Manage Gateway Pools and Gateways

Arista network consists of multiple service Gateways deployed at top tier network and cloud data centers. The Gateway provides the advantage of cloud-delivered services and optimized paths to all applications, branches, and data centers. Service providers can also deploy their own Partner Gateways in their private cloud infrastructure.

Manage Gateway Pools

A Gateway Pool is a group of Gateways.

Gateways can be organized into pools that are then assigned to a network. An unpopulated default Gateway pool is available after you install Orchestrator. If required, you can create additional Gateway pools.

As an Operator Super user and Operator Admin user, you can create, clone, manage, download, and delete Gateway pools created by both Operator and Partner users.

Note: Operator Business Specialist user and Operator IT support user can only view the configured Gateway pools and download the CSV file.

To manage Gateway pools, perform the following steps:

Log into the Orchestrator as an Operator Super user or Admin user.
In the Orchestrator UI, select the Gateway Management tab and go to Gateway Pools in the left navigation pane.

The Gateway Pools page appears.

Figure 1. Manage Gateway Pools
To search a specific Gateway pool, enter a relevant search text in the Search box. For advanced search, select the Filter icon next to the Search box to filter the results by specific criteria.

The Map Distribution section is used for displaying the Gateways on a map. You can select the + and - buttons to zoom in and zoom out the map, respectively. In the Gateway Pools table, if you have selected any Gateway pools then only the Gateways in the selected pools are displayed on the map. Otherwise, all Gateways are displayed on the map.

The Gateway Pools table displays the existing Gateway pools with the following details.

Table 1. Gateway Pools Field Descriptions
Field	Description
Name	Specifies the name of the Gateway pool. When selecting a Gateway pool link in the Name column, the user gets redirected to the Gateway Pools Overview page.
Gateways	Specifies the number of Gateways available in the Gateway pool. When selecting a Gateway link in the Gateways column, the user gets redirected to the Gateway Overview page.
IP Version	Specifies whether the Gateway pool is enabled with IPv4 address or both the IPv4 and IPv6 addresses. Note: When assigning Gateways to the Gateway pool, ensure that the IP address type of the Gateway matches the IP address type of pool.
Customers	Specifies the number of Enterprise Customers associated with the Gateway pool. When selecting a Customer link in the Customers column, a dialog opens with listed customers. If a user selectsa customer then the user gets redirected to the Configure Customers page.
Partner Gateway	Specifies the status of the Partner Gateway. The following are the available options: None- Use this option when Enterprises assigned to this Gateway pool do not require Gateway Partner handoffs. Allow- Use this option when the Gateway pool must support both Partner Gateways and Cloud Gateways. Only (Partner Gateways)- Use this option when Edges in the Enterprise should not be assigned Cloud Gateways from the Gateway pool, but can use only the Gateway-1 and Gateway-2 that are set for the individual Edge.
Managed Pool	Specifies if a Partner can manage the Gateway pool.

On the Gateway Pools page, you can perform the following activities:New Gateway Pool – Creates a new Gateway pool. See Create New Gateway Pool.

Clone – Creates a new Gateway pool, by cloning the existing configurations from the selected Gateway pool. See Clone a Gateway Pool.
Download- Downloads the CSV file for all Gateway pools or the selected Gateway pool.
Delete – Deletes the selected Gateway pool. You cannot delete a Gateway pool that is already being used by a Partner or an Enterprise Customer.
You can also configure the existing Gateway pools by selecting the name link of the Gateway pool. See Configure Gateway Pools.

Create New Gateway Pool

In addition to the default Gateway pool, you can create new Gateway pools and associate them with Enterprise Customers.

In the Orchestrator UI, select the Gateway Management tab and go to Gateway Pools in the left navigation pane. The Gateway Pools page appears.
Select New Gateway Pool.

In the New Gateway Pool dialog, configure the following details and select Create.

Table 2. New Gateway Pool Field Descriptions
Field	Description
Name	Enter a name for the new Gateway pool.
Description	Enter a description for the Gateway pool.
Partner Gateway Hand Off	This option determines the method to hand off the Gateways to Partners. Choose one of the following options from the drop-down list: None – Select this option when Partner Gateway hand off is not required. Allow – Select this option when you want the Gateway pool to support a mix of both the Partner Gateways and Cloud Gateways. Only Partner Gateways – Select this option when Edges in the Enterprise should not be assigned with Cloud Gateways from the pool, and will only be assigned with the Gateways that are set for an individual Edge.
IP Version	Choose one of the following address types with which the Gateway pool should be enabled: IPv4 – Allows to add IPv4 only Gateways. IPv4 and IPv6 – Allows to add Gateways with IPv4 and IPv6 addresses. Note: If you want to use Edges with IPv6 support, then choose IPv4 and IPv6.

Configure the Gateway pool by adding Gateways to the pool. See Configure Gateway Pools.

Clone a Gateway Pool

You can clone the configurations from an existing Gateway pool and create a new Gateway pool with the cloned settings.

In the Orchestrator UI, select the Gateway Management tab and go to Gateway Pools in the left navigation pane. The Gateway Pools page appears.
In the Gateway Pools table, select the Gateway pool that you want to clone and select Clone. The New Gateway Pool dialog with the cloned settings appears.

Figure 3. Clone a Gateway Pool
The Gateway pool clones the existing configuration from the selected Gateway pool. If required, you can modify the details. For additional information on the options, see Create New Gateway Pool.
After updating the Gateway pool details, select Create.

Configure the Gateway pool by adding Gateways to the pool. See Configure Gateway Pools.

Configure Gateway Pools

After creating a Gateway pool, you can add Gateways to the pool and associate the pool to an Enterprise Customer.

Whenever you create a new Gateway pool or clone a pool, you are redirected to the Gateway Pool Overview page to configure the properties of the pool.

