Aruba Sdwan Lab
Aruba Sdwan Lab
Aruba Sdwan Lab
com
ECV-1 VM Setup
K1-MPLS VM Settings
K2-Internet VM Settings
TG-1011 VM Setup
TG-2011 VM Setup
TG-3511 VM Setup
• Generate Account name and Account Key for orchestrator and EdgeConnect Appliance, which
are used to register Orchestrator EdgeConnect Appliance with Cloud Portal using the same
account name and key
• When you first log in to the orchestrator, a configuration dialog box appears which must be filled in
according to the specified parameters, Select ProductEdgeConnect – Go to the License and
Registration menu, then enterAccount name and Account Keywhich was generated earlier.
• After enteringAccount name and Account Keyclick next, then fill in the parameters as
follows:
a. Enable SSL: Not selected
b. Enable Authentication: Selected
c. SMTP Server: 192.168.1.200 (optional)
d. SMTP Users:[email protected] (optional)
e. Email Sender:[email protected] (optional)
f. SMTP Password: Speak-123 (optional)
g. Server Ports: 25
h. Require Email Verification: Not selected
i. Send a Test Email to: [email protected] (optional)
j. Email Alarms to:[email protected] (optional)
• Clicknext, then fill in the next parameters as follows:
a. Protocol: FTP
b. Hostname: 192.168.1.200
c. Username: anonymous
d. Password: Speak-123
e. Directory: /GMS
f. Ports: 21
g. Max backups to retain: 3
• To configure the group, right click the appliance then enter the group name, here we fill in the group according to
the site name.
• After configuring the group, then configure the label, to create a new label, clicknew label
then fill in the parametersWANorLANby fillinglabel name and topology.
• Drag and drop the input template toavailable templatesfor the following parameters:
a. SNMP
b. Admin Distance
c. Routes
d. Shaper
• Drag and drop the input template toactive templatesfor the following parameters:
a. DNS
b. Date/Time
c. User Management
d. Management Services
e. Session Management
• In active template configData/Time, input timezone information, NTP Server etc
• Without a deployment profile it might take a lot of time when you first start discovering
EdgeConnect, because we have to create interface configuration parameters from the start
• Datacenter – HA
LAB 4
Added EdgeConnect to Orchestrator
• Before adding EdgeConnect to the orchestrator, the first thing we have to do is map
the MAC address settings of each connected interface to wan0, wan1, lan etc.
• The following are the MAC address interface settings for each EdgeConnect.
• After entering the appropriate MAC address of each interface, thenEnter Account Name
and Account Key, then clickSave, then ECV will automatically reboot
• Do the same with ECV-3 to ECV-5
• Make sure that after rebooting, the VM status is normal and all ECVs can be accessed again
• Next, we do Approve for each ECV, then we have to enter several parameters. For other
ECVs, the method is the same, only the IP address and label parameters may be
different at each site.
Select the deployment profile according to the topology we have, and fill in the IP address, label, etc. information.
8
• Continue approving ECV-3, do the same with ECV-2
ECV-3
ECV-5
• Then select EdgeConnect HA, and select itHA Peernamely ECV-3 and appropriate interfacesHA
linkin the unused ECV-3.
• Then clickCacl link,so that the total inbound and outbound will be updated, then clicksave
• Change the site name for ECV-2 and ECV-3, To prevent unnecessary tunnels from being created
between two devices in EdgeConnect HA, you must create the same site name for each
appliance. This prevents Orchestrator from building an underlay tunnel between them. To
change the site name, each is configured in ECV2 and ECV3.
• VRRP is configured when the HA and site name configuration has been done.
• Click the Mumbai group, so ECV-2 and ECV-3 are automaticblocked.
• ChooseConfiguration – Networking – VRRP
• On ECV-2 clickedit, fill in the parameters likegroup id, virtual-ipAndpriorities. In the VRRP
configuration, we make ECV-2 the Master by changing the priority to 254.
• Check the status of ECV-2 and ECV-3, there you will see the status of the HA interface and VLANs 100,101
and 102 will automatically be formed on ECV-2 and ECV-3 which will automatically be formed on the HA
interface (wan1.100, wan1.101 etc.) , the IP address will also be automatically configured with the subnet
169.254.1.x/30
• Both the ECV-2 and ECV-3 show interfaces labeled MPLS, LTE and Internet, one making
use of physical wan0 and wan1 connections, and the other using HA connections
(wan2.102, wan1.101, and wan1.100)
• Because previously we configured VRRP on ECV-2 and ECV-3 towards the LAN, namely to TG-2011, we have
to change the TG-2011 gateway to VRRP IP, namely 10.110.20.100.
