DHCP Scopes, and IP
Prefixes associated with the site.


For a branch site, the Advanced option allows you to bind Security Zones, manage HA Groups, and
configure Ciphers. For a datacenter site, the Advanced tab allows you to configure Ciphers and manage
Data Center in policy rules.

The Overlay Connections tab provides a graphical view of the overlay connectivity status for the site. It
displays the status of the secure fabric links of each connected site with its corresponding data center or
branch as well as third party tunnel status. You can add a new secure fabric link from the same screen.


Deploying CloudGenix in the Analytics Mode


CloudGenix SD-WAN may be deployed in the Analytics mode with a few simple clicks. In this mode, the
ION device sits in-path, between a branch router and a LAN switch. It monitors traffic, but will not apply
policies or make any path selection decisions for applications. In this mode, a data center site is not
required.

To deploy CloudGenix SD-WAN in the Analytics mode, begin by setting up your branch sites and
assigning and configuring the ION devices for your branch sites.


Setting Up Sites
Sites include branch offices and data centers that you wish to include in your wide area network. They can
be created before or after the ION devices arrive at a given site. A branch is where your users and services
are located, and a data center is where your enterprise applications and services are hosted. When a site is
created, its icon will display on the map and the site will be disabled by default.

After ION devices are assigned to a branch or a data center, a branch may be set up to monitor traffic, or a
branch and a data center may be activated to route, forward, and monitor network and application traffic.

Begin by adding sites, and designating them as a branch or a data center. You can create just a branch, just
a data center, or both. At least one branch site and one ION device are required as a part of your initial
setup.


Adding a Branch
Typically, a branch or remote office is where all the users are located. An enterprise may have one or more
branches within a network. As part of creating a branch, you will select a default domain and policy set, set
up WAN networks, circuit categories, circuit labels, and circuit specifications.

To add a branch:

1. From the portal, select MAP.

2. From MAP, click to add a site. The Site creation wizard will display.

3. Enter basic information for the site and click Next.


4. From the Type tab, select Branch to configure a branch site. By default, a preset domain will display
for a branch site. Select Next. At this point, simply move on to the Policies.

5. The Policies will display the default policy set. Select Next.

6. Next, proceed to configuring circuits for the site. Circuit categories are used in policy rules to identify
paths allowed for an application. By default, there are a few pre-defined circuit categories in the
system that you may use when configuring your site. You can edit these labels or rename any of the
remaining categories through Circuit Categories under Stacked Policies or Network Policies
(Original).

On the Circuits, configure circuit categories as follows.

a. First, to configure an Internet circuit, select Add Circuit.

b. Next, choose a circuit and the name of the internet service provider from the drop-down lists.
This step is required.

c. Next, edit your Circuit by clicking Edit for a circuit. In the Circuit Information pop-up:

i. Add a name and description for the circuit.

ii. Enter the LINK DOWN and LINK UP speed.

iii. For Bandwidth Configuration, leave the default as manual.

iv. For Bidirectional Forwarding Detection (BFD) Mode, select aggressive or non-aggressive.

    i. Aggressive – Choose aggressive for fast failure detection of links. This mode is
       the default mode and is recommended by CloudGenix.

    ii. Non-aggressive – Choose non-aggressive when you want to reduce the amount
        of probe traffic, or for links that are subjected to high loss or poor quality.

• Enable BW Monitoring if you would like ongoing measurement of link capacity. BW
  Monitoring is enabled by default.

• Enable QoS if you would like to enable shaping and queuing of traffic as defined in your
  application policy rules.

• Enable LQ Monitoring if you would like ongoing measurement of link quality, such as
  latency, loss, and jitter. LQM is enabled by default on branch to data center paths.

v. By default, Cost for a circuit is defined as 128. Leave in the default cost and select Done.

d. To add a Private WAN Circuit, click Add Circuit. Select a circuit category from the list of 32
circuit category options. This step is required.


e. Next, click Edit to edit the Private WAN Circuit.

f. Similar to editing internet circuits, edit Circuit Information for the private WAN and select Save.

g. To add another network, select Add Circuit, repeat the above steps and click Save.

7. Click Next to navigate to the Summary.

8. Check the information displayed and then click Save & Exit.

Congratulations! The branch is now created in your network.

Note:

• The IP prefixes can be defined when you assign a device to a site and configure the device.

• Optionally, through Options, you may configure Security Zone Binding, configure DHCP servers,
  add a Secure Fabric Link for branch-to-branch VPNs and configure Ciphers.

Now that you have created a site and configured circuits, proceed to setting up the branch in the
Analytics mode to monitor and capture network and application information.

In the Analytics mode, CloudGenix will begin to monitor traffic as soon as the ION device is online,
claimed, assigned, and configured for the branch site. In addition, it will begin to capture analytics
even without an active data center.

To set the Site in the Analytics Mode:

a. From Map > Sites, select a site.

b. Click and select Switch to Analytics Mode.


Adding a Data Center


In the Analytics mode, a data center is not required. However, most environments include a data center
where all business applications are hosted. If your network includes a data center, you may add one as
shown below.

To add a Data Center:

1. From the portal, select MAP > Sites.

2. Click to add a site. The Site creation wizard will display.

3. Enter basic information for the site and click Next.

4. On the Type tab, select Data Center to configure a data center site. Select Next. At this point, move
on to the Policies.

5. The Policies will display the default policy set. Select Next.

6. Next, proceed to configuring circuits for the site. Circuit categories are used in policy rules to identify
paths allowed for an application. By default, there are a few pre-defined circuit categories in the
system that you may use when configuring your site. You can edit these labels or rename any of the
remaining categories through Circuit Categories under Stacked Policies or Network Policies
(Original).

On the Circuits, configure circuit categories as follows.

a. First, to configure an Internet circuit, select Add Circuit.

b. Next, choose a circuit and the name of the internet service provider from the drop-down lists.
This step is required.


c. Next, edit your Circuit by clicking Edit for a circuit. In the Circuit Information pop-up:

i. Add a name and description for the circuit.

ii. Enter the LINK DOWN and LINK UP speed.

iii. For Bandwidth Configuration, leave the default as manual.

iv. For Bidirectional Forwarding Detection (BFD) Mode, select aggressive or non-aggressive.

    i. Aggressive – Choose aggressive for fast failure detection of links. This mode is
       the default mode and is recommended by CloudGenix.

    ii. Non-aggressive – Choose non-aggressive when you want to reduce the amount
        of probe traffic, or for links that are subjected to high loss or poor quality.

• Enable BW Monitoring if you would like ongoing measurement of link capacity. BW
  Monitoring is enabled by default.

• Enable QoS if you would like to enable shaping and queuing of traffic as defined in your
  application policy rules.

• Enable LQ Monitoring if you would like ongoing measurement of link quality, such as
  latency, loss, and jitter. LQM is enabled by default on branch to data center paths.

v. By default, Cost for a circuit is defined as 128. Leave in the default cost and select Done.

d. To add a Private WAN Circuit, click Add Circuit. Select a circuit category from the list of 32
circuit category options. This step is required.

e. Similar to editing internet circuits, edit Circuit Information for the private WAN and select Save.

f. To add another network, select Add network, repeat the above steps and click Save.

7. Click Next to navigate to the Summary. Check the information displayed and then click Save & Exit.

Congratulations! The data center is now created in your network.

Note:

You do not need to activate your data center at this time. Activate your data center only when you wish to
deploy CloudGenix in the Control mode. When both the branch and the data center are activated, VPN
tunnels will be created automatically between the branch and the data center.


Setting Up Devices
Devices include the ION 1000, ION 2000, ION 3000, ION 7000, and ION 9000 that you insert in a branch or
a data center to communicate with the controller. These devices, as mentioned before, can be physical or
virtual devices.


Connecting the ION Device at a Branch Site


When physical ION devices are allocated to a customer, they will display on the CloudGenix portal under
Devices as Unclaimed and Offline. When virtual ION devices are added to the system and licensed, they
will display on the portal as Unclaimed and Online-Restricted.

• Unclaimed indicates that the device is available in the inventory, but has not been claimed.

• Offline indicates that the device is not yet communicating with the CloudGenix controller.

• Online-Restricted means that the device is communicating with the CloudGenix controller, but has
  not yet been claimed.

The first step is to enable communication with the CloudGenix controller. To enable an ION device to
communicate with the controller:

1. Connect the controller port of the ION device to a LAN switch in a subnet that has access to the
internet. By default, this port is DHCP-enabled. However, if static IP is required, you may configure it
by connecting to the console port on the ION device.

2. Connect the ION device internet port to the internet, so you can view statistics and logs in the
Analytics mode. In this mode, the ION device will send statistics to the CloudGenix controller through
an internet port. Therefore:

o Connect the internet port directly to the internet, such as through a cable modem router.

o Or, if no local internet connection is available, connect to any network that has internet
connectivity, such as a user subnet.

As the ION device is pre-configured with DHCP, it is already registered with the controller. When a secure
connection with the controller is established, the controller will authenticate the device and change the
device state from Offline to Online. However, before the device can begin monitoring or forwarding traffic,
you must claim the device, assign it to a site, and configure the ports on the device. Proceed to claiming the
device.


Claiming the ION Device


Devices visible in your inventory are available for you to claim and then assign to sites. The claim process
authenticates and legitimizes the devices on each site. The devices will come online with enough knowledge
to connect with the CloudGenix controller in the appropriate customer context and start forwarding flows.

To claim devices:
1. From the portal, select MAP > Unclaimed Devices. A list of unclaimed devices in your inventory will
display.

2. Hover to the right of the device and under State, select the icon.

3. From the drop-down list, choose Claim the device and click OK.

4. Repeat the above claim process for all additional devices on your site.

Upon completion of the claim process, all customer-specific certificates will be downloaded to the device.
Briefly, during this period, the device will go offline. When it comes back online, the State of the device will
change to Claimed and Online.


Assigning the ION Device


Now that the branch office is in the Monitor mode, you may begin to assign devices to the branch site.
Assigning a device simply means that you are associating it with a specific branch site. The steps below
include sample screens of the ION 3000 and ION 3000v devices. With the exception of ports on the physical
and virtual devices, the steps to assign and configure the devices are identical.

To assign a device to a branch:

1. From MAP, select Claimed Devices.

2. Under State, select the icon. A drop-down list will display.

3. Select Assign to a site to assign the device to a site.

4. Enter the name of the branch site, or select the branch site to associate with the device from the list of
sites.

5. Select Done. The device assignment will occur in the background.


Configuring the ION Device


Configure the branch ION device to connect to the internet and a private network. By default, the following
ports have hardware bypass capability and may be set to fail open or closed:

• Ports 4/5 on the ION 2000.
• All LAN/WAN ports on the ION 3000.
• Ports 5/6 and 7/8 on the ION 7000.
• Ports 1/2, 3/4, 5/6, 7/8 on the ION 9000.

Before you configure the device, gather the following information:

• Internet port IP address, subnet mask, and default gateway address.
• Optionally, if the device is behind a firewall, details on NAT IPs may be required.
• LAN subnets and their VLAN IDs (if applicable) that you would like CloudGenix to control.

To configure the ION device:

1. Select MAP > Claimed Devices and then select the device you wish to configure.

2. Click and select Configure the device. The device configuration screen will display.

3. On the Basic Info screen:

a. Begin with entering a name and an optional description for the device. The ION device model,
redundancy mode, serial number, and software version will display automatically.

For a branch site:

b. For Enable L3 Direct Private WAN Forwarding, toggle Yes or No. By default, BGP
configuration will use a bypass pair for private WAN underlay traffic. If an L3 interface is used,
an administrator must explicitly enable L3 Direct Private WAN Forwarding for the private WAN
underlay.

c. For Enable L3 LAN Forwarding, toggle Yes or No. Yes indicates that traffic forwarding to
and from LAN interfaces is enabled. Note that in order to activate Enable L3 LAN
Forwarding, Enable L3 Direct Private WAN Forwarding must be enabled.

d. For Application Reachability Probe, toggle Disabled or Enabled. Prior to Release 5.4.1,
Application Reachability Probe was enabled by default and it used the Controller port as the
probe source interface. Starting with Release 5.4.1, this feature can be enabled or disabled for
a LAN port configured as the probe source interface. In case the probe source interface is not
configured, then the Controller port will be used as the source interface for the probe.


e. Click create an HA group, to create an ION device cluster if needed. For more information,
see CloudGenix Branch High Availability.

For a data center site:

a. For Force VPN to VPN Traffic to Local Next Hop, toggle Yes or No. For a device assigned
to a Data Center site, CloudGenix now enables forcing VPN-to-VPN traffic to the local next
hop in the Data Center. The default value is No.

4. Select Device Toolkit to enable device session access.

a. For Enable Device Session Access, toggle Yes.

b. For Enable Outbound SSH, toggle Yes if you want to use the device toolkit to SSH from an
ION device to another device within your enterprise network. The default value is No.

c. Change values for Inactive Interval, Retry Login Count and Account Disabled Interval if
needed.

5. Select Interface Config and then proceed to configure the controller ports, internet ports, and the
WAN/LAN ports.

Controller ports

Starting with Release 5.2.1, two controller ports can be configured on an ION device. When a virtual
interface is configured, the two controller ports can be used to establish redundancy in controller
connectivity. The two controller ports can thus be in the same subnet. For more information on configuring
virtual interfaces, refer to Configuring a Virtual Interface.


To configure a controller port:

a. Select the first Controller port.

b. For Admin Up, leave in the default Yes to enable the interface.

c. Add a Description. This step is optional.

d. For Configuration, select DHCP or Static.

i. If the IP address will be dynamically assigned, choose DHCP.

ii. If the IP address is fixed and will be specified manually, choose Static. If you choose Static,
specify the IP Address/Mask, Default Gateway, and DNS server(s).

e. Click Save Port.

f. Next, similar to configuring the first controller port, configure the second controller port as described
above.

Internet ports:

a. From internet ports, select a port pair.

b. For Admin Up, leave in the default Yes to enable the interface.

c. Add a Description. This step is optional.

d. For Interface Type, choose Port.

e. For Use these Ports For, select Internet.

f. For Scope, toggle Local or Global. The default is Local.

i. If the scope is local, the route will not be advertised to the data center.
ii. If the scope is global, the route will be advertised to the data center.

Note:
• This setting is applicable only to branch sites. It is not applicable to data center sites.
• Configuring a global static route will advertise the destination IP/prefix to other sites
  automatically.

For more information, refer to Configuring Routing.

g. For Circuit Label, select the circuit label that corresponds to your internet connection for this site.


h. For Configuration, select DHCP or Static.

a. If the IP address will be dynamically assigned, choose DHCP.

b. If the IP address is fixed and will be specified manually, choose Static. If you choose Static,
specify the IP Address/Mask, Default Gateway, and DNS server(s).

i. Select Save Port. Proceed to configuring WAN/LAN ports.

WAN/LAN ports:

a. Select WAN/LAN as a port pair.

b. For Admin Up, leave in the default Yes to enable the interface.

c. Add a Description. This step is optional.

d. Interface Type will display the selected WAN/LAN bypass pair.

e. For Hardware Relay – Fail to Wire, select Yes to get fail-to-wire functionality.

f. For Use These Ports For, select Private WAN.

g. For Circuit Label, select the circuit label that corresponds to your private WAN connection for this
site.

h. For Attached Networks, enter the VLAN ID and IP address of the router. You may enter multiple
VLAN IDs and IP addresses.

Optionally:

i. Select Network Context if this is a subnet you would like to segment or one for which you
would like to define a separate policy. For example, guest Wi-Fi.

ii. Select Local or Global.

i. Select Local when defining an IP subnet that will not be advertised to any other site.
ii. Select Global when defining an IP subnet that will be advertised to every CloudGenix
site.

Note:
CloudGenix will not control traffic if a prefix/subnet is not defined on the ION device.

Select Save Bypass Pair.

6. Next, select Routing to configure routing for a branch. Static and dynamic routing are supported in a
branch on internet, private WAN underlays, and Third Party Virtual Private Network (VPN) tunnels.

For more information on routing, refer to Configuring Routing.


7. Next, select SNMP Config.

a. Configure SNMP Agent and Traps.

b. Select Agent, and enable v2 to configure Community or v3 to configure Users.

c. Add Traps and click Save.

For more information on SNMP Agent or Traps, refer to Configuring an SNMP Server.

8. You are not required to configure SNMP, Syslog Export and NTP client at this time. For more
information on configuring SNMP, Syslog Export and NTP client, refer to Configuring an SNMP
Server, Configuring Syslog Server Support and Configuring NTP.

9. Click Save.


Deploying CloudGenix in the Control Mode


CloudGenix Control Mode enables a more proactive approach to administering, managing, and securing
the network. In this mode, you may apply network and security policy rules to your applications, enabling
intelligent, application-focused path selections within your network.

Through these policy rules, you can:

• Define the path, priority, and network context for each application.

• Control and secure the wide area network (WAN) with a zone-based firewall (ZBFW).

Deploying CloudGenix in the Control mode requires setting the branch site in the Control mode.
Optionally, you may configure the ION 7000 and set both the branch and data center sites in the Control
mode.

• First, make sure that the branch site is currently in the Analytics mode, and that the branch ION
device is already communicating with the CloudGenix controller.

• Optionally, configure the ION 7000 and switch the branch and data center sites from the Analytics
mode to the Control mode. The ION 7000 guarantees path symmetry and enables VPN termination
over the internet and the private WAN.

To deploy in the Control mode, proceed to connecting, claiming, assigning, and configuring the ION 7000,
and activating the branch and data center sites.


Connecting the ION 7000 or ION 9000 at a Data Center

Similar to the ION 3000, as soon as an ION 7000 or an ION 9000 is allocated to a site, it will display
automatically on the portal under Devices as Unclaimed and Offline.

The first step is to enable communication with the CloudGenix controller. To enable ION 7000, ION 9000,
ION 7000v, or ION 9000v communication with the controller, connect the controller port of the ION device
to a network that has access to the internet. By default, this port is DHCP-enabled. However, if static IP is
required, you may configure it by connecting to the device console port on the ION device.

After the port is connected and the ION 7000 or ION 9000 is powered on, the device will automatically
connect and register with the CloudGenix controller. When a secure connection with the controller is
established, the controller will authenticate the device, and the device state will change from Offline to
Online.

When this process is completed, the ION 7000 or ION 9000 will be available for claiming, assigning, and
configuration through the CloudGenix portal. Proceed to claiming the device, assigning it to a data center,
and configuring the ports on the device.


Claiming the ION 7000


A data center and the ION 7000 are not required for a simple deployment where you intend to simply
monitor the network and capture analytics in a branch, or actively control traffic between private WAN and
direct internet without VPNs. However, if you do have a data center, claim the ION 7000 at your data center
as follows:

1. From the portal, select MAP.

2. Select Unclaimed Devices. A list of unclaimed devices in your inventory will display.

3. Hover to the right of the device and under State, select the icon.

4. From the drop-down list, choose Claim the device, and select OK.

5. Repeat the above claim process for all additional devices in the data center.


Assigning the ION 7000


Before you can configure the ION 7000, you must assign it to a specific data center. This process associates
the device with the data center.

1. From MAP, select Claimed Devices.

2. Hover over the ION 7000 and under State, click the icon.

3. From the drop-down list, choose Assign to a site.

4. In the search box, type the name of the data center you wish to associate with this device.

5. Choose the data center and select Next.

6. Enter a name and description for the device, and select Next. The port configuration screen will
display.

7. While the device is in the process of being assigned in the background, begin configuring its ports.


Configuring the ION 7000


The ION 7000 provides eight 1GE ports and six 10GE SFP+ ports for flexible configuration. At least one port
must be configured to connect with the internet and one port to peer with a network.

To configure the ION 7000:

1. Select MAP > Claimed Devices and then select the device you wish to configure.

2. Click and select Configure the device. The device configuration screen will display.

From 1GE ports:

1. Select Port 1.

2. Leave Admin Up as the default Yes.

3. The Interface Type will display Port.

4. For Use This Port To, select Connect to Internet to enable public VPNs for a branch site.

5. For Circuit Label, select the circuit that connects to the internet. A circuit label is required.

6. For Configuration, select DHCP or Static.

a. If the IP address will be dynamically assigned, choose DHCP.

b. If the IP address is fixed and will be specified manually, choose Static. If you choose Static,
specify the IP Address/Mask, Default Gateway, and DNS server(s).

7. If the internet port IP will be a private IP behind a NAT firewall, you must fill out the External NAT
address and port field.

a. The External NAT address should be the public IP address NAT-translated to the ION’s IP on
this physical port.

b. The External NAT port should be the External NAT IP’s UDP port forwarded to UDP 4500 on
the ION’s IP on this physical port.

Note: Outside of this device configuration, if you have a firewall, you must allow protocol TCP 443 and
UDP 4500 in your firewall configuration.

8. Select Save Port.

9. Next, select a second port.

10. Leave Interface Status as is and Admin Up as default Yes.


11. Add a Description. This field is optional.

12. For Use This Port To, select Peer with a Network to inject routes toward the core router.

Note: You may pair any non-hardware ports together on the physical and virtual ION 7000. However,
ports 5/6 and ports 7/8 are hardware bypass port pairs and must therefore be configured as port
pairs. These port pairs may be set to fail open or closed.

13. For Circuit Labels, select the circuit(s) to peer with the network.

14. For Configuration, select DHCP or Static.

a. If the IP address will be dynamically assigned, choose DHCP.

b. If the IP address is fixed and will be specified manually, choose Static. If you choose Static,
specify the IP Address/Mask, Default Gateway, and DNS server(s).

15. Select Save Port.

16. Select Routing to configure routing for a data center. Depending on the deployment, WAN routing
behavior is different for a branch than for a data center. A key difference in configuration involves the
setting of global or local scope for prefixes. As data center ION devices do not advertise data center
prefixes, this option is not required.

You may configure routing and peer with other networking devices in the domain using Border
Gateway Protocol (BGP), configuring BGP global attributes, BGP peers, and Route Maps to filter
inbound and outbound routes. For more information, refer to Configuring Routing.

a. For CloudGenix AS number, enter the <Customer AS #>.

b. For Listen Peer 1 (WAN EDGE), enter the Remote IP address and the Remote AS number.

c. For Advertise Peer 1 (CORE PEER), enter the Remote IP address and the Remote AS number.

d. When done with the above, select Save.

17. Next, select SNMP Config to configure SNMP agent and traps as needed.

a. Enable v2 to configure Community or v3 to configure Users. Although both may be enabled,
at least one must be enabled.

b. If v3 is enabled, you may add a user by selecting Add User.

c. Define user attributes, including a name, optional engine ID, the security level, and the
authentication type.

18. You are not required to configure SNMP, Syslog Export and NTP client at this time. For more
information on configuring SNMP, Syslog Export and NTP client, refer to Configuring SNMP,
Configuring Syslog Server Support and Configuring NTP.

19. Select Save.


Congratulations! The ION 7000/7000v is now configured.

ION 7000v Virtual Ports - Similar to configuring ports on a physical ION 7000, configure the ports on the
virtual ION device. The virtual device has one controller port and up to nine configurable ports to connect to
the internet or peer with a network.
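
As an added example (not CloudGenix code), the following Python pre-flight check applies the internet-port steps above (circuit label, DHCP or Static, External NAT address and port) to a planned configuration before it is entered in the portal. The dictionary keys, the private-range list, and the sample addresses are assumptions made for this example.

```python
import ipaddress

# Ranges treated as "private IP behind a NAT firewall" (RFC 1918 plus RFC 6598
# shared space). This list is an assumption of the example.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
ION_UDP_PORT = 4500  # the guide forwards the External NAT port to UDP 4500


def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)


def check_internet_port(port, nat_forwards=None):
    """Return a list of problems in one planned internet-port configuration.

    port: dict with hypothetical keys that mirror the portal labels.
    nat_forwards: firewall UDP forwards as (public_ip, public_port, inside_ip,
                  inside_port) tuples; None skips the forwarding check.
    """
    problems = []
    if not port.get("circuit_label"):
        problems.append("circuit label is required")
    mode = port.get("configuration")
    if mode == "DHCP":
        return problems  # address is unknown until a lease is obtained
    if mode != "Static":
        return problems + ["configuration must be DHCP or Static"]

    ip_mask = port.get("ip_mask") or ""
    nat_ip, nat_port = port.get("external_nat_address"), port.get("external_nat_port")
    try:
        if "/" not in ip_mask:
            raise ValueError("mask missing from IP Address/Mask")
        iface = ipaddress.ip_interface(ip_mask)
        gateway = ipaddress.ip_address(port.get("default_gateway") or "")
        dns = [ipaddress.ip_address(d) for d in port.get("dns") or []]
        nat_addr = ipaddress.ip_address(nat_ip) if nat_ip else None
    except ValueError as exc:
        return problems + [f"addressing is incomplete or malformed: {exc}"]
    if not dns:
        problems.append("at least one DNS server is required")
    if gateway not in iface.network or gateway == iface.ip:
        problems.append("default gateway is not a neighbour on the port's subnet")

    if is_private(iface.ip):
        wanted = (nat_ip, nat_port, str(iface.ip), ION_UDP_PORT)
        if nat_addr is None or not nat_port:
            problems.append("private port IP: External NAT address and port are required")
        elif is_private(nat_addr):
            problems.append("External NAT address must be the public address")
        elif nat_forwards is not None and wanted not in nat_forwards:
            problems.append(f"no forward {nat_ip}:{nat_port}/udp -> {iface.ip}:{ION_UDP_PORT}/udp")
    return problems


# Constructed sample plan; 203.0.113.10 is a documentation address standing in
# for the site's public IP.
SAMPLE_PORT = {
    "circuit_label": "Internet Circuit 1", "configuration": "Static",
    "ip_mask": "10.20.30.2/30", "default_gateway": "10.20.30.1",
    "dns": ["10.20.0.53"],
    "external_nat_address": "203.0.113.10", "external_nat_port": 4500,
}
SAMPLE_FORWARDS = [("203.0.113.10", 4500, "10.20.30.2", 4500)]

if __name__ == "__main__":
    for line in check_internet_port(SAMPLE_PORT, SAMPLE_FORWARDS) or ["no problems found"]:
        print(line)
```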


Switching Sites to Control Mode


Switch sites to the Control mode to push network and security policies, prioritize applications, control
application paths, enable active-active WANs, and facilitate automatic zero-touch VPNs that connect all
SD-WAN branches.


Switching the Branch to Control Mode


Activate the branch before you activate the data center.

To switch a branch to control mode:

1. Select MAP > Sites. A list of sites will display.

2. Click the icon for a site and select Switch to Control Mode.

3. Select OK to confirm switching to the Control mode. Wait 3-5 minutes, and then view network and
application analytics. The system will now use all paths and populate all application charts.

Congratulations! The branch is now active.


Switching the Data Center to Control Mode


If your network includes a data center, activate it at this point so CloudGenix can enable VPNs between a
branch and a data center, and can provide secure paths to reach applications hosted in the data center.

To activate the data center:

1. From MAP, click , and then select Sites. A list of sites will display.

2. Click the icon for a site and select Switch to Control Mode.

Congratulations! The data center is now active.

As soon as the branch and the data center are activated, an automatic VPN will be established through
zero-touch configuration between the branch site and the data center over any configured internet paths
and over any private WAN paths, provided that both the branch and data center sites connect to the same
WAN network.

No administrator action will be required. The VPN path will be visible on the map view of your sites.

• Confirm that VPN paths come up so you may use them as available paths in your policies.

• Make sure to validate routing in the data center as follows. Confirm that:

  ◦ The BGP peering sessions are up between the ION 7000 and the WAN Edge/Core routers.

  ◦ The ION 7000 is advertising CloudGenix-enabled branch subnets to the Core routers.

  ◦ The ION 7000 is receiving routes from the WAN Edge routers.

Note:
VPN overlays between two branch sites can be enabled or disabled manually as needed.

Refer to the Application Note on Configuring a Secure Fabric Link Overlay for information on branch-to-
branch VPNs.


Monitoring Performance
The CloudGenix portal provides two different ways of monitoring the performance of your sites and paths.
You can view the monitoring summary of all your sites on the Dashboard.

With an active branch and an optional, active data center in place, you can begin viewing your network and
application performance and traffic analytics per site from Activity.


Dashboard
The interactive Monitoring Summary and Link Quality Details dashboards give you visibility into the
device connectivity status and link quality metrics of all your links in all sites.

The Monitoring Summary provides a summarized and graphical view of the data. The following
dashboard widgets present the analytical data in a visual and graphical format. Each widget and its
monitoring capabilities are described in detail below.

Note:
All data is refreshed at an interval of five (5) minutes.


Device to Controller Connectivity


The Device to Controller Connectivity widget depicts the number of Online and Offline devices
connected to the CloudGenix controller for a Branch and Data Center. This interactive graph allows you to
drill into the online and offline status of claimed devices in the Maps > Claimed Devices page for the
corresponding branch and data center.


Top Sites by Alarms


The Top Sites by Alarms widget enables you to group your top branch and data center sites with the
number of alarms generated for the corresponding site. You can click a branch or data center site to see all
the alarms generated under the Faults (Alarms) and Alerts.


Link Quality Metrics


The link quality metrics dashboard provides a snapshot of the current state of the links that you are
monitoring. You gain insight over the Link MOS (Mean Opinion Score), Link Packet Loss, Link Jitter,
and Link Latency from the dashboard. Links are displayed by default for all your sites and for the most
recent time range (Last Available 5 Minutes or Last Available Hour). The interactive dashboard
provides filters to change the scope of data displayed; it allows you to analyze information you want to view
in greater detail in the Link Quality Details tab.

Based on the link quality metrics chosen to view in greater detail, filter the data based on Interval, Start
Time, and Direction. The interactive dashboard allows you to change the metric to any other link quality
metrics to view the corresponding graphs. The last data distribution range of the bar graphs is to the 90th
percentile of the available data.

The Links table enables you to view all secure fabric links between two sites along with the Circuit and
WAN information. You can also view the link quality metrics and Link Type for each link. You can sort the
table information based on a particular link quality metric displaying the corresponding worst value on top.
Expand the site detail to view the link quality metrics for ingress and egress flows. It enables you to view
the link quality chart per site and path. The chosen site and path are the pre-selected filter criteria for the
Activity chart that displays the corresponding information.


Activity Charts
Network, Media, Link Quality, Flows, Routing, and System charts provide analytics at a network,
application, transaction, session, and system level as needed.

These charts contain historical data, with the option to download charts for your use.


Viewing Network Analytics


Network analytics include information on bandwidth utilization, transaction statistics, application health,
application response times, and new and concurrent flows. In addition to common analytics, CloudGenix
provides information on application initiation, transaction successes and failures, application reachability,
and application performance on available and allowed paths.

To view network analytics:

1. From the portal, select Activity.

2. From start time, select the 1 hour or 1 day filter to display its respective analytics.

3. Select a branch site, and then select all WANs.

The Network charts will display a breakdown of bandwidth utilization over select path types for a select
time-period. To see more granular information on a per-application level, select the icon next to Apps,
and select one or more applications by which to filter.


Viewing Real-Time Media Analytics


For real-time media applications, including encrypted Web real-time communication (RTC) applications,
CloudGenix identifies the individual voice and video sub-streams and the specific
compression/decompression (CODEC) used. Useful data include audio and video jitter, packet loss,
bandwidth utilization, and audio MOS score.

To view real-time media analytics:

1. From the portal, select Activity.

2. From Activity, select Media.

3. Select one site and one app to view media analytics for that application.

The Media charts will display.


Viewing Link Quality Metrics


Link Quality Metrics (LQM) is enabled for all private WAN and internet VPN paths between a branch and
a data center. LQM is a site-level configuration, and is enabled on all configured paths by default. It can be
de-selected at any time to disable this function.

LQM measures and reports information on link quality at regular intervals to the ION devices at a branch and
a data center. It provides information on:

• Link quality in both directions, branch to data center and data center to branch.

• Round Trip Time (RTT) latency, ingress and egress jitter, packet loss, and MOS scores.

To render LQM:

1. From the portal, select Activity.

2. From Activity, select Link Quality.

3. Next, select the following mandatory filters:

a. Single site
b. Single private WAN OR single internet VPN path.

The Link Quality charts will display.


Viewing the Flow Browser


The Flow Browser provides detailed information on flows per site and application. A flow consists of source IP,
destination IP, port information, and application and protocol information. Through Advanced search, you
may filter flows by IP addresses, ports, and/or protocols.

To view application flow details:

1. From the portal, select Activity.

2. From Activity, select Flow.

3. Select a path or all WANs.

4. Select one site at a time to display flow details.

The Flow related records will display the last 1000 flows for the selected one-hour time-period. You may
filter it by the application, WAN path, or both.


Viewing Routing Stats


Routing Stats displays information on device peering and advertised routes. Peering will be seen if the data
center site is configured and activated, and the core and/or WAN edge routers are configured with BGP
peering.

To view routing stats:

1. From the portal, select Activity.

2. From Activity, select Routing.

3. Select a site of your choice.

The Routing charts will display.

You are now well on your way to monitoring and analyzing network and application performance and traffic.
This is just the beginning of granular visibility into your network and its applications.


Viewing System Metrics


System Metrics provides detailed information on CPU Utilization, Free Memory, and Free Disk
space for both branch and data center ION devices.

To view System metrics for an ION device:

1. From the CloudGenix portal, select Activity > System.

2. From Quick Filters on the left pane, under Sites, select a site, and under Devices, select a device.
This can be an ION device from either a branch or data center.

3. The system information charts of the device are displayed, which include CPU Utilization, Free
Memory, and Free Disk space. Select a Time Frame from the menu bar. The 1H view provides
granular per-minute data, and the 1D view shows data every 5 minutes.