To configure an existing Gateway pool:

In the Orchestrator UI, select the Gateway Management tab and go to Gateway Pools in the left navigation pane. The Gateway Pools page appears.
Select the name link to a Gateway pool that you want to configure.
Configure the following details for the Gateway pool:
Figure 4. Configure Gateway Pools
1. In the Properties section, the existing Name, Description, Partner Gateway Hand Off details, and the Association Type are displayed. If required, you can modify these details.
2. In the Gateways in Pool section, select Manage to add Gateways to the pool. The Assign Gateways to Gateway pool dialog appears.
3. In the Assign Gateways to Gateway pool dialog, move the required Gateways from the Available pane to Assigned pane using the arrows and select Update.
Figure 5. Assign Gateways to Gateway pool
The Gateways assigned to the selected Gateway pool are displayed as follows.

Figure 6. Gateways in Pool
Select Save Changes.
The configured Gateway pools are displayed on the Gateway Pools page.

You can associate the Gateway pool to a Partner or an Enterprise Customer. The Edges available in the Enterprise are connected to the Gateways available in the pool.

Refer to the following links to associate the Gateway pool:

For a new customer, see Create New Customer.
For an existing customer, see Configure Customers.
For a new Partner, see Create New Partner.
For an existing Partner, see Configure Partner.

Manage Gateways

VeloCloud Gateways are a distributed network of gateways, deployed around the world or on-premises at service providers, provide scalability, redundancy and on-demand flexibility. The Gateways optimize data paths to all applications, branches, and data centers along with the ability to deliver network services to and from the cloud.

By default, the Gateways named as gateway-1 and gateway-2 are available when you install Orchestrator. If required, you can create additional Gateways.

As an Operator Super user and Operator Admin user, you can create, manage, and delete Gateways created by both Operator and Partner users.

Note: The Operator IT support user and Operator Business Specialist user can only view the configured Gateways.

To manage Gateways, perform the following steps:

Log into the Orchestrator as an Operator Super user or Admin user.

In the Orchestrator UI, select the Gateway Management tab and go to Gateways in the left navigation pane.

The Gateways page appears.

To search a specific Gateway, enter a relevant search text in the Search box. For advanced search, select the filter icon next to the Search box to filter the results by specific criteria.

The Map Distribution section is used for displaying the Gateways on a map. You can select the + and - buttons to zoom in and zoom out the map, respectively.

The Gateways table displays the existing Gateways with the following details.

Table 3. Gateways Field Descriptions
Field	Description
Name	Name of the Gateway
Status	Reflects the success or failure of periodic heartbeats sent by mgd to the Orchestrator and does not indicate the status of the data and control plane. The following are the possible statuses: Connected – Gateway is heart beating successfully to the Orchestrator. Degraded – Orchestrator has not heard from the Gateway for at least one minute. Offline – Orchestrator has not heard from the Gateway for at least two minutes.
CPU	Average CPU utilization of all the cores in the system at the time of the last heartbeat.
Memory	Percentage usage of the physical memory by all processes in the system as reported by `psutil.phymem_usage` at the time of the last heartbeat. This is similar to estimating the percentage of memory usage using the free command.
Edges	Number of Edges connected to the Gateway at the time of the last heartbeat. Note: Select View next to the number of Edges, to view all the Edges assigned to the Gateway as well as their online/offline status on the Orchestrator. This option does not display the Edges that are actually connected to the Gateway.
Service State	The user-configured service state of the Gateway and whether it is eligible to be assigned to new Edges.
IP Address	The public IP address that public WAN links of an Edge use to connect to the Gateway. This IP address is used to uniquely identify the Gateway. If the Gateway is enabled to accommodate both IPv4 and IPv6 addresses, this column displays both the IP addresses.
Location	Location of the Gateway from GeoIP (by default) or as manually entered by the user. This is used for geographic assignment of the Gateway to Edges and should be verified.

On the Gateways page, you can perform the following activities:
- New Gateway – Creates a new Gateway. See Create New Gateway.
- Delete Gateway – Deletes the selected Gateway. You cannot delete a Gateway that is already being used by a Partner or an Enterprise Customer.
- Stage to Bastion - Stages a Gateway to the Bastion Orchestrator.
- Unstage from Bastion - Removes a Gateway from the Production Orchestrator.
  Note: Stage to Bastion and Unstage from Bastion options are available only when the Bastion Orchestrator feature is enabled using the session.options.enableBastionOrchestrator system property.
  For additional information, see Bastion Orchestrator Configuration Guide.
- Support Request – Redirects to a Knowledge Base article that has instructions on how to file a support request.

Create New Gateway

In addition to the default Gateways, you can create Gateways and associate them with Enterprise Customers.

To create a Gateway, perform the following steps.

In the Orchestrator UI, select the Gateway Management tab and go to Gateways in the left navigation pane. The Gateways page appears.
Select New Gateway. The New Gateway dialog appears.

In the New Gateway dialog, configure the following details:

Table 4. New Gateway Field Descriptions
Field	Description
Name	Enter a name for the new Gateway.
IPv4 Address	Enter the IPv4 address of the Gateway.
IPv6 Address	Enter the IPv6 address of the Gateway.
Service State	Select the service state of the Gateway from the drop-down list. The following options are available: In Service- The Gateway is connected and available. Out of Service- The Gateway is not connected. Quiesced- The Gateway service is quiesced or paused. Select this state for backup or maintenance purposes. Note: The Quiesced and Out of Service states are only applicable for Cloud Gateway deployment.
Gateway Pool	Select the Gateway Pool from the drop-down list, to which the Gateway would be assigned.
Authentication Mode	Select the authentication mode of the Gateway from the following available options: Certificate Not Required- Gateway uses a pre-shared key mode of authentication. Certificate Acquire- This option is selected by default and instructs the Gateway to acquire a certificate from the certificate authority of the Orchestrator, by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Gateway uses the certificate for authentication to the Orchestrator and for establishment of VCMP tunnels. Note: After acquiring the certificate, the option can be updated to Certificate Required. Note: With the Bastion Orchestrator feature enabled, the Gateways that are to be staged to Public Orchestrator should have the Authentication mode set to either Certificate Acquire or Certificate Required. Certificate Required- Gateway uses the PKI certificate. Operators can change the certificate renewal time window for Gateways using the system properties.
Contact Name	Enter the name of the Site Contact.
Contact Email	Enter the Email ID of the Site Contact.