• We test ping toTG-1011AndTG-3511the results are ok, while we trace traffic via ECV-2
• Test failover by disabling the lan port on ECV-2, we can check the results when the lan interface on ECV-2 is
disabled, traffic passes via 10.110.20.102, namely ECV-3
• Site 3 - Santa Clara is a data center with ECV-4 and ECV-5 for traditional HA architecture.
Both applications have MPLS and WAN internet links. In this lab, we configure VRRP and
other settings that enable Traditional HA.
• We configuresite namefor ECV-4 and ECV—5 to be insite namethe same one
• As before, we make the ECV-5 metric 60 so that the preferred route from the LAN will go through
the VRRP Master, namely ECV-4.
• Change the default gateway on the TG-3511 to 10.110.35.100, namely the IP of the VRRP IP
• Verify ping and traceroute to TG-1011 and TG-2011 results are ok and traffic via ECV-4
• ClickAppliance tree, then searchSchedule & Run Reports.Then create a new report by clicking
New Report
• Enter the menuPreconfigure Appliance – Click New – Fill in the Name – Checklist Auto Approve – Fill in the
Tag – Paste the YAML config – Click Validate – Click Save
• Double Click the batch fileASD Setupand wait until the process is complete
UTRA 42
• Once finished, check the progress in Preconfigure Appliance and clickRefresh.It takes 10-15
minutes for preconfiguration to complete.
• Verify that the orchestrator can communicate with the cloud portal and is registered
• The loopback interface in the orchestrator is the same as other loopback interfaces that
use /32 or others. Enter menuConfiguration – Networking – Loopback Orchestrator
Note : By default, subnet 10.0.0.0/24 is added to be allocated by Orchestrator for the loopback interface. So we have to
change it manually
Note: Orchestrator automatically creates loopback interfaces on all appliances with /32, the results may or may not be sequential.
And lo20000 is automatically created by the orchestrator on each appliance along with the loopback IP address. Cannot edit loopback ip address
• Test the connection between the loopback interfaces, here is an example of a ping from ECV-1 to ECV-5
• When we have several types of traffic used towards the internet, and we don't want to
backhaul all the traffic to the site-3 data center, because this can increase latency and
use unnecessary bandwidth on our WAN link back to the data center.
• The solution is to configure a local internet breakout for service via a passthrough tunnel using
an interface that connects to the internet.
• Some traffic that matches DefaultOverlay will be backhauled to Site-3, where it can be
checked by the firewall if necessary.
• For example, LAB uses a UBU-1 host with network 10.110.xx which is isolated and not
connected to the internet
• The purpose of this lab is to configure Business Intent Overlay to break up traffic that does not match
the internet subnet on our network.
• Before configuring, we test the loopback connection between sites and see the traffic flow
Noted: internet subnet where the subnets listed in the table above are included in the internal subnet that will be sent via
overlay tunnel, while subnets that are not yet listed in the table will go to the external subnet and be considered external traffic
Internet
• From the table list above, the prefix 11.1.1.0 is not included in the list, but why is it not sent from one
of the WAN interfaces as a local internet breakout?
• Now we go intoBusiness Intent Overlay
EnterConfiguration – Overlay&Security – Business Intent Overlay
SAPUTRA 48
• If we look at the DefaultOverlay breakout overlay configuration, the preferred policy order column
only contains Backhaup via Overlay, while Internet Breakout (Break Out Locally) is not entered in
the column, it is still in the available column.
• So traffic to 11.1.1.11 drops because of this, if the backhaul fail policy will drop
• In this lab we will perform direct internet breakout from branches for traffic that matches the
RealTimes, CriticalApps and BulkApps overlays
• However, for DefaultOverlay we want to backhaul traffic from Site-1 and Site-2 by
going to the internet to our data center (which has a firewall on the internet
connection). If the connection to the data center is lost we want to allow Site-1 and
Site-2 to Breakout Locally uses their own local internet connection for
DefaultOverlay traffic
• Configure RealTimes Overlay, Critical Apps and BulkApps as follows:
• Enter the tableBusiness Intent Overlay
• ClickBackhaul Policyin columnBreakout Traffic to Internet & Cloud Services
• DragBrakout Locallyto the columnPreferred Policy Order, put it at the top
• Drag interfaceINET1toPrimary Column
• Do the same steps for the CriticalApps and BulkApps Overlays
Noted : Flow will go through the passthrough tunnel associated with the previous Overlay DefaultOverlay to the next-hop router WAN1 10.110.104.1.
And what needs to be understood in this case is that no route to the destination is required, because the next-hop router knows how
how to reach the source subnet
• When we check the route table on ECV-1 there is no prefix 11.1.1.11 or even a default route for
communication with that subnet.
