Manage Customers

The Manage Customers option allows you to create new Customers, configure the Customer capabilities, clone the existing configuration, and to configure other Customer settings.

  1. In the Operator portal, navigate to Customers & Partners > Manage Customers.
    Figure 1. Displaying Manage Customers
  2. Perform the following actions:
    Table 1. Manage Customers Option Descriptions
    Option Description
    Search Enter a search term to search for the matching text across the table. Use the advanced search option to refine the search results.
    New Customer Select this option to add a new Customer. For more information, see Create New Customer.
    Clone Clones the existing configurations of the selected Customer. You can select any of the additional clone attributes. For more information, see Clone a Customer.
    Delete Deletes the selected Customers. Enter the number of selected Customers in the pop-up window, and then select Delete.
    Note: Ensure that you remove all of the Edges associated with the selected Customer before deleting the Customer.
    Edit Customer System Settings Allows editing the system settings for the customer. For more information, see the Enterprise Settings section in the VeloCloud SD-WAN Administration Guide.
    Stage to Bastion Select to stage a Customer to the Bastion Orchestrator.
    Note: Stage to Bastion and Unstage from Bastion options become available only after activating the Bastion Orchestrator feature using the session.options.enableBastionOrchestrator system property.

    For additional information, see Bastion Orchestrator Configuration Guide.

  3. Select More to perform the following actions:
    Table 2. Additional Option Descriptions
    Option Description
    Unstage from Bastion Removes a Customer from the Bastion Orchestrator.
    Edit Customer Edge Management Allows you to edit the Edge Management feature for the selected Customers.
    Transfer to Partner Assigns the selected Customer to a Partner. You can select an existing Partner from the list.
    Release from Partner Releases the selected Customer from the Partner.
    Send Support Email Sends customer support messages to the selected Customer.
    Assign Operator Profile Adds an Operator Profile for the selected Customers.
    Note: This option becomes available only for an Enterprise with an activated Edge Image Management feature.
    Update Edge Image Management Activates or deactivates the Edge Image Management feature for the selected Customers.
    Update Operator Alerts Activates or deactivates the Operator alerts for the selected Customers.
    Update Customer Alerts Activates or deactivates the Customer alerts for the selected Customers.
    Rebalance Gateways Rebalances the Gateways of Edges associated with the selected Customer.
    Export All Customers Exports the details of all the Customers in the Operator portal to a CSV file. Use the default separator (,).
    Export Customers Edge Inventory Exports the inventory details of all the Edges associated with all the Customers to a CSV file. Use the default separator (,).
  4. Following are the other options available in the Manage Customers area:
    Table 3. Manage Customers Option Descriptions
    Option Description
    Columns Select this option and select the check boxes to view the required columns.
    Refresh Select this option to refresh the page.

Creating a New Customer

In the Operator portal, you can create Customers and configure the Customer settings. Only Operator Super Users and Operator Standard Admins can create a new Customer. As an Operator Super User, you can temporarily deactivate creating new Customers by setting the system property session.options.disableCreateEnterprise to True. You can use this option when Orchestrator exceeds the usage capacity.

  1. In the Operator portal, go to Customers & Partners > Manage Customers, and then select New Customer. The New Customer page displays:
    Customer Information:
    Figure 2. Displaying Customer Information
  2. Enter the details in the following fields and select Next.
    Note: The Next button activates only when you enter all of the mandatory details.
    Table 4. New Customer Option Descriptions
    Option Description
    Company Name Enter your company name.
    Account Number Enter a unique identifier for the Customer.
    SASE Support Access This check box is selected by default and grants Arista Support access to view, configure, and troubleshoot the Edges connected to the Customer.

    For security reasons, Support cannot access or view user-identifiable information.

    SASE User Management Access Select the check box to allow Arista Support to assist in User Management. The User Management includes options to create users, reset password, and configure other settings. In this case, the Support has access to user identifiable information.
    Location Enter relevant address details in the respective fields.
  3. The Administrative Account displays:
    Figure 3. Configuring the Administrative Account
  4. Enter the details in the following fields and select Next.
    Note: The Next button activates only when you enter all of the mandatory details.
    Table 5. Administrative Account Option Descriptions
    Option Description
    Username Enter the username in email address format.
    Password Enter a password for the Administrator.
    Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.
    Confirm Password Re-enter the password.
    First Name Enter the first name.
    Last Name Enter the last name.
    Phone Enter a valid phone number.
    Mobile Phone Enter a valid mobile number.
    Contact Email Enter the email address. The alerts on service status are sent to this email address.
  5. Selecting Next displays the Services section:
    Figure 4. Configuring the Services
  6. Configure the following Global Settings:
    Table 6. Global Settings Option Descriptions
    Option Description
    Domain Enter the domain name to use when activating Single Sign On (SSO) authentication for the Orchestrator.
    Gateway Pool Select an existing Gateway pool from the list.

    For more information, see Manage Gateway Pools.

    Feature Access You can select either Role Customization or Premium Service or both.
    Allow Customer to Manage Software Select the check box to allow an Enterprise Super User to manage the software images available for the Enterprise. Once selected, the Software Image field displays. Select Add and in the Select Software/Firmware Images pop-up window, select and assign the software/firmware images from the available list for the Enterprise. Select Done to add the selected images to the Software Image list.
    Note: You can remove an assigned image from an Enterprise only if no Edges in the Enterprise currently use the image.

    For more information, see Platform and Modem Firmware and Factory Images and Software Images.

    Operator Profile Select an Operator profile to associate with the Customer from the available list. This field does not display if you select Allow Customer to Manage Software.

    For more information on Operator profiles, see Manage Operator Profiles.

  7. Service Access: Available above the Global Settings section. You can choose the services that the Customer can access along with the roles and permissions available for the selected service.
    Note: This option becomes available only when you set the system property session.options.enableServiceLicenses to True.
  8. SD-WAN: When you select this service, the following options become available:
    Table 7. Service Access Option Descriptions
    Option Description
    Default Edge Authentication Choose the default option to authenticate the Edges associated with the Customer from the list.
    • Certificate Deactivated: Edge uses a pre-shared key mode of authentication.
    • Certificate Acquire: Selected by default and instructs the Edge to acquire a certificate from the certificate authority of the Orchestrator by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the Orchestrator and for establishment of VCMP tunnels.
      Note: After acquiring the certificate, the option can be updated to Certificate Required.
    • Certificate Required: Edge uses the PKI certificate. Operators can change the certificate renewal time window for Edges using the system property edge.certificate.renewal.window.
    Edge Licensing Select Add and in the Select Edge Licenses pop-up window, select and assign the Edge licenses from the available list for the Enterprise.
    Note: The license types can be used on multiple Edges. Arista Networks recommends providing your customers with access to all types of licenses to match their edition and region.

    For more information, see Edge Licensing.

    Feature Access Select the Stateful Firewall check box to override the Stateful Firewall settings activated on the Enterprise Edge.
  9. After entering all the details, select Add Customer.
    If you want to add another customer, you can select Add another Customer before selecting Add Customer. The new Customer name displays on the Customers page. Select the Customer name to navigate to the Enterprise portal and add configurations to the Customer.

    For more information, see Configure Customers.

Cloning a Customer

Clone the configurations from an existing customer and create a new customer with the cloned settings.

Only Operator Super users and MSP Super users can clone a customer.

By default, the following configurations clone from the selected customer:
  • Enterprise configuration profiles
  • Enterprise network services and objects such as the following:
    • DNS services
    • Private network names
    • Network Segments
  • Customer capabilities
  • Edge authentication scheme
  • Address groups and Port groups
Note: Distributed Cost Calculation does not copy to the cloned Enterprise.
You cannot clone an Enterprise if it contains any of the following:
  • Profile with Edge references such as hubs and clusters
  • Profile containing Partner Gateway References
  • Cloud Security Service enabled
  • Non SD-WAN Destinations
  • VNF or VNF licenses
  • Authentication services
  • NetFlow objects like collectors or filters

Log into the VeloCloud Edge Cloud Orchestrator as an Operator user. Navigate to Customers & Partners > Manage Customers.

  1. On the Customers page, select the customer to clone, and then select Clone .
  2. The Clone Customer page displays:
    Figure 5. Cloning a Customer
  3. Configure the Customer Information and Administrative Account details, and Services. For more information, see Create New Customer.
  4. Select Add Customer.
    The new customer name displays on the Customers page. The customer has the cloned settings. You can select the customer name to navigate to the Enterprise portal and add or modify the configurations. For more information about customer configurations and settings, see Configure Customers.

Configure Customers

After creating a Customer, configure the feature options and settings that the Customer can access. As an Operator, select the settings the Customer can modify.

When you create a new Customer, the page redirects you to Customer Configuration, where you configure the Customer settings. You can also navigate to the Customer Configuration page directly from the Operator portal by following the steps below:

  1. In the monitoring and configuration options page, select a Customer, and from the top header, select SD-WAN > Global Settings.
  2. From the left menu, select Customer Configuration to display the page:
    Figure 6. Displaying Customer Configuration
  3. The Service Configuration section includes the SD-WAN service. Select Turn On to activate the service. Select the vertical ellipsis present at the top right corner of the tile to turn off or configure the service. You can also use the Configure option to configure the respective service. The tile displays the configuration summary.
    Note: When you select the Turn Off option, a pop-up window displays to confirm the action. Select Turn Off Service to confirm.

Configuring SD-WAN

Select Configure to display the SD-WAN Configuration section. Configure the settings and then select Update.
Figure 7. Configuring SD-WAN
 
Option Description
Domain Enter the domain name used to activate Single Sign On (SSO) authentication for the Orchestrator.
Default Edge Authentication Choose the default option to authenticate the Edges associated with the Customer from the menu.
  • Certificate Deactivated - Edge uses a pre-shared key mode of authentication.
  • Certificate Acquire - Selected by default and instructs the Edge to acquire a certificate from the certificate authority of the Orchestrator by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the Orchestrator and for establishment of VCMP tunnels.
    Note: After acquiring the certificate, the option can be updated to Certificate Required.
  • Certificate Required: Edge uses the PKI certificate. Operators can change the certificate renewal time window for Edges using the system property edge.certificate.renewal.window.
Edge Licensing Displays the existing Edge Licenses. Select Add to add or remove the licenses.
Note: The license types can be used on multiple Edges. Arista Networks recommends providing your Customers with access to all types of licenses to match their edition and region. For more information, see Edge Licensing.
Allow Customer to Manage Software Select the check box to allow an Enterprise Superuser to manage the software images available for the Enterprise. For more information, see the topic Edge Image Management in the VeloCloud SD-WAN Administration Guide.
Operator Profile Select an Operator profile from the menu to associate with the Customer. This field does not display if you select Allow Customer to Manage Software. For more information on Operator profiles, see Manage Operator Profiles.
Maximum Number of Segments Enter the maximum number of segments that can be configured. The valid range is 1 to 16 with a default value of 16.

Configuring Additional Settings

  1. Additional configuration settings available on the Customer Configuration page:
    Table 8. Customer Configuration Option Descriptions
    Option Description
    Global
    User Agreement Display Select one of the following from the drop-down menu:
    • Inherit
    • Override to Hide
    • Override to Show
    Note: This field displays only when you set the system property session.options.enableUserAgreements to True.
    Feature Access Provides access to the selected features. Select one or more from the list to activate these features for the Customer:
    • Enterprise Auth- By default, only the Operator can activate or deactivate two-factor authentication for an Enterprise. When you select this option, the Enterprise Admins can configure the two-factor authentication. This option also controls the activation and deactivation of Single Sign On (SSO).
    • Enable Premium Service- Selected by default. Premium Service refers to the On-Demand Remediation feature, which is a core part of SD-WAN Dynamic Multipath Optimization (DMPO). All traffic that traverses a VeloCloud Gateway uses DMPO. When selected, the Gateway applies Forward Error Correction (FEC) to customer traffic that is impacted by high levels of WAN link jitter or loss and cannot be steered to a better-quality WAN link. When not selected, traffic still traverses the VeloCloud Gateway and benefits from the other components of DMPO, such as Continuous Monitoring, Dynamic Application Steering, and Secure Traffic Transmission. However, traffic impacted by high levels of WAN link jitter or loss does not benefit from error correction by the Gateway. For more information, see the topic Dynamic Multipath Optimization (DMPO) in the VeloCloud SD-WAN Administration Guide.
    • Role Customization- Allows an Enterprise Super user to customize the role privileges for other Enterprise users.
    • Route Backtracking- Allows the device to choose the best route in the order of prefix length.
    • In-product Contextual Help Panel- Provides access to the 'In Product Help' panel integrated within the Orchestrator. This feature is deactivated by default. An Operator must activate this option for the Enterprise Customers.
    • Enable Firewall Logging to Orchestrator- By default, Edges cannot send Firewall logs to the Orchestrator. Select this option to allow an Edge to send the Firewall logs to the Orchestrator.
    • Customizable QoE- Allows the Customer to configure the minimum and maximum latency threshold values for Voice, Video, and Transactional application categories of an Edge.
    • Enable Classic Orchestrator UI- Allows the Customer to switch from the Angular Orchestrator UI to the Classic Orchestrator UI. This option becomes available only when you set the system property session.options.enableClassicOrchestrator to True.
    Delegate Management To Customer Allows the Customer to modify the settings of the selected property.
    • Enable CoS Mapping- Allows the Customer to configure CoS mapping while configuring a business policy.
    • Enable Service Rate Limiting- Allows the Customer to rate limit services in a business policy.
    Gateway Pool
    Current Gateway Pool Displays the current Gateway pool associated with the selected Customer. If required, you can select a different available Gateway pool and select Save Changes.
    Gateways in this Pool Displays the Gateway details in the current pool.
    Partner Hand Off Activating the Gateway Pool option displays the Configure Hand Off section. If the Gateways available in the Gateway pool have been assigned the Partner Gateway role, you can hand off the Gateways to Partners. For details, see Configure Partner Gateway Handoff to Production Orchestrator and Configure Partner Handoff.
    Security Policy
    Hash By default, no authentication algorithm is configured for the VPN header, as AES-GCM is an authenticated encryption algorithm. When you select Turn off GCM, you can select one of the following as the authentication algorithm for the VPN header:
    • SHA 1
    • SHA 256
    • SHA 384
    • SHA 512
    Encryption Select either AES 128 or AES 256 as the AES algorithm's key size to encrypt data. The default encryption algorithm mode is AES 128.
    DH Group Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, 14, 15, 16, 19, 20, and 21.
    Note:
    • DH Groups 19, 20, and 21 are available starting from Release 5.2.0.
    • Arista Networks recommends using DH Group 14, the default value.
    PFS Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS Groups are 2, 5, 14, 15, 16, 19, 20, and 21. PFS Groups 19, 20, and 21 are available starting in Release 5.2.0. By default, PFS is deactivated.
    Turn off GCM Select to activate Hash and select an authentication algorithm for the VPN header.
    IPSec SA Lifetime (min) Time after which Internet Protocol Security (IPsec) rekeying initiates for Edges. The minimum IPsec lifetime is 3 minutes and the maximum IPsec lifetime is 480 minutes. The default value is 480 minutes.
    Note: Arista Networks does not recommend configuring a lifetime value less than 10 minutes for IPsec as it can cause traffic interruption in some deployments due to rekeys. Use the low lifetime values for debugging purposes only.
    IKE SA Lifetime(min) Time when Internet Key Exchange (IKE) rekeying initiates for Edges. The minimum IKE lifetime is 10 minutes and maximum IKE lifetime is 1440 minutes. The default value is 1440 minutes.
    Note: Arista Networks does not recommend configuring a lifetime value of less than 30 minutes for IKE, as it can cause traffic interruption in some deployments due to rekeys. Use low lifetime values for debugging purposes only.
    Secure Default Route Override Select the option so that the destination of traffic matching a secure default route, either Static Route or BGP Route, from a Partner Gateway can be overridden using a Business Policy.
    Edge Network Function Virtualization - Allows activation of an NFV on the Edges and allows Customers to deploy third party VNFs on service ready Edge platforms. Currently, the service ready Edge platform models are 520v and 840. As an Operator User, when you activate the Edge NFV, the Customers can configure and deploy VNFs and VNF licenses from their network services.
    Edge NFV Select this option to activate the ability to deploy VNFs on Edges. After deploying one or more VNFs on Edges, you cannot deactivate this option.
    Security VNFs Select the relevant options to deploy the corresponding security VNFs on Edges. For more information, see the topic Security VNFs in the VeloCloud SD-WAN Administration Guide.
    SD-WAN Settings
    OFC Cost Calculation Select the required check box:
    • Distributed Cost Calculation: Select this check box to delegate route cost calculation to Edges/Gateways.
      Note: This option displays only for the Edges/Gateways with version 3.4.0 and later. After activating Distributed Cost Calculation, Arista Networks recommends refreshing the routes by navigating to Configure > Overlay Flow Control in the SD-WAN service of the Enterprise portal. For more information, see Configure Distributed Cost Calculation.
    • Use NSD Policy- Select this option to use NSD policy for route cost calculation to Edges/Gateways.
      Note: This option displays only for the Edges/Gateways with version 4.2.0 and later.
    Multiple-DSCP tags per Flow Path Calculation Use when the original user traffic is encapsulated in another tunnel (GRE/IPsec) and the DSCP labels are preserved in the new IP header. The feature activates path calculation for a single flow (same source/destination) with multiple DSCP tags and offers path differentiation based on the DSCP values in the flow.

    Select the Include DSCP value as part of flow lookup check box to include DSCP values as part of flow look-up and path calculation. For more information, see Configure Path Calculation with Multiple DSCP Labels per Flow.

    Note: This field becomes available only when you set the system property session.options.enableFlowParametersConfig to True.
    Feature Access
    Stateful Firewall Select Stateful Firewall to override the Stateful Firewall settings activated on the Enterprise Edge.
    Enhanced Firewall Services Select Enhanced Firewall Services to activate the Enhanced Firewall Services using the Firewall functionality in VeloCloud Edge Cloud Orchestrator.
    Note: For Enhanced Firewall Services (EFS) to work, ensure you upgrade the Edge version to 5.2.0.0.
    Note: Clearing this option only deactivates the EFS feature in the UI. To deactivate the EFS feature for an existing customer, you must first deactivate the EFS feature in the SD-WAN service of the Enterprise portal by navigating to Configure > Profiles/Edges > Firewall > Firewall Feature Control > Enhanced Security and then by clearing this check box in Global Settings.
    For more information about configuring the various Enhanced Security Services and associating to a Firewall rule, see the topic Configure Enhanced Security Services in the VeloCloud SD-WAN Administration Guide.
  2. Select Save Changes.
     
Note: When you modify the Security Policy settings, the changes may cause interruptions to the current services. In addition, these settings may reduce overall throughput and increase the time required for VCMP tunnel setup which may impact branch to branch dynamic tunnel setup times and recovery from Edge failure in a cluster.
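The Security Policy rows in the table above define ranges and dependencies between fields: Hash is selectable only after Turn off GCM, the DH and PFS groups come from a fixed set with group 14 recommended, and the IPsec and IKE SA lifetimes have hard limits plus recommended minimums. The following Go program is an added example, not VeloCloud code, that encodes those rules as a pre-flight check so a proposed policy can be reviewed before it is saved and causes the interruption the note above warns about. The struct field names and the error/warning split are assumptions for the example; the ranges, defaults and recommendations are the ones stated in the table.

```go
package main

import "fmt"

// SecurityPolicy mirrors the Security Policy fields of the Customer Configuration page.
type SecurityPolicy struct {
	TurnOffGCM         bool   // when false, AES-GCM authenticates the VPN header and Hash must stay empty
	Hash               string // "SHA 1", "SHA 256", "SHA 384" or "SHA 512"; selectable only with TurnOffGCM
	Encryption         string // "AES 128" (default) or "AES 256"
	DHGroup            int    // 2, 5, 14 (default), 15, 16, 19, 20 or 21
	PFSGroup           int    // 0 = PFS deactivated (default), otherwise the same set as DHGroup
	IPsecSALifetimeMin int    // 3..480, default 480
	IKESALifetimeMin   int    // 10..1440, default 1440
}

// Finding is one validation result: "error" blocks saving, "warning" is allowed but not recommended.
type Finding struct {
	Level, Field, Msg string
}

var (
	validHashes = map[string]bool{"SHA 1": true, "SHA 256": true, "SHA 384": true, "SHA 512": true}
	validAES    = map[string]bool{"AES 128": true, "AES 256": true}
	validGroups = map[int]bool{2: true, 5: true, 14: true, 15: true, 16: true, 19: true, 20: true, 21: true}
)

// DefaultSecurityPolicy returns the defaults documented in the table.
func DefaultSecurityPolicy() SecurityPolicy {
	return SecurityPolicy{Encryption: "AES 128", DHGroup: 14, IPsecSALifetimeMin: 480, IKESALifetimeMin: 1440}
}

// ValidateSecurityPolicy applies the ranges, dependencies and recommendations from the table.
func ValidateSecurityPolicy(p SecurityPolicy) []Finding {
	var out []Finding
	add := func(level, field, format string, a ...interface{}) {
		out = append(out, Finding{level, field, fmt.Sprintf(format, a...)})
	}
	// A separate hash is only meaningful once the authenticated encryption mode (GCM) is turned off.
	switch {
	case p.TurnOffGCM && !validHashes[p.Hash]:
		add("error", "Hash", "Turn off GCM requires SHA 1, SHA 256, SHA 384 or SHA 512, got %q", p.Hash)
	case !p.TurnOffGCM && p.Hash != "":
		add("error", "Hash", "cannot be set while AES-GCM is active; select Turn off GCM first")
	case p.TurnOffGCM:
		add("warning", "Turn off GCM", "authenticated encryption replaced by a separate %s header; expect lower throughput", p.Hash)
	}
	if !validAES[p.Encryption] {
		add("error", "Encryption", "must be AES 128 or AES 256, got %q", p.Encryption)
	}
	switch {
	case !validGroups[p.DHGroup]:
		add("error", "DH Group", "unsupported group %d", p.DHGroup)
	case p.DHGroup != 14:
		add("warning", "DH Group", "group %d selected; the recommended default is group 14", p.DHGroup)
	}
	if p.PFSGroup != 0 && !validGroups[p.PFSGroup] {
		add("error", "PFS", "unsupported PFS group %d", p.PFSGroup)
	}
	switch {
	case p.IPsecSALifetimeMin < 3 || p.IPsecSALifetimeMin > 480:
		add("error", "IPSec SA Lifetime", "%d min is outside 3..480", p.IPsecSALifetimeMin)
	case p.IPsecSALifetimeMin < 10:
		add("warning", "IPSec SA Lifetime", "%d min is below 10; rekeys this frequent can interrupt traffic (debugging only)", p.IPsecSALifetimeMin)
	}
	switch {
	case p.IKESALifetimeMin < 10 || p.IKESALifetimeMin > 1440:
		add("error", "IKE SA Lifetime", "%d min is outside 10..1440", p.IKESALifetimeMin)
	case p.IKESALifetimeMin < 30:
		add("warning", "IKE SA Lifetime", "%d min is below 30; rekeys this frequent can interrupt traffic (debugging only)", p.IKESALifetimeMin)
	}
	return out
}

// CountLevel returns how many findings have the given level.
func CountLevel(fs []Finding, level string) int {
	n := 0
	for _, f := range fs {
		if f.Level == level {
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample: GCM turned off with SHA 1, a weak DH group and debug-level lifetimes.
	p := SecurityPolicy{TurnOffGCM: true, Hash: "SHA 1", Encryption: "AES 128", DHGroup: 2, IPsecSALifetimeMin: 5, IKESALifetimeMin: 20}
	for _, f := range ValidateSecurityPolicy(p) {
		fmt.Printf("%-7s %-18s %s\n", f.Level, f.Field, f.Msg)
	}
}
```

The defaults produce no findings; the constructed sample produces four warnings and no errors, which is the point of separating the two levels: the page allows DH Group 2 and a 5-minute IPsec lifetime, but an operator reviewing the change should see why they are discouraged before the Edges rekey.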

Configuring a Handoff Operator

You can configure a Gateway to hand off to Partners. The Gateway acts as a Partner Gateway that enables you to configure the Hand off Interface, Static Routes, BGP, and other settings.

Ensure that you assign the Partner Gateway role to the Gateway that hands off to the Partner. In the Orchestrator portal (Operator or Partner), select Gateways and select the link to an existing Gateway. In the Properties section of the selected Gateway Overview page, you can enable the Partner Gateway role.

Figure 8. Displaying Gateway Overview

To configure the handoff settings, perform the following steps:

  1. Log in to the Orchestrator as an Operator user.
  2. Navigate to Customers & Partners > Manage Customers.
  3. In the Manage Customers window, select the link of the desired customer.
  4. Go to Global Settings > Customer Configuration.
  5. In Customer Configuration, navigate to Additional Configuration and expand the Gateway Pool area.
  6. Enable Partner Hand Off.
  7. In Configure Hand Off, configure the following fields:
    Figure 9. Configuring Hand Off
    Table 9. Hand Off Option Descriptions
    Option Description
    Configure Hand Off By default, the hand off configuration applies to all the Gateways. If you want to configure a specific Gateway, choose Per Gateway, and then select the Gateway from the list.
    Segment By default, Global Segment is selected, which means that the hand off configuration applies to all of the segments. If you want to configure a specific segment, select the segment from the menu.
    Hand Off Interface This section displays the values configured on the Configure BGP and BFD page.
    Customer BGP Priority Select the check box and configure the Community Mapping details.
  8. At the bottom of the Per Customer Hand Off – Global Segment area, select the Configure BFD & BGP link.
    Figure 10. Per Customer Handoff with Global Segment
  9. Configure BGP and BFD displays:
    Figure 11. Configuring BGP and BFD
  10. Open the General & Hand Off Tag section and enable the BGP option.
    Figure 12. Enabling BGP
  11. Scroll down to the BGP section and select the arrow to display the BGP section.
  12. Configure the following fields:
    Table 10. BGP Option Descriptions
    Option Description
    Hand Off Tag
    Tag Type Choose the tag type for the encapsulation the Gateway uses when it hands off customer traffic to the router. Select from the following available tag types:
    • None- Untagged. Select this option during single tenant hand off or a hand off towards shared services VRF.
    • 802.1Q- Single VLAN tag
    • 802.1ad / QinQ(0x8100) / QinQ(0x9100)- Dual VLAN tag
    Customer ASN Enter the Customer Autonomous System Number.
    Hand Off Interface - You can configure the following settings for IPv4 and IPv6.
    Local IP Address Enter the Local IP address for the logical Hand Off interface.
    Use for Private Tunnels Select this option so that private WAN links connect to the private IP address of the Partner Gateway. If you activate private WAN connectivity on a Gateway, the Orchestrator audits to ensure that the local IP address has a unique value for each Gateway within an Enterprise.
    Advertise Local IP Address via BGP Select to automatically advertise the private WAN IP of the Partner Gateway through BGP. The connectivity is provided using the existing Local IP address.
    Static Routes - You can add, delete, or clone a static route.
    Subnets Enter the IP address of the Static Route Subnet the Gateway should advertise to the Edge.
    Cost Enter the cost, from 0 to 255, to apply weighting on the routes.
    Encrypt Select to encrypt the traffic between Edge and Gateway.
    Hand off Select the hand off type as either VLAN or NAT.
    Description Optionally, enter a descriptive text for the static route.
    BFD - Enable to configure the following settings:
    Peer Address Enter the IP address of the remote peer to initiate a BFD session.
    Detect Multiplier Enter the detection time multiplier, from 3 to 50. It multiplies the remote transmission interval to determine the detection timer for connection loss.
    Receive Interval Enter the minimum time interval in milliseconds, from 300 to 60000, at which the system can receive the control packets from the BFD peer.
    Local Address Enter a locally configured IP address for the peer listener to send the packets.
    Transmit Interval Enter the minimum time interval in milliseconds, from 300 to 60000, at which the system can send control packets to the BFD peer.
    BGP - Enable this option to configure the following:
    Neighbor IP Enter the IP address of the configured BGP neighbor network.
    Secure BGP Routes Select to allow encryption for data-forwarding over BGP routes.
    Max-hop Enter the maximum number of hops to allow multi-hop for the BGP peers. The range is 1 to 255, with a default value of 1.
    Note: Available only for eBGP neighbors, when the local ASN and the neighboring ASN have different values.
    Next Hop IP Enter the next-hop IP address used by BGP to reach the multi-hop BGP peer.
    Note: This option becomes available only for a multi-hop eBGP with a Max-hop count greater than 1.
    Neighbor-ASN Enter the Autonomous System Number of the Neighbor network.
    BGP Local IP Add a local IP address to use as the loopback IP address. Enter an IP address that the BGP neighborships can use as the source IP address for the outgoing BGP packets.
    Note: The BGP Local IP address must be from a different subnet than a handoff IP address.

    If you do not enter any value, the configuration uses the IP address of the Hand Off Interface as the source IP address.

    BGP Filter List Configure BGP filters.
    BGP Inbound Filters Assign filter to inbound.
    BGP Outbound Filters Assign filter to outbound.
    BGP Optional Settings
    BFD Select to subscribe to the BFD session.
    Router-ID Enter the Router ID to identify the BGP Router.
    Keep Alive Enter the BGP Keep Alive time in seconds, with a default timer of 60 seconds.
    Hold Timers Enter the BGP Hold time in seconds with a default timer of 180 seconds.
    Turn off AS-PATH Carry Over Select to turn off AS-PATH carry over, which influences the outbound AS-PATH to enforce the L3 router's preference for a path towards a PE. If you select this option, ensure that you tune your network to avoid routing loops. It is recommended not to select this check box.
    MD5 Auth Select to activate BGP MD5 authentication. Used in legacy or federal networks to protect BGP peering.
    MD5 Password Enter a password for MD5 authentication.
    Note: Starting from the 4.5 release, Orchestrator no longer supports the use of the special character "<" in the password. In cases where users have already used "<" in passwords in previous releases, they must remove it to save any changes on the page.
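The Hand Off, BFD and BGP fields in the table above carry numeric ranges (Detect Multiplier 3 to 50, intervals 300 to 60000 ms, Max-hop 1 to 255) and dependencies between fields (Max-hop only for eBGP, Next Hop IP only when Max-hop is above 1, BGP Local IP in a different subnet from the hand off IP, no "<" in the MD5 password). The following Go program is an added example, not VeloCloud code, that validates a hand off configuration against those rules and computes the BFD detection time that the Detect Multiplier row describes. The struct field names, the LocalASN field and the hold-timer-versus-keepalive check (an RFC 4271 rule, not stated on this page) are assumptions for the example; the sample values are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// HandOffBGP holds the BFD and BGP fields of the Configure BGP and BFD page. Names follow the
// table; LocalASN (the Gateway's own ASN) is an assumption, not a field shown on the page.
type HandOffBGP struct {
	HandOffPrefix string // Local IP Address of the hand off interface with its mask, e.g. "10.0.0.2/30"
	NeighborIP    string
	LocalASN      uint32
	NeighborASN   uint32
	MaxHop        int    // 1..255, default 1; eBGP only
	NextHopIP     string // required, and only allowed, when MaxHop > 1
	BGPLocalIP    string // optional loopback; must not lie in the hand off subnet
	KeepAliveSec  int    // default 60
	HoldTimeSec   int    // default 180
	MD5Auth       bool
	MD5Password   string
	BFD           bool
	DetectMult    int // 3..50
	RxIntervalMs  int // 300..60000
	TxIntervalMs  int // 300..60000
}

func inRange(v, lo, hi int) bool { return v >= lo && v <= hi }

// ValidateHandOff applies the ranges and field dependencies documented in the table and
// returns blocking errors and non-blocking warnings separately.
func ValidateHandOff(c HandOffBGP) (errs, warns []string) {
	bad := func(f string, a ...interface{}) { errs = append(errs, fmt.Sprintf(f, a...)) }
	iface, err := netip.ParsePrefix(c.HandOffPrefix)
	if err != nil {
		bad("Local IP Address: %v", err)
	}
	if _, err := netip.ParseAddr(c.NeighborIP); err != nil {
		bad("Neighbor IP: %v", err)
	}
	ebgp := c.LocalASN != c.NeighborASN
	switch {
	case !inRange(c.MaxHop, 1, 255):
		bad("Max-hop %d outside 1..255", c.MaxHop)
	case c.MaxHop > 1 && !ebgp:
		bad("Max-hop is available only for eBGP neighbors (local and neighbor ASN differ)")
	case c.MaxHop > 1 && c.NextHopIP == "":
		bad("Next Hop IP is required for multi-hop eBGP")
	case c.MaxHop == 1 && c.NextHopIP != "":
		bad("Next Hop IP is available only when Max-hop is greater than 1")
	}
	if lo, err := netip.ParseAddr(c.BGPLocalIP); c.BGPLocalIP != "" && err != nil {
		bad("BGP Local IP: %v", err)
	} else if err == nil && iface.IsValid() && iface.Contains(lo) {
		bad("BGP Local IP %s must be from a different subnet than the hand off IP %s", lo, iface)
	}
	// RFC 4271: the hold time must exceed the keepalive interval (general BGP rule, not on the page).
	if c.HoldTimeSec <= c.KeepAliveSec {
		bad("Hold Timer %ds must be greater than Keep Alive %ds", c.HoldTimeSec, c.KeepAliveSec)
	}
	if c.MD5Auth && c.MD5Password == "" {
		bad("MD5 Auth is selected but MD5 Password is empty")
	} else if c.MD5Auth && strings.Contains(c.MD5Password, "<") {
		bad("MD5 Password: the character \"<\" is not supported from release 4.5")
	}
	if !c.BFD {
		warns = append(warns, fmt.Sprintf("BFD is off; loss of the peer is noticed only after the %ds Hold Timer expires", c.HoldTimeSec))
		return errs, warns
	}
	if !inRange(c.DetectMult, 3, 50) {
		bad("Detect Multiplier %d outside 3..50", c.DetectMult)
	}
	if !inRange(c.RxIntervalMs, 300, 60000) {
		bad("Receive Interval %d ms outside 300..60000", c.RxIntervalMs)
	}
	if !inRange(c.TxIntervalMs, 300, 60000) {
		bad("Transmit Interval %d ms outside 300..60000", c.TxIntervalMs)
	}
	return errs, warns
}

// BFDDetectionTimeMs is the time after which a silent peer is declared down: the Detect
// Multiplier times the interval in use, i.e. the greater of the local Receive Interval and the
// peer's Transmit Interval (the interval negotiation defined in RFC 5880).
func BFDDetectionTimeMs(detectMult, localRxMs, peerTxMs int) int {
	if peerTxMs > localRxMs {
		return detectMult * peerTxMs
	}
	return detectMult * localRxMs
}

func main() {
	// Constructed sample: iBGP with multi-hop, a loopback inside the hand off /30, and a BFD multiplier below 3.
	c := HandOffBGP{HandOffPrefix: "10.0.0.2/30", NeighborIP: "10.0.0.1", LocalASN: 65000, NeighborASN: 65000,
		MaxHop: 3, BGPLocalIP: "10.0.0.3", KeepAliveSec: 60, HoldTimeSec: 180, BFD: true, DetectMult: 2, RxIntervalMs: 300, TxIntervalMs: 300}
	errs, warns := ValidateHandOff(c)
	fmt.Println("errors:", errs, "warnings:", warns)
}
```

With the page's minimum values (multiplier 3, 300 ms intervals) a dead peer is detected after 900 ms, whereas without BFD the session survives until the 180-second hold timer expires; that gap is why the example emits a warning rather than silence when BFD is left off.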

Configuring Route Summarization

Route Summarization is new for the 5.2 release. For an overview, use case, and black hole routing details for Route Summarization, see the section titled Route Summarization in the VeloCloud SD-WAN Administration Guide. For Route Summarization configuration details, follow the steps below:
  1. Navigate to the Route Summarization area in the BGP section.
    Figure 13. Configuring Route Summarization
  2. Configure the Route Summarization fields:
    Table 11. Route Summarization Option Descriptions
    Option Description
    +Add Select +Add to add a new row in the Route Summarization area.
    Note: To add additional rows to configure Route Summarization, select +Add. To Clone or Delete a route summarization, select the appropriate option located next to +Add.
    Subnet column Under the Subnet column, enter the IP subnet.
    AS Set column Generate AS set path information from the summarized routes while advertising the summarized route to the peer. Under the AS Set column, select Yes if applicable.
    Summary Only column Under the Summary Only column, select Yes to allow sending of only the summarized route.

  3. Select Update to save the settings.
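The following is an added example, not code from the Orchestrator or from this guide, that works through what the three Route Summarization columns change in the routes advertised to a peer. The learned routes are constructed sample data, and the semantics encoded (the summary is generated only when a contributing route exists, AS Set unions the contributing AS paths into an AS_SET, Summary Only suppresses the more-specific routes) are the standard BGP aggregate semantics assumed for illustration, not a description of the Edge's implementation.

```python
from ipaddress import ip_network
from typing import List, Tuple

# Advertised route: (prefix, AS_SEQUENCE, AS_SET). Learned routes carry an empty AS_SET.
Route = Tuple[str, List[int], List[int]]

# Constructed sample of routes learned by an Edge; not taken from any real network.
LEARNED_ROUTES: List[Route] = [
    ("10.1.0.0/24", [65001], []),
    ("10.1.1.0/24", [65001, 65002], []),
    ("10.1.2.0/24", [65003], []),
    ("192.168.50.0/24", [65004], []),
]


def summarize(routes: List[Route], subnet: str, as_set: bool, summary_only: bool) -> List[Route]:
    """Return what is advertised to the BGP peer after applying one Route Summarization row.

    Assumed (standard BGP aggregate) semantics, used here for illustration only:
      - the summary is generated only when at least one learned route falls inside it
      - AS Set = Yes attaches an AS_SET holding every AS from the contributing paths, so a
        peer whose AS appears in that set still detects the loop during AS_PATH checking
      - Summary Only = Yes suppresses the contributing more-specific routes
    """
    summary = ip_network(subnet)
    contributing = [r for r in routes if ip_network(r[0]).subnet_of(summary)]
    others = [r for r in routes if not ip_network(r[0]).subnet_of(summary)]

    if not contributing:
        # Nothing to summarize: the peer sees the unchanged table.
        return list(routes)

    # The summary is originated locally, so its AS_SEQUENCE is empty; the speaker prepends
    # its own AS on export exactly as it does for any locally originated route.
    summary_as_set = (
        sorted({asn for _, seq, aset in contributing for asn in seq + aset}) if as_set else []
    )
    advertised: List[Route] = [(str(summary), [], summary_as_set)]
    if not summary_only:
        advertised.extend(contributing)
    advertised.extend(others)
    return advertised


if __name__ == "__main__":
    for as_set_flag, summary_only_flag in ((False, False), (True, True)):
        print(f"AS Set={as_set_flag}, Summary Only={summary_only_flag}:")
        for prefix, seq, aset in summarize(LEARNED_ROUTES, "10.1.0.0/22", as_set_flag, summary_only_flag):
            print(f"  {prefix:18} AS_SEQUENCE={seq} AS_SET={aset}")
```

Running it with both flags set to Yes collapses the three 10.1.x.0/24 routes into a single 10.1.0.0/22 carrying AS_SET {65001, 65002, 65003}; with both set to No the peer receives the summary plus every more-specific route. The AS_SET is what keeps loop detection working once the more-specifics are hidden, which is why the table above ties it to advertising the summarized route to the peer.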

Configure Distributed Cost Calculation

By default, the Orchestrator actively learns the dynamic routes. VeloCloud SD-WAN Edges and Gateways rely on the Orchestrator to calculate initial route preferences and return them to the Edge and Gateway. The Distributed Cost Calculation feature enables you to distribute the route cost calculation to the Edges and Gateways. Only an Operator user can configure Customer settings, including Distributed Cost Calculation.

Ensure the following before you activate the Distributed Cost Calculation feature.
  • All the Edges and Gateways must use software version 3.4.0 or later.
  • The software image associated with the Operator Profile must use version 3.4.0 or later.
Note: If experiencing an issue with Orchestrator-based route calculation, enable Distributed Cost Calculation.
This default method of using Orchestrator in both dynamic route calculation and the distribution of those routes to Edges and Gateways has the following limitations:
  • If the Orchestrator has a high load of network traffic, the route convergence time becomes significantly higher, for example as much as 40 seconds for 2000+ routes, because the Orchestrator takes that time to calculate the preference for all the synchronized routes and to return those preferences to the Edges and Gateways.
  • Using the Orchestrator for route calculation means that new dynamic routes learned while the Orchestrator is unreachable are not advertised until the Orchestrator becomes reachable again.

When a customer enterprise uses Distributed Cost Calculation, the Orchestrator is no longer actively involved in the route preference calculation. Instead, the Edge and Gateway insert routes in the correct order immediately after learning them and then convey these preferences to the Orchestrator.

When you enable Distributed Cost Calculation for the Edges and Gateways, the feature provides the following benefits:
  • Minimizes the impact on route learning when an Orchestrator becomes unreachable.
  • Reduces route convergence time from minutes to seconds in large networks with thousands of dynamic routes.
  • Significantly reduces network delays.
  • Provides instantaneous Data Plane convergence.
  • Supports enhanced re-ordering and pinning of routes on the Overlay Flow Control.
  • Provides an option to refresh routes in the Overlay Flow Control page. Whenever changes occur in the Overlay Flow Control policy, the Refresh Routes option applies the changes to the existing routes immediately, without the need to restart the Edge or Gateway.
Enabling Distributed Cost Calculation has the following impacts on the Customer Enterprise network:
  • All the local dynamic routes are refreshed, and the preference and advertise action of these routes are updated. This updated information is advertised to the Gateway, the Orchestrator, and eventually across the Enterprise. The customer's network completely rebuilds the route table, which for most customer deployments takes less than 5 seconds. A large scale customer deployment, such as one with 100,000+ routes, may take up to 2 minutes. While the route table rebuilds, customer traffic at all sites is affected.
  • Any existing flow using these routes can potentially be affected due to the change in the routing entries.
Note: Arista Networks recommends enabling Distributed Cost Calculation in a maintenance window to minimize the impact on the Customer Enterprise.

To configure Distributed Cost Calculation for a customer, use the following steps:

  1. On the Operator portal, navigate to Manage Customers.
  2. Select a customer and either select Edit Customer System Settings or select the link to the customer.
  3. In the Enterprise portal, go to Global Settings > Customer Configuration.
    Figure 14. Configuring Distributed Cost Calculation
  4. On the Customer Configuration page, navigate to the Additional Configuration > SD-WAN Settings > OFC Cost Calculation section and configure the following:
    • Select Distributed Cost Calculation to delegate the cost calculation of routes to Edges and Gateways.
    • Select Use NSD Policy to use the Non SD-WAN Destination policy for route cost calculation of Edges and Gateways. Only available for Edges and Gateways running Software version 4.3.0 or later.
  5. Select Save Changes.
    Note: After enabling Distributed Cost Calculation, it is recommended to refresh the routes in the Overlay Flow Control page in the SD-WAN service of the Enterprise portal.
    Note: When an Enterprise has Distributed Cost Calculation activated and a user deactivates the software update in the Operator Profile page, the user must ensure that, in the future, no Edges in the Enterprise downgrade to software image versions lower than 3.4.0. If one or more Edges in the Enterprise use a software image version below 3.4.0, the Enterprise traffic may take a sub-optimal path. The sub-optimal path is corrected only when the Edge upgrades to 3.4.0 or a later version.
    The following scenarios describe how the software version may change; in each case the user must make sure the Edges use software image version 3.4.0 or later:
    • Factory Reset - When an Edge is reset to factory settings, its software is restored to the factory image version, which can be below 3.4.0.
    • Edge Activation - When an Edge is activated, it may come up with a software version below 3.4.0.

    Once Distributed Cost Calculation is activated, all the dynamic routes receive new preferences and advertise actions based on the Distributed Cost Calculation, and the new information propagates across the Enterprise Network.

    The Orchestrator is no longer actively involved in the route preference calculation. Instead, the Edge and Gateway insert the routes in the correct order immediately after learning them and then convey these preferences to the Orchestrator.

    The Overlay Flow Control policy updates when the Edges and Gateways in the Control Plane Configuration update. Edges and Gateways send the routes with the computed cost and advertise action to the Orchestrator, and they order the routes based on the cost and route attributes.

    To view a summary of all the routes in your network, select Configure > Overlay Flow Control in the SD-WAN service of the Enterprise portal. You can view the routes and advertise action in the Overlay Flow Control page. For more information, see the topic Overlay Flow Control in the VeloCloud SD-WAN Administration Guide.
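The prerequisite list at the start of this section and the Factory Reset and Edge Activation scenarios in the note above both come down to one pre-flight question: does every Edge, Gateway and the Operator Profile image meet 3.4.0 (and 4.3.0 when Use NSD Policy is wanted)? The following is an added example of that check, not code from the Orchestrator or from this guide. The inventory dictionary, device names and versions are constructed assumptions standing in for data an operator would read from the Orchestrator; the thresholds are the ones stated on this page.

```python
from typing import Dict, List, Tuple

# Prerequisites stated on this page.
MIN_DCC_VERSION = (3, 4, 0)   # all Edges, Gateways and the Operator Profile image
MIN_NSD_VERSION = (4, 3, 0)   # additionally required for "Use NSD Policy"


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '3.4.0' into (3, 4, 0) so that comparison is numeric.

    Comparing the raw strings would be wrong: '3.10.0' sorts before '3.4.0' lexically,
    which would let an Edge on a later release be flagged and an older one slip through.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised software version: {text!r}")
    return tuple(int(p) for p in parts)


def readiness_check(inventory: Dict[str, str], profile_image: str,
                    use_nsd_policy: bool = False) -> Dict[str, List[str]]:
    """Return the blockers for activating Distributed Cost Calculation.

    inventory maps device name -> running software version and profile_image is the
    image version on the Operator Profile. Both are hypothetical inputs an operator
    fills from the Orchestrator; this function fetches nothing itself.
    An empty result means there is no version blocker and activation can be scheduled
    (in a maintenance window, as the note above recommends).
    """
    blockers: Dict[str, List[str]] = {
        "device_below_3.4.0": [],
        "device_below_4.3.0_for_nsd_policy": [],
        "profile_image_below_3.4.0": [],
    }
    for name in sorted(inventory):
        version = parse_version(inventory[name])
        if version < MIN_DCC_VERSION:
            blockers["device_below_3.4.0"].append(name)
        elif use_nsd_policy and version < MIN_NSD_VERSION:
            blockers["device_below_4.3.0_for_nsd_policy"].append(name)
    if parse_version(profile_image) < MIN_DCC_VERSION:
        blockers["profile_image_below_3.4.0"].append(profile_image)
    return {key: names for key, names in blockers.items() if names}


# Constructed inventory: one branch Edge is still on its factory image after a reset,
# the case the note above warns about. These names and versions are illustrative only.
SAMPLE_INVENTORY = {
    "edge-hq": "4.3.1",
    "edge-branch-1": "4.2.0",
    "edge-branch-2": "3.3.2",
    "gateway-1": "4.3.1",
}


if __name__ == "__main__":
    for nsd in (False, True):
        print(f"use_nsd_policy={nsd}: {readiness_check(SAMPLE_INVENTORY, '4.3.1', nsd) or 'no blockers'}")
```

Re-run the check after any factory reset or new activation, since both can bring an Edge back below 3.4.0 even when the Enterprise as a whole was compliant when the feature was turned on.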

Configure Path Calculation with Multiple DSCP Labels per Flow

By default, an Edge classifies a traffic flow based on the first packets in the flow. You can create business policies that match applications based on Differentiated Services Code Point (DSCP) and use different DSCP markings to determine the flow treatment.

Business Policy and QoS marking determine the flow treatment. Once the flow is classified, an entry holding the five-tuple information of the flow is created in the flow cache table. Subsequent packets in the flow are matched by a five-tuple lookup against the flow cache table.

Network topologies in which Layer 3 network devices encapsulate and/or encrypt the traffic before it arrives at the Edge make it difficult for the Edge to forward traffic based on the Business Policy. The Layer 3 encapsulation/encryption device multiplexes the traffic from the end users into a single flow with the same source and destination IP addresses and protocol, as illustrated in the following image.

Figure 15. Traffic Flow

Multiplexing end-user flows into a single tunnel polarizes flow forwarding: the five-tuple lookup in the flow cache table sees only one flow, so some WAN links are not utilized.

The Path Calculation with Multiple DSCP Labels per Flow allows the DSCP value to be included, in addition to the five tuples, as part of the flow cache table lookup. Use the path calculation with multiple DSCP tags when the original user traffic is encapsulated in another tunnel, such as GRE or IPsec, and the new IP header preserves the DSCP labels. This option enables path calculation for a single flow with multiple DSCP labels (that is, a flow with the same source and destination IP addresses) and offers path differentiation based on the DSCP labels in the flow.

When you enable the Multiple-DSCP tags per Flow Path Calculation, the Edges can differentiate the traffic flows based on the DSCP marked labels.
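To make the flow cache behaviour above concrete, the following added example (not code from the Edge or from this guide) simulates the lookup key with and without the DSCP value over a constructed GRE tunnel carrying three users' sessions. The packets, WAN link names and the round-robin link assignment are all assumptions made for illustration; the real Edge chooses paths by Business Policy and link quality, and only the key-construction part reflects what this section describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int   # IP protocol number: 47 = GRE, 50 = ESP
    sport: int   # 0 when the protocol has no ports
    dport: int
    dscp: int    # 6-bit DSCP from the outer IP header, preserved by the encapsulator


# Constructed traffic: an upstream L3 device has wrapped three users' sessions into one
# GRE tunnel, so every packet shares the same outer addresses and protocol and only the
# preserved DSCP marking tells them apart. Not a capture from any real network.
TUNNEL_PACKETS: List[Packet] = [
    Packet("203.0.113.10", "198.51.100.20", 47, 0, 0, 46),  # EF (voice)
    Packet("203.0.113.10", "198.51.100.20", 47, 0, 0, 34),  # AF41 (video)
    Packet("203.0.113.10", "198.51.100.20", 47, 0, 0, 0),   # best effort
    Packet("203.0.113.10", "198.51.100.20", 47, 0, 0, 46),  # EF again: a cache hit
]


def flow_key(pkt: Packet, include_dscp: bool) -> Tuple:
    """Five-tuple lookup key, extended with the DSCP value when the option is enabled."""
    key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    return key + (pkt.dscp,) if include_dscp else key


def build_flow_cache(packets: List[Packet], include_dscp: bool,
                     wan_links: List[str]) -> Dict[Tuple, Dict]:
    """Simulate the flow cache table.

    The first packet of a key creates the entry and pins it to a WAN link; later packets
    hit the entry and inherit its link. Links are handed out round-robin per new flow,
    a simplification (assumed here, not the Edge's algorithm) that makes the
    polarization effect visible.
    """
    cache: Dict[Tuple, Dict] = {}
    for pkt in packets:
        key = flow_key(pkt, include_dscp)
        if key not in cache:
            cache[key] = {"link": wan_links[len(cache) % len(wan_links)], "packets": 0}
        cache[key]["packets"] += 1
    return cache


def links_in_use(packets: List[Packet], include_dscp: bool, wan_links: List[str]) -> Set[str]:
    """WAN links that end up carrying at least one flow."""
    return {entry["link"] for entry in build_flow_cache(packets, include_dscp, wan_links).values()}


if __name__ == "__main__":
    links = ["wan1", "wan2"]
    for include in (False, True):
        cache = build_flow_cache(TUNNEL_PACKETS, include, links)
        print(f"include_dscp={include}: {len(cache)} flow(s), "
              f"links used: {sorted(links_in_use(TUNNEL_PACKETS, include, links))}")
```

With the five-tuple key alone, all four packets collapse into one cache entry and one WAN link; with the DSCP value in the key, the voice, video and best-effort traffic become three flows and both links carry traffic, which is the differentiation the option provides. Keep in mind the note in the steps below: once DSCP is part of the lookup, interoperability with previous versions is undefined.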

To enable Multiple-DSCP tags per Flow Path Calculation, use the following steps:

  1. In the Operator portal, select Orchestrator > System Properties.
  2. Select New.
  3. In the New System Property window, create a system property with the following parameters:
    • Name: session.options.enableFlowParametersConfig
    • Data Type: Boolean
    • Value: True
  4. Select Save Changes.
  5. On the Operator portal, navigate to Global Settings > Customer Configuration.
  6. On the Customer Configuration page, go to the additional configuration settings section, and then under SD-WAN settings, select Include DSCP value as part of flow lookup for Multiple-DSCP tags per Flow Path Calculation.
    Note: This option becomes available only when you set the system property session.options.enableFlowParametersConfig to True.
  7. Select Save Changes.
  8. In the Edges, different DSCP labels create different flows.
    Note: When you select Include DSCP value as part of flow lookup, the inter-operability with previous versions becomes undefined.

    While configuring the business policy for an Edge, select matching a DSCP label for an application. For more information, see the topic Configure Business Policy Rule in the VeloCloud SD-WAN Administration Guide.

    When traffic arrives at the Edge, if the traffic flow matches with the selected application and DSCP tag, then the Edge performs the corresponding action.

    You can create more business policies with different DSCP labels to match with different traffic flows and apply different treatments for those flows. For more information on business policies, see the VeloCloud SD-WAN Administration Guide.

    Limitations

    • The path calculation with multiple DSCP labels per Flow does not apply to the Gateways. You can enable this option only for Edge-to-Edge tunnels where Edge-to-Edge can be any of the following:
      • Edge-to-Edge through Hub
      • Spoke-to-Hub
      • Dynamic Branch-to-Branch
      You can use this option for On-Premise deployments in which the Gateway provides only control plane functionality and does not carry data plane traffic.
    • The path calculation with multiple DSCP labels per Flow is intended only for GRE or IPSec traffic. The direct Internet traffic does not carry multiple DSCP labels within a single flow.
    • After you enable the path calculation option, when the traffic flow consists of packets with same five-tuple information but different DSCP markings, LAN side NAT might not work as expected.