Note:

Once you have created a Gateway, you cannot modify the IP addresses.
Release 4.3.x and 4.4.x support Greenfield deployment of Gateways for IPv6. If you have upgraded a Gateway from a previous version earlier than 4.3.0, you cannot configure the upgraded Gateway with the IPv6 address.
Release 4.5.0 supports both the Greenfield and Brownfield deployment of Gateways for IPv6. If you have upgraded a Gateway from a previous version earlier than 4.5.0, you can dynamically configure IPv6 address for the Gateway.
IPv4/IPv6 dual-stack mode is not supported for Bastion Orchestrator configuration.

Once you create a new Gateway, you are redirected to the Configure Gateways page, where you can configure additional settings for the newly created Gateway.

To configure additional settings for the Gateway, see Configure Gateways.

Configure Gateways

When you create a new Gateway, you are automatically redirected to the Configure Gateways page, where you can configure the properties and other additional settings for the Gateway.

To configure an existing Gateway:

In the Operator portal of the Orchestrator, select the Gateway Management tab and go to Gateways in the left navigation pane. The Gateways page displays the list of available Gateways.
Select the link to a Gateway that needs to be configured for additional settings. The details of the selected Gateway are displayed in the Configure > Gateways page.

In the Overview tab, you can configure the following details:

Figure 9. Configure Gateways Overview Screen

Table 5. Configure Gateways Field Descriptions
Option	Description
Properties	Displays the existing Name and Description of the selected Gateway. If required, you can modify the information. You can also configure the Gateway Roles, as required: Data Plane- Enables the Gateway to operate in the Data plane and is selected by default. Control Plane- Enables the Gateway to operate in the Control plane and is selected by default. Secure VPN Gateway- Select the option to use the Gateway to establish an IPsec tunnel to a Non SD-WAN Destination. Partner Gateway- Select the check box to allow the Gateway to be assigned as a Partner Gateway for Edges. If you select this option, configure the additional settings in the Partner Gateway (Advanced Handoff) Details section. CDE- Enables the Gateway to operate in Cardholder Data Environment (CDE) mode. Select this option to assign the Gateway for customers who require to transmit PCI traffic. Cloud-to-Cloud Interconnect- Select the option to enable cloud-to-cloud-interconnect (CCI) tunnels on the VeloCloud Gateways. Note: This Gateway Role option is shown if the`session.options.enableZscalerCci` system property is set to True. Symantec Web Security Service: Enables the Gateway's Symantec Web Security Service capability. The Orchestrator assigns this Gateway to the Edge as WSS Primary Gateway or WSS Secondary Gateway. Note: This assignment works only when the Gateway Pool's Partner Gateway Handoff is not set to Only.
Status	You can configure the following details: Status- Displays the status of the Gateway which reflects the success or failure of periodic heartbeats sent to the Orchestrator. The following are the available statuses: Connected- Gateway is heart beating successfully to the Orchestrator. Degraded- Orchestrator has not heard from the Gateway for at least one minute. Offline- Orchestrator has not heard from the Gateway for at least two minutes. Service State- Select the Service State of the Gateway from the following available options: In Service- The Gateway is connected, and it is available for Primary or secondary tunnel assignments. When the Service state of the Gateway is switched from the 'Out Of Service' to 'In Service' state, the Primary or Secondary assignments, Super Gateways, Edge-to-Edge routes are recalculated for each Enterprise using the Gateway. Pending Service- The Gateway is connected, and it is pending for tunnel assignments. Out of Service- The Gateway is not connected or not available for any assignments. All the existing assignments are removed. Quiesced- The Gateway service is quiesced or paused. No new tunnels or NSD sites can be added to the Gateway. However, the existing assignments would still remain in the Gateway. Select this state for backup or maintenance purposes. Note: The Quiesced and Out of Service states are only applicable for Cloud Gateway deployment. When the Service state is Quiesced, Orchestrator provides a self-service migration functionality that allows you to migrate from your existing Gateway to a new Gateway without your Operator’s support. For additional information, see Quiesce Gateways. Note: Self-service migration is not supported on Partner Gateways.
Connected Edges	Displays the number of Edges connected to the Gateway. This option is displayed only when the Gateway is activated.
Gateway Authentication Mode	Select the authentication mode of the Gateway from the drop-down menu: Certificate Deactivated- Gateway uses a pre-shared key mode of authentication. If you change the mode from Certificate Deactivated to: Certificate Acquire: Tunnels based on PSK mode are not impacted. Only tunnels with Gateways are impacted. These tunnels are reconnected based on certificate. All tunnels configured with PSK mode continue to stay active and no disruption is seen in the traffic. Certificate Required: The Orchestrator does not directly allow this change. You must first change the mode to Certificate Acquire, and then change it to Certificate Required. This helps avoiding heartbeat loss to the Orchestrator, when Edge is assigned a certificate. Certificate Acquire- This option is selected by default and instructs the Gateway to acquire a certificate from the certificate authority of the Orchestrator, by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Gateway uses the certificate for authentication to the Orchestrator and for establishment of VCMP tunnels. If you change the mode from Certificate Acquire to: Certificate Deactivated: PSK based tunnels are not impacted. Tunnels with Gateways and all certificate-based tunnels are disconnected and reconnected based on PSK. Certificate Required: All peers configured with PSK mode are disconnected and cannot connect to the Hub. All current RSA tunnels stay active. When the Hub is in Certificate Acquire mode, the tunnels based on the certificate are reestablished with new certificate. PSK based tunnels are not impacted. Note: After acquiring the certificate, the option can be updated to Certificate Required. Certificate Required- Gateway uses the PKI certificate. Operators can change the certificate renewal time window for Gateways using the system property `gateway.certificate.renewal.window`. If you change the mode from Certificate Required to: Certificate Deactivated: All peers with RSA tunnel are disconnected and cannot reconnect. All peers configured with PSK mode continue to stay active and no disruption is seen in the traffic. Certificate Acquire: All peers configured in PSK mode reconnect with Hub/Gateway. All current RSA tunnels stay active. Note: When Gateway certificate is revoked, the Gateway does not receive certificate revocation list (CRL) as it loses TLS connection immediately. Anyway, the Gateway is still operable. The current QuickSec design checks CRL time validity. The CRL time validity must match with current time of Edges for the CRL to have impact on new established connection. To implement this, ensure to update Orchestrator time properly to match with date and time of Edges.
IP Address	Displays the public IP address that public WAN links of an Edge use to connect to the Gateway. This IP address is used to uniquely identify the Gateway. If you have configured the Gateway with both IPv4 and IPv6 addresses, this field displays both the IP addresses. If you have created IPv4 only Gateway or if there is an existing IPv4 Gateway upgraded from previous versions, you can enter the IPv6 address to support the dual stack. After you save the changes, the IPv6 address is not sent to the Edges immediately. You can trigger the rebalance operation to push the IPv6 address to the customer and the associated Edges manually or the IPv6 address is sent to the Edges during the next Control Plane update. Note: Adding IPv6 address is a one-time activity and once you save the changes, you cannot modify the IP addresses. CAUTION: An incorrectly configured IPv6 address, when pushed to Edges, might lead to failure of the IPv6 tunnelling to the IPv6 Gateway. In such cases, you need to deactivate the Gateway and create a new one to activate both the IPv4 and IPv6 addresses.
Contact & Location	Displays the existing contact details. If required, you can modify the information.
NSD IP Portability	Beginning with the 6.0 Orchestrator release, selecting this option will activate NSD IP Portability for the Gateway. Portable NSD IPs allow an Operators to move NSD configurations to different Gateways in the POP without requiring the customer to reconfigure their tunnels. When the NSD Portability check box is selected, the Orchestrator fetches the following data such as SASE PoP name, NSD Virtual IPv4 Address, and NSD Virtual IPv6 Prefix currently assigned to the Gateway from the Global Services Manager (GSM) and displays it. Select Refresh POP to retrieve the current and updated data. Note: For the "NSD Portability" feature to work as designed, the Operators must ensure that the Gateways are associated with the corresponding PoPs in GSM. Figure 10. Activate NSD IP Portability Important: There are two important caveats with NSD IP Portability: NSD peers must operate as an IKE responder. In the past, some configurations would permit an initiator-only setup, but that will no longer function. Peers must allow NAT-T (NAT Traversal). The current implementation of NSD Portable IP uses NAT which is internal to the POP.
Syslog Settings	Beginning with the 4.5 release, Gateways can export NAT information via a remote syslog server or via telegraf to the desired destination.
Customer Usage	Displays the usage details of different types of Gateways assigned to the customers.
Pool Membership	Displays the details of the Gateway pools to which the current Gateway is assigned.
Partner Gateway (Advanced Handoff) Details	This section is available only if you select the Partner Gateway check box. You can configure advanced handoff settings for the Partner Gateway. For additional information, see the Partner Gateway (Advanced Handoff) Details section below.