• We have tried the internet traffic lab that matches DefaultOverlay. When the ping echo request from
TG-1011 to UBU-1 is backhauled before being broken down by the device at Site-3
• Now we will try something else, namely we make sure that traffic that matches with different
overlays is split by the local machine rather than being backhauled first, by doing an FTP from the
TG-1011
• We can see that FTP traffic does not pass through ECV-4 or ECV-5 because the BulkApps Policy is
set to Breakout Locally in the first set and backhaul in the second set, and the overlay and tunnel
used are BulkApps not DefaultOverlay
• The appliance will advertise the learned subnet through subnet sharing between appliances to the ARUBA
AOS-CX switch and become the preferred path to optimize traffic.
• If the appliance is down, then routes will not be advertised to the ARUBA AOS-CX switches
and they will use their route tables to forward traffic accordingly.
• We will configure OSPF on ECV-2 and ECV-3
Click Site Mumbai (ECV-2 and ECV-3) blocked – Configuration – Networking – Routing – OSPF
Note: EdgeConnect currently only supports one area, and we can see that the OSPF connection between ECV and AOS-CX neighbor status is Full
• Check the route on ECV-2 and ECV-3 to ensure that it receives route 10.110.20.0 from AOS-CX, if we
see cost 101, it is because the default link cost from the appliance is 1 while from AOS-CX it is 100
Note: Default route 0.0.0.0/0 is received from ECV-2 and ECV-3, and receives prefix 10.110.10.0/24 from Site-1 Singapore, which is Site-1
not OSPF configuration. Prefix received from Subnet Sharing, subnet shares are redistributed to OSPF by default
• The appliance will advertise the subnet learned from subnet sharing between appliances to the router and
become the preferred path for traffic originating from the TG-3511 and TG-11411
• If the appliance is down, routes will not be advertised to the AOS-CX-3
• ECV-4 and ECV-5 use iBGP peering with AOS-CX-3
• Currently there are no appliances that have a route to the 10.110.35.0/24 subnet, only the AOS-
CX-3 has a route to 10.110.35.0/24
• We will configure BGP Peering on ECV-4 and ECV-5
Click Site Santa Clara (ECV-4 and ECV-5) blocked – Configuration – Networking – Routing – BGP
Note: Pings from ECV-5 to TG-3511 can now go directly via LAN0
• Route Maps controls the redistribution of routes between different routing protocols, in
EdgeConnect it means Subnet sharing (SD-WAN Fabric), BGP and OSPF
• Inbound Route Map controls what can potentially be distributed into SD-WAN and become
subnet sharing between EdgeConnect
• Outbound Route Map which controls what is being redistributed by EdgeConnect, for example
ECV-2 to other routing protocols such as OSPF or BGP by EdgeConnect
• Route maps that control distribution to other protocols can be found on the configuration page for
each protocol, both OSPF and BGP
• BGP is slightly different from OSPF because it contains inbound and outbound route maps per peer
• Metric configuration of subnet sharing into BGP, so that AOS-CX-3 is preferred over
ECV-5, by default BGP will allow all sources into BGP without any changes
• If we look at the routing table on AOS-CX-3, there is no route from TG-2011, namely 10.110.20.0/24.
In the ECV-4 and ECV-5 routing tables there is also no prefix 10.110.20.0/24, whereas when we check
the BGP route map it already allows OSPF.
Note: Because it has the same cost, traffic towards TG-14111 is load balanced and will exit randomly via the ECV-4 tunnel
and ECV-5 tunnels
Note: If we look at ECV-1 it has routes from all ECVs for the prefix 10.110.114.0/24, but ECV-1 only forwards traffic to ECV-4 and
ECV-5, this is because even though ECV-1 has all metrics of 50, the AD for the original subnet sharing is 10 which is better than
The AD of OSPF is 15
• From the route results at Site-3, it can be concluded that the prefixes learned for subnets at
Site-3 are only learned from devices that are directly connected to that subnet.
- 10.110.107.0 learned via subnet sharing of ECV02 and ECV-3
- 10.110.20.35.0 learned via BGP from AOS-CX-3
- 10.110.20.0 learned via subnet sharing of ECV-2 and ECV-3
- Since ECV-2 and ECV-3 allow distributing to SD-WAN fabric, the prefix of AOS-CX-2 will
not be marked with tag 999
- 10.110.10.0 learned via subnet sharing from ECV-1
- AOS-CX-2 applies metric 100 on Gigabit interfaces for OSPF, and ECV uses metric 1 for
Gigabit interfaces