Manage Partner Customers
- Log in to the Orchestrator as a Partner. In the Partner portal, go to Customers & Partners > Manage Partners and from the Manage Partners page, select a Partner.
- Select Manage Partner Customers. The Manage Customers page appears.
Note: You can also navigate to this page from the Operator portal, by selecting the link under the Partner column of a corresponding Customer. However, a Partner user does not have the same privileges as an Operator.
Figure 1. Manage Partner Customers 
- You can perform the following actions:
Table 1. Partner Customers Option Descriptions

| Option | Description |
| --- | --- |
| Search | Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results. |
| New Customer | Select this option to add a new Customer. For additional information, see Create New Partner Customer. |
| Clone | Clones the existing configurations of the selected Customer. You can select any of the additional clone attributes. For additional information, see Clone a Partner Customer. |
| Delete | Deletes the selected Customers. Enter the number of selected Customers in the pop-up window and select Delete. Note: Ensure that you have removed all the Edges associated with the selected Customer, before deleting the Customer. |
| Edit Customer System Settings | Allows you to edit the system settings for the customer. For additional information, see the "Enterprise Settings" section in the VeloCloud SD-WAN Administration Guide. |
| Stage to Bastion | Select to stage a Customer to the Bastion Orchestrator. Note: Stage to Bastion and Unstage from Bastion options are available only when the Bastion Orchestrator feature is activated using the session.options.enableBastionOrchestrator system property. For additional information, see Bastion Orchestrator Configuration Guide. |

- Select More to perform the following actions:
Table 2. Additional Option Descriptions

| Option | Description |
| --- | --- |
| Unstage from Bastion | Removes a Customer from the Bastion Orchestrator. |
| Edit Customer Edge Management | Allows you to edit the Edge Management feature for the selected Customers. |
| Release from Partner | Releases the selected Customer from the Partner. |
| Send Support Email | Sends customer support messages to the selected Customer. |
| Assign Operator Profile | Adds an Operator Profile for the selected Customers. Note: This option is available only for an Enterprise with an activated Edge Image Management feature. |
| Update Edge Image Management | Activates or deactivates the Edge Image Management feature for the selected customers. |
| Update Operator Alerts | Activates or deactivates the Operator alerts for the selected Customers. |
| Update Customer Alerts | Activates or deactivates the Customer alerts for the selected Customers. |
| Export All Customers | Exports the details of all the Customers in the Operator portal to a CSV file. The default separator used is comma (,) and you can choose to replace the separator with any other special character. |
| Export Customers Edge Inventory | Exports the inventory details of all the Edges associated with all the Customers to a CSV file. The default separator used is a comma (,). |

- Following are the other options available in the Manage Customers area:
Table 3. Additional Manage Customers Option Descriptions

| Option | Description |
| --- | --- |
| Columns | Select this option and select the check boxes to view the required columns. |
| Refresh | Select this option to refresh the page. |

Create New Partner Customer
session.options.disableCreateEnterpriseProxy to True. You can use this option when Orchestrator exceeds the usage capacity.
- Log in to the Orchestrator as a Partner.
- In the Partner portal, go to Customers & Partners > Manage Partners and from the Manage Partners page, select a Partner.
- Select Manage Partner Customers. On the Manage Customers page that appears, select New Customer.
- On the New Customer page, configure the following details:
- Enter the Customer Information details in the following fields and select Next.
Note: The Next button is activated only when you enter all the mandatory details.
Figure 2. Customer Information 
Table 4. Customer Information Option Descriptions

| Option | Description |
| --- | --- |
| Company Name | Enter your company name. |
| Account Number | Enter a unique identifier for the Customer. |
| New Partner Support Access | Select the check box to allow the new Partner to view, configure, and troubleshoot the Customer's Edges. |
| SASE Support Access | This check box is selected by default, and grants access to the Arista Support to view, configure, and troubleshoot the Edges connected to the Customer. For security reasons, the Support cannot access or view the user identifiable information. |
| SASE User Management Access | Select the check box to allow the Arista Support to assist in User Management. The User Management includes options to create users, reset password, and configure other settings. In this case, the Support has access to user identifiable information. |
| Location | Enter relevant address details in the respective fields. |

- Enter the Administrative Account details in the following fields and select Next.
Note: The Next button is activated only when you enter all the mandatory details.
Figure 3. Configure Administrative Account
Table 5. Administrative Account Option Descriptions

| Option | Description |
| --- | --- |
| Username | Enter the username in email address format. |
| Password | Enter a password for the Administrator. Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page. |
| Confirm Password | Re-enter the password. |
| First Name | Enter the first name. |
| Last Name | Enter the last name. |
| Phone | Enter a valid phone number. |
| Mobile Phone | Enter a valid mobile number. |
| Contact Email | Enter the email address. The alerts on service status are sent to this email address. |

- Under Global Settings, configure the Services as per your requirement:
Figure 4. Configure Services 
Table 6. Services Option Descriptions

| Option | Description |
| --- | --- |
| Domain | Enter the domain name to be used to enable Single Sign On (SSO) authentication for the Orchestrator. This is also required to activate Edge Network Intelligence for the Customer. |
| Gateway Pool | Select an existing Gateway pool from the drop-down list. For additional information, see Manage Gateway Pools. |
| Feature Access | You can select either Role Customization or Premium Service, or both the check boxes. |
| Allow Customer to Manage Software | Select the check box if you want to allow an Enterprise Super User to manage the software images available for the Enterprise. Once selected, the Software Image field is displayed. Select Add and in the Select Software/Firmware Images pop-up window, select and assign the software/firmware images from the available list for the Enterprise. Select Done to add the selected images to the Software Image list. Note: You can remove an assigned image from an Enterprise, only if the image is not currently used by any Edge within the Enterprise. |
| Operator Profile | Select an Operator profile to be associated with the Customer from the available drop-down list. This field is not available if Allow Customer to Manage Software is selected. For additional information on Operator profiles, see the "Manage Operator Profiles" section in the Arista VeloCloud SD-WAN Operator Guide. |

Service Access: This option is available above the global settings. You can choose the services that the Customer can access along with the roles and permissions available for the selected service.
Note: This option is available only when the system property session.options.enableServiceLicenses is set as True.

- The SD-WAN service allows you to configure the following options:
Table 7. SD-WAN Service Option Descriptions

Default Edge Authentication: Choose the default option to authenticate the Edges associated with the Customer, from the drop-down list.
- Certificate Deactivated: Edge uses a pre-shared key mode of authentication.
- Certificate Acquire: This option is selected by default and instructs the Edge to acquire a certificate from the certificate authority of the Orchestrator, by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the Orchestrator and for establishment of VCMP tunnels.
Note: After acquiring the certificate, the option can be updated to Certificate Required.
- Certificate Required: Edge uses the PKI certificate. Operators can change the certificate renewal time window for Edges using the system property edge.certificate.renewal.window.

Edge Licensing: Select Add and in the Select Edge Licenses pop-up window, select and assign the Edge licenses from the available list for the Enterprise.
Note: The license types can be used on multiple Edges. It is recommended to provide your customers with access to all types of licenses to match their edition and region. For additional information, see Edge Licensing.

- Multi Cloud Service: You can select this service only when SD-WAN is selected.
- After entering all the details, select the Add Customer button. If you want to add another customer, you can select the Add another Customer check box before selecting Add Customer. The new Customer name is displayed on the Customers page. You can select the Customer name to navigate to the Enterprise portal and add configurations to the Customer.
Clone a Partner Customer
- Enterprise configuration profiles
- Enterprise network services and objects like:
- DNS services
- Private network names
- Network Segments
- Edge authentication scheme
- Address groups and Port groups
- Profile with Edge references like hubs, clusters, and so on
- Profile containing Partner Gateway References
- Cloud Security Service enabled
- Non SD-WAN Destinations
- VNF or VNF licenses
- Authentication services
- NetFlow objects like collectors or filters
- Log in to the Orchestrator as a Partner and navigate to Manage Customers.
- On the Manage Customers page, select the customer you want to clone, and then select Clone.
The Clone Customer page appears.
Figure 5. Clone Customer 
- Configure the Customer Information and Administrative Account details, and Services. For additional information, see Create New Partner Customer.
- Select Add Customer.
The new customer name is displayed on the Manage Customers page. The customer is already configured with the cloned settings. You can select the customer name to navigate to the Enterprise portal and add or modify the configurations.
Configure Partner Customers
When you create a new Customer, you are redirected to the Customer Configuration page, where you can configure the Customer settings. You can also navigate to the Configuration page by following these steps:
- Log in to the Orchestrator as a Partner.
- In the Partner portal, select a Partner Customer, and from the top header, select SD-WAN > Global Settings.
- From the left menu, select Customer Configuration.
Figure 6. Customer Configuration 
- In the Service Configuration section, under SD-WAN, select Configure to configure SD-WAN settings, and then select Update.
Figure 7. SD-WAN Configuration 
Table 8. SD-WAN Configuration Option Descriptions

Domain: Enter the domain name to be used to activate Single Sign On (SSO) authentication for the Orchestrator. This is also required to activate Edge Intelligence for the Customer.

Default Edge Authentication: Choose the default option to authenticate the Edges associated to the Customer, from the drop-down menu.
- Certificate Deactivated: Edge uses a pre-shared key mode of authentication.
- Certificate Acquire: This option is selected by default and instructs the Edge to acquire a certificate from the certificate authority of the Orchestrator, by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the Orchestrator and for establishment of VCMP tunnels.
Note: After acquiring the certificate, the option can be updated to Certificate Required.
- Certificate Required: Edge uses the PKI certificate. You can change the certificate renewal time window for Edges using the system property edge.certificate.renewal.window.

Edge Licensing: The existing Edge Licenses are displayed. Select Add to add or remove the licenses.
Note: The license types can be used on multiple Edges. It is recommended to provide your Customers with access to all types of licenses to match their edition and region. For additional information, see Edge Licensing.

Allow Customer to Manage Software: Select the check box if you want to allow an Enterprise Super User to manage the software images available for the Enterprise. For additional information, see the topic Edge Image Management in the Arista VeloCloud SD-WAN Administration Guide.

Operator Profile: Select an Operator profile to be associated with the Customer from the available drop-down menu. This field is not available if Allow Customer to Manage Software is selected. For additional information on Operator profiles, see the "Manage Operator Profiles" section in the Arista VeloCloud SD-WAN Operator Guide.

Maximum Number of Segments: Enter the maximum number of segments that can be configured. The valid range is 1 to 16. The default value is 16.

- Following are the additional configuration settings available on the Customer Configuration page:
Table 9. Additional Configuration Settings

Global User Agreement Display: Select either of the following from the drop-down menu:
- Inherit
- Override to Hide
- Override to Show
Note: This field is available only when the system property session.options.enableUserAgreements is set to True.

Feature Access: Provides access to the selected features. Select one or more check boxes from the list below to activate these features for the Partner Customer:
- Enterprise Auth: By default, only the Operator can activate or deactivate two-factor authentication for an Enterprise. When you select this check box, the Enterprise Admins can configure the two-factor authentication on their own.
- Enable Premium Service: Provides access to the available premium services. This option is selected by default.
- Role Customization: Allows an Enterprise Super user to customize the role privileges for other Enterprise users.
- Route Backtracking: Allows the device to choose the best route in the order of prefix length.
- In-product Contextual Help Panel: Provides access to the Help Panel integrated with the Orchestrator. This feature is deactivated by default. A Partner Admin must activate this option for the Partner Customers.
- Enable Firewall Logging to Orchestrator: By default, Edges cannot send their Firewall logs to the Orchestrator. Select this check box to allow an Edge to send the Firewall logs to the Orchestrator.
- Customizable QoE: Allows the Customer to configure the minimum and maximum latency threshold values for Voice, Video, and Transactional application categories of an Edge.
- Enable Classic Orchestrator UI: Allows the Customer to switch from the Angular Orchestrator UI to the Classic Orchestrator UI. This option is available only when the system property session.options.enableClassicOrchestrator is set to True.

Delegate Management To Customer: Allows the Partner Customer to modify the settings of the selected property. The following two properties are always visible to the Partner Customers:
- Enable CoS Mapping: Allows you to configure CoS mapping while configuring a business policy.
- Enable Service Rate Limiting: Allows you to rate limit services in a business policy.

Gateway Pool
Current Gateway Pool: Select the Gateway pool from the drop-down menu.
Gateways in this Pool: Displays the Gateway details in the current pool.
Partner Hand Off: Activating this option displays the Configure Hand Off section. For details, see Configure Partner Handoff.

Security Policy
Hash: By default, there is no authentication algorithm configured for the VPN header as AES-GCM is an authenticated encryption algorithm. When you select the Turn off GCM check box, you can select one of the following as the authentication algorithm for the VPN header, from the drop-down menu:
- SHA 1
- SHA 256
- SHA 384
- SHA 512
Encryption: Select either AES 128 or AES 256 as the AES algorithm's key size to encrypt data. The default encryption algorithm mode is AES 128.
DH Group: Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, 14, 15, 16, 19, 20, and 21.
Note:
- DH Groups 19, 20, and 21 are available starting from Release 5.2.0.
- It is recommended to use DH Group 14, which is the default value.
PFS: Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2, 5, 14, 15, and 16. By default, PFS is deactivated.
Turn off GCM: Select this check box to activate Hash and select an authentication algorithm for the VPN header.
IPSec SA Lifetime Time(min): Time when Internet Security Protocol (IPSec) re-keying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and maximum IPsec lifetime is 480 minutes. The default value is 480 minutes.
Note: It is not recommended to configure a low lifetime value for IPsec (less than 10 minutes), as it can cause traffic interruption in some deployments due to re-keys. The low lifetime values are for debugging purposes only.
IKE SA Lifetime(min): Time when Internet Key Exchange (IKE) re-keying is initiated for Edges. The minimum IKE lifetime is 10 minutes and maximum IKE lifetime is 1440 minutes. The default value is 1440 minutes.
Note: It is not recommended to configure low lifetime values for IKE (less than 30 minutes), as it can cause traffic interruption in some deployments due to re-keys. The low lifetime values are for debugging purposes only.
Secure Default Route Override: Select the check box so that the destination of traffic matching a secure default route (either Static Route or BGP Route) from a Partner Gateway can be overridden using Business Policy.
Note: For instructions on how to activate secure routing on an Edge, see Configure Partner Handoff. For additional information about configuring a Network Service for Business Policy rule, refer to the "Configure Network Service for Business Policy Rule" in the VeloCloud SD-WAN Administration Guide.

Edge Network Function Virtualization
Edge NFV: Select this option to activate the ability to deploy VNFs on Edges. After deploying one or more VNFs on Edges, you cannot deactivate this option.
Security VNFs: Select the relevant check boxes, to deploy the corresponding security VNFs on Edges.

SD-WAN Settings
OFC Cost Calculation: Select the required check box:
- Distributed Cost Calculation: Select this check box to delegate route cost calculation to Edges/Gateways.
Note: This option is available only for the Edges/Gateways with version 3.4.0 and later.
- Use NSD Policy: Select this check box to use NSD policy for route cost calculation to Edges/Gateways. This option is available only for the Edges/Gateways with version 4.2.0 and later.
Multiple-DSCP tags per Flow Path Calculation: Select the check box to include the DSCP value as part of flow look-up.
Note: This field is available only when the system property session.options.enableFlowParametersConfig is set to True.
Feature Access: Select Stateful Firewall or Advanced Threat Protection check box to override the corresponding settings activated on the Enterprise Edge.

- Select Save Changes.
Note: When you modify the Security Policy settings, the changes may cause interruptions to the current services. In addition, these settings may reduce overall throughput and increase the time required for VCMP tunnel setup, which may impact branch to branch dynamic tunnel setup times and recovery from Edge failure in a cluster.
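
The limits and recommendations listed for Default Edge Authentication and the Security Policy fields can be checked mechanically before a change is saved. The following Python audit is an added example, not code from the Arista documentation or an Orchestrator API: the dictionary keys (`edge_auth`, `dh_group`, `ipsec_sa_lifetime_min`, and so on) are hypothetical names chosen for this sketch, and the sample policy is constructed.

```python
from typing import Dict, List, Tuple

# Limits taken from the Security Policy rows on this page.
SUPPORTED_DH = {2, 5, 14, 15, 16, 19, 20, 21}
DH_SINCE_5_2_0 = {19, 20, 21}
RECOMMENDED_DH = 14
SUPPORTED_PFS = {2, 5, 14, 15, 16}
HASHES = {"SHA 1", "SHA 256", "SHA 384", "SHA 512"}
ENCRYPTION = {"AES 128", "AES 256"}
EDGE_AUTH = {"Certificate Deactivated", "Certificate Acquire", "Certificate Required"}
# key -> (minimum, maximum, "not recommended below"), all in minutes
LIFETIMES = {
    "ipsec_sa_lifetime_min": (3, 480, 10),
    "ike_sa_lifetime_min": (10, 1440, 30),
}

Finding = Tuple[str, str]  # (level, message); level is "error", "warn" or "info"

# Constructed sample input; every key name is hypothetical, not an Orchestrator field.
SAMPLE_POLICY = {
    "edge_auth": "Certificate Deactivated",
    "turn_off_gcm": True,
    "hash": "MD5",
    "encryption": "AES 128",
    "dh_group": 19,
    "pfs": None,
    "ipsec_sa_lifetime_min": 5,
    "ike_sa_lifetime_min": 1440,
}


def parse_release(text: str) -> Tuple[int, ...]:
    """Turn '5.2.0' into (5, 2, 0) so releases compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit(policy: Dict[str, object], release: str) -> List[Finding]:
    """Check one customer's settings; missing keys fall back to the documented defaults."""
    out: List[Finding] = []

    auth = policy.get("edge_auth", "Certificate Acquire")
    if auth not in EDGE_AUTH:
        out.append(("error", f"unknown Default Edge Authentication {auth!r}"))
    elif auth == "Certificate Deactivated":
        out.append(("warn", "Edges authenticate with a pre-shared key, not a certificate"))

    if policy.get("encryption", "AES 128") not in ENCRYPTION:
        out.append(("error", "Encryption must be AES 128 or AES 256"))

    # Hash applies only when GCM is turned off; otherwise AES-GCM authenticates the header.
    digest = policy.get("hash")
    if policy.get("turn_off_gcm", False):
        if digest not in HASHES:
            out.append(("error", f"Hash {digest!r} is not one of {sorted(HASHES)}"))
    elif digest is not None:
        out.append(("warn", "Hash is set but Turn off GCM is not selected"))

    dh = policy.get("dh_group", RECOMMENDED_DH)
    if dh not in SUPPORTED_DH:
        out.append(("error", f"DH Group {dh} is not supported"))
    elif dh in DH_SINCE_5_2_0 and parse_release(release) < (5, 2, 0):
        out.append(("error", f"DH Group {dh} requires Release 5.2.0 or later"))
    elif dh < RECOMMENDED_DH:
        out.append(("warn", f"DH Group {dh} is weaker than the recommended Group {RECOMMENDED_DH}"))

    pfs = policy.get("pfs")  # None means PFS is deactivated, which is the default
    if pfs is None:
        out.append(("info", "PFS is deactivated"))
    elif pfs not in SUPPORTED_PFS:
        out.append(("error", f"PFS level {pfs} is not supported"))

    for key, (low, high, advised) in LIFETIMES.items():
        value = policy.get(key, high)  # both documented defaults equal the maximum
        if not low <= value <= high:
            out.append(("error", f"{key}={value} is outside {low}-{high} minutes"))
        elif value < advised:
            out.append(("warn", f"{key}={value} is below {advised} minutes; re-keys can interrupt traffic"))
    return out


if __name__ == "__main__":
    for level, message in audit(SAMPLE_POLICY, "5.1.0"):
        print(f"{level.upper():5} {message}")
```
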
Configure Partner Handoff
Ensure that the Gateway to be handed off is assigned with Partner Gateway Role. In the Orchestrator portal (Operator or Partner), select Gateways and select the link to an existing Gateway. In the Properties section of the selected Gateway's Overview page, you can enable the Partner Gateway role as shown in the following screenshot.

To configure the handoff settings, perform the following steps:
- Log in to the Orchestrator as a Partner user.
- Navigate to Customers & Partners > Manage Customers.
- In the Manage Customers window, select the link of the desired customer.
- Go to Global Settings > Customer Configuration.
- In the Customer Configuration window, scroll down to Additional Configuration and expand the Gateway Pool area.
- Turn on the Partner Hand Off toggle button.
- In the Configure Hand Off area, configure the following fields:
Figure 9. Configure Partner Hand Off 
Table 10. Partner Hand Off Option Descriptions

| Option | Description |
| --- | --- |
| Configure Hand Off | By default, the hand off configuration is applied to all the Gateways. If you want to configure a specific Gateway, choose Per Gateway, and then select the Gateway from the drop-down list. |
| Segment | By default, Global Segment is selected, which means that the hand off configuration is applied to all the segments. If you want to configure a specific segment, select the segment from the drop-down menu. |
| Hand Off Interface | This section displays the values that are configured on the Configure BGP and BFD page. |
| Customer BGP Priority | Select the check box and configure the Community Mapping details. |

- At the bottom of the Per Customer Hand Off – Global Segment area, select the Configure BFD & BGP link, as shown in the following image.
Figure 10. Configure BFD and BGP Settings for Handoff Interface 
The Configure BGP and BFD screen displays.
Figure 11. Configure BGP and BFD 
- Open the General & Hand Off Tag section and turn the BGP option to the On position.
Figure 12. General & Hand Off Tag Settings 
- Scroll down to the BGP section and select the arrow to display the BGP section and configure the following settings:
Table 11. BGP Partner Hand Off Option Descriptions

Hand Off Tag
Tag Type: Choose the tag type, which is the encapsulation, in which the Gateway hands off customer traffic to the Router. The following are the types of tags available:
- None: Untagged. Choose this during single tenant hand off or a hand off towards shared services VRF.
- 802.1Q: Single VLAN tag
- 802.1ad / QinQ(0x8100) / QinQ(0x9100): Dual VLAN tag
Customer ASN: Enter the Customer Autonomous System Number.

Hand Off Interface: You can configure the following settings for IPv4 and IPv6.
Local IP Address: Enter the Local IP address for the logical Hand Off interface.
Use for Private Tunnels: Select the check box so that private WAN links connect to the private IP address of the Partner Gateway. If private WAN connectivity is activated on a Gateway, the Orchestrator audits to ensure that the local IP address is unique for each Gateway within an Enterprise.
Advertise Local IP Address via BGP: Select the check box to automatically advertise the private WAN IP of the Partner Gateway through BGP. The connectivity is provided using the existing Local IP address.

Static Routes: You can add, delete, or clone a static route.
Subnets: Enter the IP address of the Static Route Subnet that the Gateway should advertise to the Edge.
Cost: Enter the cost to apply weightage on the routes. The range is from 0 to 255.
Encrypt: Select the check box to encrypt the traffic between Edge and Gateway.
Hand off: Select the hand off type as either VLAN or NAT.
Description: Enter a descriptive text for the static route. This field is optional.

BFD: Turn the toggle button to On to activate this section.
Peer Address: Enter the IP address of the remote peer to initiate a BFD session.
Detect Multiplier: Enter the detection time multiplier. The remote transmission interval is multiplied by this value to determine the detection timer for connection loss. The range is from 3 to 50.
Receive Interval: Enter the minimum time interval, in milliseconds, at which the system can receive the control packets from the BFD peer. The range is from 300 to 60000 milliseconds.
Local Address: Enter a locally configured IP address for the peer listener. This address is used to send the packets.
Transmit Interval: Enter the minimum time interval, in milliseconds, at which the system can send the control packets from the BFD peer. The range is from 300 to 60000 milliseconds.

BGP: Turn the toggle button to On to activate this section.
Neighbor IP: Enter the IP address of the configured BGP neighbor network.
Secure BGP Routes: Select the check box to allow encryption for data-forwarding over BGP routes.
Max-hop: Enter the number of maximum hops to allow multi-hop for the BGP peers. The range for Max-hop is from 1 to 255, and the default value is 1.
Note: This field is available only for eBGP neighbors, when the local ASN and the neighboring ASN are different.
Next Hop IP: Enter the next-hop IP address to be used by BGP to reach the multi-hop BGP peer.
Note: This option is available only for multi-hop eBGP with Max-hop count greater than 1.
Neighbor-ASN: Enter the Autonomous System Number of the Neighbor network.
BGP Local IP: Local IP address is the equivalent of a loopback IP address. Enter an IP address that the BGP neighborships can use as the source IP address for the outgoing BGP packets.
Note: The BGP Local IP address must be from a different subnet than a handoff IP address. If you do not enter any value, the IP address of the Hand Off Interface is used as the source IP address.
BGP Filter List: Configure BGP filters.
BGP Inbound Filters: Assign filter to inbound.
BGP Outbound Filters: Assign filter to outbound.

BGP Optional Settings
BFD: Select the check box to subscribe to the BFD session.
Router-ID: Enter the Router ID to identify the BGP Router.
Keep Alive: Enter the BGP Keep Alive time in seconds. The default timer is 60 seconds.
Hold Timers: Enter the BGP Hold time in seconds. The default timer is 180 seconds.
Turn off AS-PATH Carry Over: Select the check box to turn off AS-PATH carry over, which influences the outbound AS-PATH to make the L3-routers prefer a path towards a PE. If you select this option, ensure to tune your network to avoid routing loops. It is recommended not to select this check box.
MD5 Auth: Select the check box to activate BGP MD5 authentication. This option is used in a legacy network or federal network, and is used as a security guard for BGP peering.
MD5 Password: Enter a password for MD5 authentication.
Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.

- If applicable, configure Route Summarization.
- Scroll down to the Route Summarization area in the BGP section.
Figure 13. Configure Route Summarization 
- Configure the Route Summarization fields, as described in the following table:
For an overview, use case, and black hole routing details for Route Summarization, see the section titled Route Summarization in the Arista VeloCloud SD-WAN Administration Guide.

Table 12. Route Summarization Option Descriptions

| Option | Description |
| --- | --- |
| +Add | Select +Add to add a new row in the Route Summarization area. Note: To add additional rows to configure Route Summarization, select +Add. To Clone or Delete a route summarization, use the appropriate buttons, located next to +Add. |
| Subnet column | Under the Subnet column, enter the IP subnet. |
| AS Set column | Generate AS set path information from the summarized routes (while advertising the summarized route to the peer). Under the AS Set column, select the Yes check box if applicable. |
| Summary Only column | Under the Summary Only column, select the Yes check box to allow only the summarized route to be sent. |

- Select Update to save the settings.