After configuring the required details, select Save Changes.

Partner Gateway (Advanced Handoff) Details

You can configure the following advanced handoff settings for the Partner Gateway:

CAUTION: It is recommended not to push IPv6 configurations to Partner Gateways that are running with Software version earlier than 5.0.

Table 6. Partner Gateway Handoff Field Descriptions
Option	Description
Static Routes \| Subnets – Specify the subnets or routes that the Gateway should advertise to the Edge. This is global per Gateway and applies to ALL customers. With BGP, this section is used only if there is a shared subnet that all customers need to access and if NAT handoff is required. Remove the unused subnets from the Static Route list if you do not have any subnets that you need to advertise to the Edge and have the handoff of type NAT. You can select the IPv4 or IPv6 tab to configure the corresponding address type for the Subnets.
Subnets	Enter the IPv4 or IPv6 address of the Static Route Subnet that the Gateway should advertise to the Edge.
Cost	Enter the cost to apply weightage on the routes. The range is from 0 to 255.
Encrypt	Select the check box to encrypt the traffic between Edge and Gateway.
Hand off	Select the handoff type as VLAN or NAT.
Description	Optionally, enter a descriptive text for the static route.
ICMP Probes and Ping Responders Settings
ICMP Failover Probe – The Gateway uses ICMP probe to check for the reachability of a particular IP address and notifies the Edge to failover to the secondary Gateway if the IP address is not reachable. This option supports only IPv4 addresses.
VLAN Tagging	Select the VLAN tag from the drop-down list to apply to the ICMP probe packets. The following are the available options: None – Untagged 802.1q – Single VLAN tag 802.1ad / QinQ(0x8100) / QinQ(0x9100) – Dual VLAN tag
Destination IP address	Enter the IP address to be pinged.
Frequency	Enter the time interval, in seconds, to send the ping request. The range is from 1 to 60 seconds.
Threshold	Enter the number of times the ping replies can be missed to mark the routes as unreachable. The range is from 1 to 10.
ICMP Responder- Allows the Gateway to respond to the ICMP probe from the next hop router when the tunnels are up. This option supports only IPv4 addresses.
IP address	Enter the virtual IP address that will respond to the ping requests.
Mode	Select one of the following modes from the drop-down list: Conditional – Gateway responds to the ICMP request only when the service is up and when at least one tunnel is up. Always – Gateway always responds to the ICMP request from the peer.

Note: The ICMP probe parameters are optional and recommended only if you want to use ICMP to check the health of the Gateway. With BGP support on the Partner Gateway, using ICMP probe for failover and route convergence is no longer required. For additional information on configuring BGP support and handoff settings for a Partner Gateway, see Configure Hand-off Operator.

Upgrade Orchestrator for Dual Stack Support

To upgrade Orchestrator to release 5.0.0 to support dual stack, perform the following:

Upgrade Orchestrator to release 5.0.0.

Add IPv6 address in Orchestrator Shell. The following example shows a sample configuration:

vcadmin@vco:~$ cat /etc/netplan/50-cloud-init.yaml network: ethernets: eth0: addresses: [169.254.8.2/29, 'fd00:aaaa:0:1::2/64'] routes: - {metric: 1, to: 0.0.0.0/0, via: 169.254.8.1} - {metric: 1, to: '0::0/0', via: 'fd00:aaaa:0:1::1'} renderer: networkd version: 2

In the Operator portal, navigate to Administration > Operator Profiles , and select a Profile.
In the Operator Profiles page of the selected Profile, navigate to the Management Settings section and enter the IPv6 address configured in Orchestrator Shell.

Figure 11. Configure Dual Stack Support
Select Save Changes.

Configure IPv6 Address on Gateways

Ensure that the Orchestrator is running version 5.0.0 as described in Upgrade Orchestrator for Dual Stack Support.

You can provision a Gateway with both IPv4 and IPv6 addresses.

Deploy VeloCloud Gateway on AWS.
Consider the following guidelines while deploying Gateways on AWS.
- While migrating Gateways on cloud, it is recommended to destroy and create new instance of Gateways with the IPv6 option enabled.
- When a VeloCloud Gateway is freshly deployed with a AWS c5.4xlarge instance type from the AWS portal with IPv6 option selected, it is required to only use the static mode of IPv4/IPv6 address assignment on interfaces for the Gateway because VeloCloud SD-WAN does not support DHCP on the Gateway side.
Setup IPv6 Address on Gateways for a new deployment.
1. Create a Gateway pool with IP version type as IPv4 and IPv6.
2. Deploy a new Gateway with version 5.0.0. You can configure IPv4 and IPv6 addresses on public interface using netplan, if IPv6 is not available in metadata.
  The following example shows a sample configuration:
```
vcadmin@vcg2:~$ cat /etc/netplan/50-cloud-init.yaml network: ethernets: eth0: addresses: [169.254.10.2/29, 'fd00:ff01:0:1::2/64'] routes: - {metric: 1, to: 0.0.0.0/0, via: 169.254.10.1} - {metric: 1, to: '0::0/0', via: 'fd00:ff01:0:1::1'} eth1: addresses: [101.101.101.11/24] routes: - {metric: 2, to: 0.0.0.0/0, via: 101.101.101.10} eth2: addresses: [192.168.0.111/24] renderer: networkd version: 2 vcadmin@vcg2:~$
```
3. After updating the netplan, run sudo netplan apply to apply the configuration.
```
vcadmin@vcg2:~$ sudo netplan apply vcadmin@vcg2:~$
```
4. Activate the Gateway using IPv4 address of the Orchestrator. If the Orchestrator is provisioned with dual stack, you can activate the Gateway using either IPv4 or IPv6 address of the Orchestrator.
  After activating, the Orchestrator will push both the IPv4 and IPv6 information to Edges.
5. Upgrade the Software version of Edge to version 5.0.0. Once the Edges are upgraded, the Orchestrator enables options to setup IPv6-related device settings.
Setup IPv6 Address on Gateways upgraded from the previous release.
1. Upgrade the Gateways to release 5.0.0.
2. In Gateway shell, update the netplan configurations with IPv6 address. The following example shows a sample configuration:
```
vcadmin@vcg2:~$ cat /etc/netplan/50-cloud-init.yaml network: ethernets: eth0: addresses: [169.254.10.2/29, 'fd00:ff01:0:1::2/64'] routes: - {metric: 1, to: 0.0.0.0/0, via: 169.254.10.1} - {metric: 1, to: '0::0/0', via: 'fd00:ff01:0:1::1'} eth1: addresses: [101.101.101.11/24] routes: - {metric: 2, to: 0.0.0.0/0, via: 101.101.101.10} eth2: addresses: [192.168.0.111/24] renderer: networkd version: 2 vcadmin@vcg2:~$ vcadmin@vcg2:~$ sudo netplan apply vcadmin@vcg2:~$
```
3. In the Orchestrator portal, navigate to the Gateways page and select the upgraded IPv4 Gateway.
4. In the Overview page of the selected Gateway, under the Status section enter the IPv6 address configured in the Gateway Shell.
  
  For additional information, see Configure Gateways.
The Orchestrator will push the IPv6 configurations to the Edges.
Upgrade the Software version of Edge to version 5.0.0. Once the Edges are upgraded, the Orchestrator enables options to setup IPv6-related device settings.
You must rebalance Gateways at the Edge level or for the entire Enterprise Customer, for the Edges to get the IPv6 information of Gateway from Orchestrator.
For additional information, refer to the following topics:

Partner Gateways

Partner Gateway can be configured with multiple subnets, each of which can be configured with a hand-off of NAT or VLAN. Each subnet can also be configured with a relative cost and whether the traffic should be encrypted or not.

The examples below illustrate two use cases for Partner Gateways configuration.

Gateway Configuration Use Case #1

In the following illustration, a Gateway is connected over VLAN/VRF mode to a VRF that has no access to the public Internet. However, the Partner Gateway must be able to contact the Orchestrator in the public cloud, and there must be a path to reach the cloud. The Gateway can selectively NAT certain traffic (such as the IP address of an Orchestrator, or the subnets used to reach public DNS servers) even though it is operating in VLAN/VRF mode.

Figure 12. Partner Gateway Configuration Use Case Topology 1

#1- Orchestrator traffic is routed using IP addresses to NAT.
#2- Corporate Traffic is routed through subnets to VLAN/VRF.

Gateway Configuration Use Case #2

It is common for a Partner Gateway to tie into a corporate network, providing connectivity to legacy sites. This need can occur even when not all corporate sites have been converted to Aristanetwork. For this use case, it is necessary to specify traffic by subnet on the Partner Gateway. Each subnet can also be configured to encrypt network traffic.

The following illustration shows an example where only the traffic to legacy sites is encrypted. If the Gateway is already configured with a 0.0.0.0/0 subnet to allow all traffic (which is a common configuration), all that would be required is to add the private subnet for your legacy sites and mark it as encrypted.

Figure 13. Partner Gateway Configuration Use Case Topology 2

#1- Subnet (e.g., 10.0.0.0/8) defined for Legacy Sites and marked for encryption. Traffic is transmitted between Edge and Gateway over the IPsec tunnel.
#2- Remaining traffic is sent unencrypted to the Edge, and then to its final destination.

Note:

For an IPsec tunnel via Partner Gateway, the VCMP tunnel failure causes the existing flows to timeout. The expected behavior for existing flows is to remain on the current path. Any new flow will begin to go (direct) causing the tunnel to remain down.
Use application map flags mustUseGateway and dropIfPartnerGatewayDown to force or drop traffic through the Gateway until the path is restored. If these flags are not active, a flow flush is required once tunnel path is restored.

Partner Gateway Resiliency

The Partner Gateway provides resiliency by detecting failures and failing over to an alternate Partner Gateway. This includes the ability of a Partner Gateway to detect failure conditions and for the surrounding infrastructure to detect failures of the Gateway itself.

Consider the following Gateway topology:

This figure shows three distinct failure zones:

Table 7. Gateway Failure Zones
Failure Zone	Component	Description
1	Provider Edge	The Provider Edge is one instance in which failure can be detected either from the Provider Edge router pinging the Gateway, or from the Gateway to the Provider Edge router.
2	Call Controller	The Gateway should be able to ping the Provider Edge router or Call Controller to verify connectivity.
3	WAN	The Gateway should have a stateful ping responder that responds only if the WAN zone is available.

The following figure shows a typical failure scenario that occurs between the Gateway and Provider Edge router and describes the activity that occurs.

Figure 15. Partner Gateway Failure Scenario

The Partner Gateway also supports configurable route costs to allow for more flexible failure scenarios. Finally, there is an additional hand-off type required where neither NAT nor VLAN tags are applied to the packets and they are simply passed through to the Provider Edge router.

ICMP Failover Probes

This section discusses ICMP failover probes.

In order to address a failure in zones #1 or #2 of the Gateway topology diagram, the Gateway supports the optional ability to send failover probes. These probes will ping a single destination IP address at the specified frequency. If the threshold for successive missed ping replies is exceeded, the VeloCloud Gateway will mark the Gateway’s routes as unreachable. While the routes are marked as unreachable due to this probe failure state, probes continue to be sent. If the same threshold is exceeded for successive successful pings replies, the Gateway will mark the routes as reachable again.

Example Scenario

For example, consider the case in which a user has configured a frequency of two seconds and a threshold of three.

VeloCloud Edges connect to the primary Gateway. The primary Gateway marks routes as reachable.
The Primary Gateway fails to receive a reply for three successive probes (~6 seconds).
The Primary Gateway marks routes as unreachable and communicates this to all connected Edges.
Edges begin routing Gateway traffic via the alternate Gateway.
Connectivity is restored and the primary Gateway receives three successive replies from probes.
The Primary Gateway marks routes as reachable and communicates this to all connected Edges.
Edges route traffic back through the primary Gateway.

This could be used in failure scenario #1 to ping an IP address on the Provider Edge router itself. This could be used in failure scenario #2 to ping the actual Call Controller.

Stateful Ping Responder

To address a failure in zone #2 or #3 of the Partner Gateway topology diagram, the Gateway supports an optional stateful ping responder. This allows the configuration of a virtual IP address (which must be different from the interface IP address) within the Gateway that will, based on configuration, either respond to pings always ( Gateway service is running) or conditionally based on WAN connectivity (the Gateway has VPN tunnels connected).

This can be used in failure scenario #1 by having the Provider Edge router ping the ping responder, as the Gateway becoming unreachable would cause the IP SLA on the Provider Edge router to fail. This could also be used in failure scenario #3 by having the Gateway only respond if VPN tunnels are connected- this is similar to the behavior with BGP (no clients connected means no client routes).

Figure 16. ICMP Failover Probes Scenario

The Partner Gateway will respond back to the Provider Edge (PE) router ICMP request based on the IP SLA configured in the PE router. The Stateful Ping Responder PE router should be configured as shown below with proper VLAN tag information.

!IP-SLA configuration to send ICMP request to gateway virtual IP ip sla 1 icmp-echo 192.168.10.10 source-ip 192.168.10.1 vrf CUSTOMER1 threshold 1000 timeout 1000 frequency 2 ip sla schedule 1 life forever start-time now !tracking the IP SLA for its reachability track 1 ip sla 1 reachability !all the routes will reachable only when SLA probe succeeds ip route vrf CUSTOMER1 0.0.0.0 0.0.0.0 192.168.11.101 track 1 ip route vrf CUSTOMER2 0.0.0.0 0.0.0.0 192.168.12.101 track 1 ip route vrf CUSTOMER1 10.0.0.0 255.0.0.0 192.168.10.10 track 1 ip route vrf CUSTOMER2 10.0.0.0 255.0.0.0 192.168.10.10 track 1 ip route vrf CUSTOMER1 192.168.100.0 255.255.255.0 192.168.10.10 track 1

Caveats When Using NAT Hand-off Mode

When using NAT hand-off mode, consider the following caveats:

For VLAN hand-off mode, the Partner Gateway can listen on any IP if it is reachable to the PE router (including its interface IP). For NAT hand-off mode, the Partner Gateway will not respond if the ICMP request comes to its own interface (WAN) IP address.
Reverse flow is not supported in the NAT hand-off mode.

Active/Backup Subnets

This section describes how to configure active and backup subnets for a Partner Gateway.

Subnets on a Partner Gateway

Subnets configured on a Partner Gateway are input as subnets and optional descriptions. A Cost field is included to allow for weighting between routes. Lower-cost routes are preferred over higher-cost routes. The following figure shows Cost settings per subnet.

Figure 17. Cost Settings Per Subnet on a Partner Gateway

Monitor Gateways

You can monitor the status and network usage data of Gateways available in the Operator portal.

To monitor the Gateways:

In the Operator portal, select Gateway Management > Gateways .
The Gateways page displays the list of available Gateways.

Figure 18. Gateways Screen
Select Map Distribution to expand and view the locations of the Gateways in the Map. By default, this view is collapsed.
You can also select the arrows prior to each Gateways name to view more details.
The page displays the following details:
- Name – Name of the Gateways.
- Status – Current status of the Gateways. The status may be one of the following: Connected, Degraded, Never Activated, Not in Use, Offline, Out of Service, or Quiesced.
- CPU – Percentage of CPU utilization by the Gateways.
- Memory – Percentage of memory utilization by the Gateways.
- Edges – Number of Edges connected to the Gateways.
- Service State – Service state of the Gateways. The state may be one of the following: Historical, In Service, Out of Service, Pending Service, or Quiesced.
- IP Address – The IP Address of the Gateways.
- Location – Location of the Gateways.
In the Search field, enter a term to search for specific details. Select the Filter icon to filter the view by a specific criterion.
Select the CSV option to download a report of the Gateways in the CSV format.
Select the link to a Gateway to view the details of the selected Gateway.

Figure 19. View Gateway Overview

The Overview tab displays the properties, status, location, customer usage, and Gateway Pool of the selected Gateway.

Note: In the Overview tab, you can modify the Name and Description of the selected Gateway, and choose a different Service State. To configure the other options, navigate to the Gateways page in the Operator portal.
Select the Monitor tab to view the usage details of the selected Gateways.
Figure 20. Monitor Network Usage of Gateways

At the top of the page, you can choose a specific time period to view the details of the Gateway for the selected duration.
The page displays graphical representation of usage details of the following parameters for the period of selected time duration, along with the minimum, maximum, and average values.
- CPU Percentage – Percentage of usage of CPU.
- Memory Usage – Percentage of usage of memory.
- Flow Counts – Count of traffic flow.
- Over Capacity Drops – Total number of packets dropped due to over capacity since the last sync interval. Occasional drops are expected, usually caused by a large burst of traffic. However, a consistent increase in drops usually indicates a Gateway capacity issue.
- Tunnel Count – Count of tunnel sessions for both the IPv4 and IPv6 addresses.
Hover the mouse on the graphs to view additional details.

SD-WAN Gateway Migration

VeloCloud Orchestrator provides a self-service migration functionality that allows you to migrate from your existing Gateway to a new Gateway without your Operator’s support.

Gateway migration may be required in the following scenarios:

Achieve operational efficiency.
Decommission old Gateways.

Gateways are configured with specific roles. For example, a Gateway with data plane role is used to forward data plane traffic from source to destination. Similarly, a Gateway with Control Plane role is called a Super Gateway and is assigned to an Enterprise. Edges within the Enterprise are connected to the Super Gateway. Also, there is a Gateway with Secure VPN role that is used to establish an IPSec tunnel to a Non SD-WAN destination (NSD). The migration steps may vary based on the role configured for the Gateway. For additional information about the Gateway roles, see the “Configure Gateways” section in the Arista VeloCloud SD-WAN Operator Guide.

The following figure illustrates the migration process of the Secure VPN Gateway:

Figure 21. Secure VPN Gateway Migration Process

In this example, an SD-WAN Edge is connected to an NSD through a Secure VPN Gateway, VCG1. The VCG1 Gateway is planned to be decommissioned. Before decommissioning, a new Gateway, VCG2 is created. It is assigned with the same role and attached to the same Gateway pool as VCG1 so that VCG2 can be considered as a replacement to VCG1. The service state of VCG1 is changed to Quiesced. No new tunnels or NSDs can be added to VCG1. However, the existing assignments remain in VCG1. Configuration changes with respect to the IP address of VCG2 are made in the NSD, an IPSec tunnel is established between VCG2 and NSD, and the traffic is switched from VCG1 to VCG2. After confirming that VCG1 is empty, it is decommissioned.

Following is the high-level workflow of Secure VPN Gateway migration based on the User roles:

Figure 22. Secure VPN Gateway Migration Workflow

Limitations of VeloCloud Gateway Migration

Keep in mind the following limitations when you migrate your Gateways:

Self-service migration is not supported on Partner Gateways.
There will be a minimum service disruption based on the time taken to switch Non SD-WAN Destinations (NSDs) from the quiesced Gateway to the new Gateway and to rebalance the Edges connected to the quiesced Gateway.
If the NSD is configured with redundant Gateways and one of the Gateways is quiesced, the redundant Gateway cannot be the replacement Gateway for the quiesced Gateway.
During self-service migration of a quiesced Gateway, the replacement Gateway must have the same Gateway Authentication mode as the quiesced Gateway.
For a customer deploying a NSD via Gateway where BGP is configured on the NSD, if the customer migrates the NSD to a different Gateway using the Self-Service Gateway Migration feature on the Orchestrator, the BGP configurations are not migrated and all BGP sessions are dropped post-migration.
In this scenario, the existing Gateway assigned to the NSD is in a quiesced state and requires migration to another Gateway. The customer then navigates to Service Settings > Gateway Migration on the Orchestrator and initiates the Gateway Migration process to move their NSD to another Gateway. Post-migration, the BGP Local ASN & Router ID information is not populated on the new Gateway and results in NSD BGP sessions not coming up with all routes being lost and traffic using those routes is disrupted until the user manually recreates all BGP settings.

This is a Day 1 issue and while the Gateway Migration feature accounts for many critical NSD settings, the NSD's BGP settings that are not accounted for, and their loss post-migration is an expected behavior.

Workaround: The migration of a Gateway should be done in a maintenance window only. Prior to the migration, the user should document all BGP settings and be prepared to manually reconfigure these settings post-migration to minimize impact to customer users.

Quiesce Gateways

When you choose to decommission a Gateway, you must change the Gateway to Quiesced state so that no new tunnels or NSDs can be configured on the Gateway. Ensure that you have Operator Super User role to quiesce Gateways.

Before you quiesce the existing Gateway, ensure that you create a new Gateway as a replacement. Assign the new Gateway with the same role and attach it to the same Gateway pool as the existing Gateway. For instructions, see the “Configure Gateways” section in the VeloCloud SD-WAN Operator Guide. Also, review the Limitations of VeloCloud Gateway Migration before you proceed with quiescing the Gateway.

Note: Arista recommends you to use the self-service migration feature for NSD Gateway migration.

To quiesce the Gateway and enable self-service migration:

In the Operator portal, go to Gateway Management. The Gateways page lists the available Gateways.
Select the link of the Gateway that you want to quiesce. The details of the Gateway appears in the Overview tab.

Figure 23. Quiesce Gateways
In the Status section, from the Service State drop-down menu, select Quiesced.
Select the Enable Self-Service Migration check box.
From the New Gateway drop-down list, select the Gateway that you have created as a replacement to the Gateway that you are quiescing.
In the Migration Deadline date picker, select a date by when you want the Partners or direct customers to complete the migration. Ensure that the date is within 60 days from the current date.
Select Save Changes.

In the Gateways page, you can see that the Service State of the Gateway has changed to Quiesced.

Send decommission notification to Partners and direct customers who are impacted. The notification email provides the migration deadline and detailed instructions on how to migrate the Edges and NSDs from the quiesced Gateway to the new Gateway.

A notification icon is displayed for customers and Partners who have one or more Gateways that are in Quiesced service state. Also, a notification icon is displayed for Edges that are connected to a quiesced Gateway.

Note: Decommission notification email is sent only to direct customers and not to Partners’ customers.

Decommission Quiesced Gateways

Before you decommission the quiesced Gateways, ensure that there are no Edges or NSDs connected to the Gateway.

In case there are Partners or direct customers who have not yet migrated from the quiesced Gateways, follow-up with them to ensure that they migrate from the quiesced Gateway. Verify that the quiesced Gateway is empty and then decommission it.

To decommission a quiesced Gateway:

In the Operator portal, go to Gateway Management. The Gateways page lists the available Gateways.
Select the link of the Gateway that you want to decommission. The details of the Gateway appears in the Overview tab.

Figure 24. Decommission Quiesced Gateways
From the Service State drop-down list, select Out Of Service.
Select Save Changes.
Ensure that you remove the Gateway from the Gateway pool and delete the Gateway from Orchestrator.

Diagnostic Bundles for Gateways

Run diagnostics for Gateways to collect diagnostic bundles and packet capture files for troubleshooting purpose.

Request Diagnostic Bundles for Gateways
Request Packet Capture Bundle for Gateways

Request Diagnostic Bundles for Gateways

Diagnostic bundles allow users to collect all the configuration files and log files from a specific VeloCloud Gateway into a consolidated zipped file. The data available in the diagnostic bundles can be used for troubleshooting the Gateways.

As an Operator Super user and Operator Admin user, you can create, manage, download, and delete diagnostic bundles for Gateways created by both Operator and Partner users.

Note: Operator Business Specialist user and Operator IT support users can only view the generated Diagnostic bundles and download the CSV file.

To generate a new Diagnostic bundle:

In the Operator portal, select the Gateway Management tab and select Diagnostic Bundles in the left navigation pane.

The Diagnostic Bundles page appears with the existing diagnostic bundles.
To generate a new Diagnostic bundle, select Request Diagnostic Bundle.

In the Request Diagnostic Bundle dialog, configure the following details and select Submit.

Figure 25. Request Diagnostic Bundle Dialog

Table 8. Request Diagnostic Bundle Field Descriptions
Field	Description
Target	Select the target Gateway from the drop-down list. The data is collected from the selected Gateway.
Reason for Generation	Optionally, you can enter your reason for generating the bundle.
Core Limit	Select a Core Limit value from the drop-down, which is used to reduce the size of the uploaded bundle when the Internet connectivity is experiencing issues.

The Diagnostic Bundles page displays the details of the bundle being generated, along with the status.

To search a specific diagnostic bundle, enter a relevant search text in the Search box. For advanced search, select the filter icon next to the Search box to filter the results by specific criteria.

You can download the generated Diagnostic bundles to troubleshoot an Edge.
To download a generated bundle, select the link next to Complete in the Request Status column or select the bundle and select Download Bundle. The bundle is downloaded as a ZIP file.

You can send the downloaded bundle to a Arista Support representative for debugging the data.
The completed bundles get deleted automatically on the date displayed in the Cleanup Date column. You can select the link to the Cleanup Date or choose the bundle and select More > Update Cleanup Date to modify the Date.

Figure 27. Update Cleanup Date Dialog
1. In the Update Cleanup Date dialog, choose the date on which the selected Bundle would be deleted.
2. If you want to retain the Bundle, select the Keep Forever check box, so that the Bundle does not get deleted automatically.
3. To delete a bundle manually, select the bundle and select Delete.

Request Packet Capture Bundle for Gateways

The Packet Capture bundle collects the packets data of a network. These files are used in analyzing the network characteristics. You can use the data for debugging the network traffic and determining network status.

As an Operator Super user and Operator Admin user, you can create, manage, download, and delete Packet Capture (PCAP) bundles for Gateways created by both Operator and Partner users.

Note: Operator Business Specialist user and Operator IT support users can only view the generated PCAP bundles and download the CSV file.

To generate a PCAP bundle:

In the Operator portal, select the Gateway Management tab and select Diagnostic Bundles in the left navigation pane.

The Diagnostic Bundles page appears with the existing diagnostic bundles.
To generate a new PCAP bundle, select Request PCAP Bundle.

In the Request PCAP Bundle dialog, configure the following details and select Generate.

Table 9. Request PCAP Bundle Field Descriptions
Field	Description
Target	Choose the target Gateway from the drop-down list. The packets are collected from the selected Gateway.
Connectivity	Choose an Interface or an Edge ID from the drop-down list. The packets are collected on the selected Interface or Edge associated to the Gateway.
Duration	Choose the time in seconds. The packets are collected for the selected duration. The default value is 5 seconds.
Reason for Generation	Optionally, you can enter your reason for generating the bundle.
PCAP Filters	You can define PCAP filters by which you want to control the PCAP data to be generated by choosing the following options: IP1- Enter an IPv4 address, or IPv6 address, or Subnet mask. IP2- Enter an IPv4 address, or IPv6 address, or Subnet mask. IP1:Port1- Enter a Port ID associated with IP1. IP2:Port2- Enter a Port ID associated with IP2. Protocol- Select a protocol from the list. Note: If you choose to use the PCAP filtering capability then you must define at least one filter.
Advanced Filters	You can define free form filters by which you want to control the PCAP data to be generated.

The Diagnostic Bundles page displays the details of the PCAP bundle being generated, along with the status.

To download a generated bundle, select the link next to Complete in the Request Status column or select the bundle and select Download Bundle. The bundle is downloaded as a ZIP file.
The completed bundles get deleted automatically on the date displayed in the Cleanup Date column. You can select the link to the Cleanup Date or choose the bundle and select More > Update Cleanup Date to modify the Date.
To delete a bundle manually, select the bundle and select Delete.

VeloCloud SD-WAN 6.1 - Operator Guide

Manage Gateway Pools and Gateways