Manage Partner Customers

The Manage Partner Customers option allows you to create new Customers, configure the Customer capabilities, clone the existing configuration, and configure other Customer settings. As a Partner Super User, you can select the settings that the Partner Customer can modify.

  1. Log in to the Orchestrator as a Partner. In the Partner portal, go to Customers & Partners > Manage Partners and, from the Manage Partners page, click a Partner.
  2. Select Manage Partner Customers. The Manage Customers page appears.
    Note: You can also navigate to this page from the Operator portal by clicking the link under the Partner column of the corresponding Customer. However, a Partner user does not have the same privileges as an Operator.
    Figure 1. Managing Customers
    You can perform the following actions:
    Table 1. Customer Option Descriptions
    Option Description
    Search Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
    New Customer Click this option to add a new Customer. For more information, see Create New Partner Customer.
    Clone Clones the existing configurations of the selected Customer. You can select any of the additional clone attributes. For more information, see Clone Partner Customer.
    Delete Deletes the selected Customers. Enter the number of selected Customers in the pop-up window and click Delete.
    Note: Ensure that you have removed all the Edges associated with the selected Customer, before deleting the Customer.
    Edit Customer System Settings Allows you to edit the system settings for the customer. For more information, see the "Enterprise Settings" section in the VeloCloud SD-WAN Administration Guide.
    Stage to Bastion Click to stage a Customer to the Bastion Orchestrator.
    Note: Stage to Bastion and Unstage from Bastion options are available only when the Bastion Orchestrator feature is activated using the session.options.enableBastionOrchestrator system property.

    For additional information, see Bastion Orchestrator Configuration Guide.

  3. Select More to perform the following actions:
    Table 2. Additional Option Descriptions
    Option Description
    Unstage from Bastion Removes a Customer from the Bastion Orchestrator.
    Edit Customer Edge Management Allows you to edit the Edge Management feature for the selected Customers.
    Release from Partner Releases the selected Customer from the Partner.
    Send Support Email Sends customer support messages to the selected Customer.
    Assign Operator Profile Adds an Operator Profile for the selected Customers.
    Note: This option is available only for an Enterprise with an activated Edge Image Management feature.
    Update Edge Image Management Activates or deactivates the Edge Image Management feature for the selected customers.
    Update Operator Alerts Activates or deactivates the Operator alerts for the selected Customers.
    Update Customer Alerts Activates or deactivates the Customer alerts for the selected Customers.
    Export All Customers Exports the details of all the Customers in the Operator portal to a CSV file. The default separator used is comma (,) and you can choose to replace the separator with any other special character.
    Export Customers Edge Inventory Exports the inventory details of all the Edges associated with all the Customers to a CSV file. The default separator used is a comma (,).
  4. The following are the other options available in the Manage Customers area:
    Table 3. Manage Customers
    Option Description
    Columns Click this option and select the checkboxes to view the required columns.
    Refresh Click this option to refresh the page.

Creating a New Partner Customer

In the Partner portal of the Orchestrator, you can create new Customers and configure the Customer settings. You can temporarily deactivate the creation of new Customers by setting the system property session.options.disableCreateEnterpriseProxy to True. You can use this option when the Orchestrator exceeds the usage capacity.

  1. Log into the Orchestrator as a Partner.
  2. In the Partner portal, go to Customers & Partners > Manage Partners and from the Manage Partners page, select a Partner.
  3. Select Manage Partner Customers. On the Manage Customers page that appears, select New Customer. The New Customer page displays.
    Figure 2. Customer Information
  4. Enter the details in the following fields and select Next.
    Note: The Next button activates only after you enter all of the mandatory details.
    Table 4. New Customer Option Descriptions
    Option Description
    Company Name Enter your company name.
    Account Number Enter a unique identifier for the Customer.
    New Partner Support Access Select to allow the new Partner to view, configure, and troubleshoot the Customer's Edges.
    SASE Support Access Selected by default, and grants access to Arista Support to view, configure, and troubleshoot the Edges connected to the Customer.

    For security reasons, the Support cannot access or view the user identifiable information.

    SASE User Management Access Select the checkbox to allow the Arista Support to assist in User Management. User Management includes options to create users, reset password, and configure other settings. In this case, the Support has access to user identifiable information.
    Location Enter relevant address details in the respective fields.
  5. In the Administrative Account section:
    Figure 3. Administrative Account
  6. Enter the details in the following fields and select Next.
    Note: The Next button activates only after you enter all of the mandatory details.
    Table 5. Administrative Account
    Option Description
    Username Enter the username in email address format.
    Password Enter a password for the Administrator.
    Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.
    Confirm Password Re-enter the password.
    First Name Enter the first name.
    Last Name Enter the last name.
    Phone Enter a valid phone number.
    Mobile Phone Enter a valid mobile number.
    Contact Email Enter the email address. The alerts on service status are sent to this email address.
  7. In the Services section, configure the following global settings:
    Figure 4. Services

     

    Table 6. Services Option Descriptions
    Option Description
    Domain Enter the domain name to be used to enable Single Sign On (SSO) authentication for the Orchestrator.
    Gateway Pool Select an existing Gateway pool from the drop-down list. For more information, see Manage Gateway Pools.
    Feature Access You can select either Role Customization or Premium Service, or both.
    Allow Customer to Manage Software Select the checkbox if you want to allow an Enterprise Super User to manage the software images available for the Enterprise. Once selected, the Software Image field is displayed. Select Add and in the Select Software/Firmware Images pop-up window, select and assign the software/firmware images from the available list for the Enterprise. Select Done to add the selected images to the Software Image list.
    Note: You can remove an assigned image from an Enterprise, only if the image is not currently used by any Edge within the Enterprise.
    Operator Profile Select an Operator profile to be associated with the Customer from the available drop-down list. This field is not available if Allow Customer to Manage Software is selected. For more information on Operator profiles, see the "Manage Operator Profiles" section in the VeloCloud SD-WAN Operator Guide.
  8. In the Service Access section, select the services that the Customer can access along with the roles and permissions available for the selected service.
    Note: This option is available only when the system property session.options.enableServiceLicenses is set as True.
  9. SD-WAN- When you select this service, the following options are available:
    Table 7. Service Access Option Descriptions
    Option Description
    Default Edge Authentication Choose the default option to authenticate the Edges associated with the Customer, from the drop-down list.
    • Certificate Deactivated: Edge uses a pre-shared key mode of authentication.
    • Certificate Acquire: This option is selected by default and instructs the Edge to acquire a certificate from the certificate authority of the Orchestrator, by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the Orchestrator and for establishment of VCMP tunnels.
      Note: After acquiring the certificate, the option can be updated to Certificate Required.
    • Certificate Required: Edge uses the PKI certificate. Operators can change the certificate renewal time window for Edges using the system property edge.certificate.renewal.window.
    Edge Licensing Select Add and in the Select Edge Licenses pop-up window, select and assign the Edge licenses from the available list for the Enterprise.
    Note: The license types can be used on multiple Edges. It is recommended to provide your customers with access to all types of licenses to match their edition and region. For more information, see Edge Licensing.
  10. After entering all the details, select Add Customer. If you want to add another customer, you can select Add another Customer before selecting Add Customer. The new Customer name displays on the Customers page. You can select the Customer name to navigate to the Enterprise portal and add configurations to the Customer.

Clone a Partner Customer

Clone the configurations from an existing Partner customer and create a new Partner customer with the cloned settings.

Only Partner Super Users and Partner Standard Admins can clone a Partner customer.

By default, the following configurations clone from the selected customer:
  • Enterprise configuration profiles
  • Enterprise network services and objects such as:
    • DNS services
    • Private network names
    • Network Segments
  • Edge authentication scheme
  • Address groups and Port groups
Note: Distributed Cost Calculation does not copy to the cloned Enterprise.
You cannot clone an Enterprise if it consists of the following:
  • A profile with Edge references like hubs, clusters, and so on
  • A profile containing Partner Gateway References
  • Has Cloud Security Service enabled
  • Contains Non SD-WAN Destinations
  • Has VNF or VNF licenses
  • Configured with authentication services
  • Contains NetFlow objects like collectors or filters

Log in to the Orchestrator as a Partner and navigate to Manage Customers.

  1. In the Manage Customers page, select the customer you want to clone, and then select Clone. The Clone Customer page appears.
    Figure 5. Cloning a Customer
  2. Configure the Customer Information and Administrative Account details, and Services.
    For more information, see Create New Partner Customer.
  3. Select Add Customer. The new customer name is displayed in the Manage Customers page.
    The customer is already configured with the cloned settings. You can select the customer name to navigate to the Enterprise portal and add or modify the configurations.

Configure Partner Customers

After creating a Customer, configure the feature options and settings that the Customer can access. As a Partner Super User, you can choose the settings the Partner Customer can modify.

When you create a new Customer, you are redirected to the Customer Configuration page, where you can configure the Customer settings. You can also navigate to the Configuration page by following the below steps:

  1. Log into the Orchestrator as a Partner.
  2. In the Partner portal, select a Partner Customer, and select SD-WAN > Global Settings.
  3. From the left menu, select Customer Configuration. The following page displays:
    Figure 6. Customer Configuration
  4. The Service Configuration section includes the SD-WAN service. Select Turn On to activate the service. Select the vertical ellipsis present at the top right corner of each tile to turn off or configure the service. You can also use the Configure option present at the bottom right corner of the tile to configure the service. The tile displays the configuration summary.
    Note: When you select Turn off, a pop-up window appears asking for your confirmation. Select it, then select Turn Off Service.
  5. Selecting the Configure option displays the following window. Configure the settings, and then select Update.
    Figure 7. Configuring SD-WAN
    Table 8. Configuring SD-WAN Option Descriptions
    Option Description
    Domain Enter the domain name to be used to activate Single Sign On (SSO) authentication for the Orchestrator.
    Default Edge Authentication Choose the default option to authenticate the Edges associated with the Customer, from the drop-down menu.
    • Certificate Deactivated: Edge uses a pre-shared key mode of authentication.
    • Certificate Acquire: This option is selected by default and instructs the Edge to acquire a certificate from the certificate authority of the Orchestrator, by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the Orchestrator and for establishment of VCMP tunnels.
      Note: After acquiring the certificate, the option can be updated to Certificate Required.
    • Certificate Required: Edge uses the PKI certificate. You can change the certificate renewal time window for Edges using the system property edge.certificate.renewal.window.
    Edge Licensing Displays the existing Edge Licenses. Select Add to add or remove the licenses.
    Note: The license types can be used on multiple Edges. It is recommended to provide your Customers with access to all types of licenses to match their edition and region. For more information, see Edge Licensing.
    Allow Customer to Manage Software Select the check box if you want to allow an Enterprise Super User to manage the software images available for the Enterprise. For more information, see the topic Edge Image Management in the VeloCloud SD-WAN Administration Guide.
    Operator Profile Select an Operator profile to be associated with the Customer from the available drop-down menu. This field is not available if Allow Customer to Manage Software is selected. For more information on Operator profiles, see the "Manage Operator Profiles" section in the VeloCloud SD-WAN Operator Guide.
    Maximum Number of Segments Enter the maximum number of segments that can be configured. The valid range is 1 to 16. The default value is 16.

    Configure the following additional settings on the Customer Configuration page:

     
    Option Description
    Global
    User Agreement Display Select either of the following from the drop-down menu:
    • Inherit
    • Override to Hide
    • Override to Show
    Note:
    This field is available only when the system property session.options.enableUserAgreements is set to True.
    Feature Access Provides access to the selected features. Select one or more check boxes from the below list to activate these features for the Partner Customer:
    • Enterprise Auth- By default, only the Operator can activate or deactivate two-factor authentication for an Enterprise. When you select this check box, the Enterprise Admins can configure the two-factor authentication on their own.
    • Enable Premium Service- Provides access to the available premium services. This option is selected by default.
    • Role Customization- Allows an Enterprise Super user to customize the role privileges for other Enterprise users.
    • Route Backtracking- Allows the device to choose the best route in the order of prefix length.
    • In-product Contextual Help Panel- Provides access to the Help Panel integrated with the Orchestrator. This feature is deactivated by default. A Partner Admin must activate this option for the Partner Customers.
    • Enable Firewall Logging to Orchestrator- By default, Edges cannot send their Firewall logs to the Orchestrator. Select this check box to allow an Edge to send the Firewall logs to the Orchestrator.
    • Customizable QoE- Allows the Customer to configure the minimum and maximum latency threshold values for Voice, Video, and Transactional application categories of an Edge.
    • Enable Classic Orchestrator UI- Allows the Customer to switch from the Angular Orchestrator UI to the Classic Orchestrator UI. This option is available only when the system property session.options.enableClassicOrchestrator is set to True.
    Delegate Management To Customer Allows the Partner Customer to modify the settings of the selected property. The following two properties are always visible to the Partner Customers:
    • Enable CoS Mapping- Allows you to configure CoS mapping while configuring a business policy.
    • Enable Service Rate Limiting- Allows you to rate limit services in a business policy.
    Gateway Pool
    Current Gateway Pool Select the Gateway pool from the drop-down menu.
    Gateways in this Pool Displays the Gateway details in the current pool.
    Partner Hand Off Activating this option displays the Configure Hand Off section. For details, see Configure Partner Gateway Handoff to Production Orchestrator.
    Security Policy
    Hash By default, there is no authentication algorithm configured for the VPN header as AES-GCM is an authenticated encryption algorithm. When you select the Turn off GCM check box, you can select one of the following as the authentication algorithm for the VPN header, from the drop-down menu:
    • SHA 1
    • SHA 256
    • SHA 384
    • SHA 512
    Encryption Select either AES 128 or AES 256 as the AES algorithm's key size to encrypt data. The default encryption algorithm mode is AES 128.
    DH Group Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, 14, 15, 16, 19, 20, and 21.
    Note:
    • DH Groups 19, 20, and 21 are available starting from Release 5.2.0.
    • It is recommended to use DH Group 14, which is the default value.
    PFS Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2, 5, 14, 15, and 16. By default, PFS is deactivated.
    Turn off GCM Select this check box to activate Hash and select an authentication algorithm for the VPN header.
    IPSec SA Lifetime Time(min) Time when Internet Protocol Security (IPsec) rekeying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and the maximum IPsec lifetime is 480 minutes. The default value is 480 minutes.
    Note: It is not recommended to configure a low lifetime value for IPsec (less than 10 minutes), as it can cause traffic interruption in some deployments due to rekeys. The low lifetime values are for debugging purposes only.
    IKE SA Lifetime(min) Time when Internet Key Exchange (IKE) rekeying is initiated for Edges. The minimum IKE lifetime is 10 minutes and the maximum IKE lifetime is 1440 minutes. The default value is 1440 minutes.
    Note: It is not recommended to configure a low lifetime value for IKE (less than 30 minutes), as it can cause traffic interruption in some deployments due to rekeys. The low lifetime values are for debugging purposes only.
    Secure Default Route Override Select the check box so that the destination of traffic matching a secure default route (either Static Route or BGP Route) from a Partner Gateway can be overridden using Business Policy.
    Note: For instructions on how to activate secure routing on an Edge, refer to Configure Partner Gateway Handoff to Production Orchestrator. For more information about configuring a Network Service for Business Policy rule, refer to the "Configure Network Service for Business Policy Rule" in the VeloCloud SD-WAN Administration Guide.
    Edge Network Function Virtualization
    Edge NFV Select this option to activate the ability to deploy VNFs on Edges. After deploying one or more VNFs on Edges, you cannot deactivate this option.
    Security VNFs Select the relevant check boxes, to deploy the corresponding security VNFs on Edges.
    SD-WAN Settings
    OFC Cost Calculation Select the required check box:
    • Distributed Cost Calculation- Select this check box to delegate route cost calculation to Edges/Gateways.
      Note: This option is available only for the Edges/Gateways with version 3.4.0 and later.
    • Use NSD Policy- Select this check box to use NSD policy for route cost calculation to Edges/Gateways.
      Note: This option is available only for the Edges/Gateways with version 4.2.0 and later.
    Multiple-DSCP tags per Flow Path Calculation Select the check box to include the DSCP value as part of flow look-up.
    Note: This field is available only when the system property session.options.enableFlowParametersConfig is set to True.
    Feature Access Select Stateful Firewall or Advanced Threat Protection check box to override the corresponding settings activated on the Enterprise Edge.
  6. Select Save Changes.
    Note: When you modify the Security Policy settings, the changes may cause interruptions to the current services. In addition, these settings may reduce overall throughput and increase the time required for VCMP tunnel setup, which may impact branch to branch dynamic tunnel setup times and recovery from Edge failure in a cluster.
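The Security Policy rows above carry several interacting limits (Hash only with GCM off, release-gated DH groups, rekey lifetimes with a debugging-only floor). The following linter is an added example, not Orchestrator code; the dictionary key names are hypothetical, and requiring a hash once GCM is off is the linter's own rule.

```python
# Added example: lint a proposed Security Policy against the limits in the
# table above. Dictionary keys are hypothetical names, not Orchestrator fields.

HASHES = {"SHA 1", "SHA 256", "SHA 384", "SHA 512"}
ENCRYPTION = {"AES 128", "AES 256"}
DH_GROUPS = {2, 5, 14, 15, 16, 19, 20, 21}
DH_FROM_5_2_0 = {19, 20, 21}      # selectable starting from Release 5.2.0
PFS_LEVELS = {2, 5, 14, 15, 16}
# key: (minimum, maximum, value below which the page says "debugging only")
LIFETIMES = {
    "ipsec_sa_lifetime_min": (3, 480, 10),
    "ike_sa_lifetime_min": (10, 1440, 30),
}
# Defaults as stated in the table: GCM on (no hash), AES 128, DH 14, PFS off.
DEFAULTS = {
    "turn_off_gcm": False, "hash": None, "encryption": "AES 128",
    "dh_group": 14, "pfs": None,
    "ipsec_sa_lifetime_min": 480, "ike_sa_lifetime_min": 1440,
}


def lint_security_policy(policy, release=(5, 2, 0)):
    """Return (errors, warnings); keys missing from policy take the defaults."""
    p = {**DEFAULTS, **policy}
    errors, warnings = [], []

    if p["encryption"] not in ENCRYPTION:
        errors.append("encryption: must be AES 128 or AES 256")

    # Hash applies only with GCM off; AES-GCM already authenticates.
    if p["turn_off_gcm"]:
        if p["hash"] not in HASHES:
            # Linter's own rule: do not run without GCM and without a hash.
            errors.append("hash: GCM is off, pick an authentication algorithm")
        elif p["hash"] == "SHA 1":
            warnings.append("hash: SHA 1 is the weakest algorithm offered")
    elif p["hash"] is not None:
        errors.append("hash: selectable only when Turn off GCM is checked")

    dh = p["dh_group"]
    if dh not in DH_GROUPS:
        errors.append(f"dh_group: {dh} is not a supported group")
    elif dh in DH_FROM_5_2_0 and release < (5, 2, 0):
        errors.append(f"dh_group: {dh} needs Release 5.2.0 or later")
    elif dh < 14:
        warnings.append(f"dh_group: {dh} is weaker than recommended group 14")

    if p["pfs"] is not None and p["pfs"] not in PFS_LEVELS:
        errors.append(f"pfs: {p['pfs']} is not a supported level")

    for key, (low, high, debug_below) in LIFETIMES.items():
        value = p[key]
        if not isinstance(value, int) or not low <= value <= high:
            errors.append(f"{key}: must be {low} to {high} minutes")
        elif value < debug_below:
            warnings.append(f"{key}: under {debug_below} min is for debugging only")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: GCM disabled with SHA 1, DH group 2, short rekey timers.
    sample = {"turn_off_gcm": True, "hash": "SHA 1", "dh_group": 2,
              "ipsec_sa_lifetime_min": 5, "ike_sa_lifetime_min": 20}
    errs, warns = lint_security_policy(sample)
    for line in errs + warns:
        print(line)
```

Running the linter over a policy before selecting Save Changes catches out-of-range values without triggering the service interruption that the note above warns about.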

Configure Partner Gateway Handoff to Production Orchestrator

You can configure a Gateway to hand off to Partners. The Gateway acts as a Partner Gateway that enables you to configure the Hand off Interface, Static Routes, BGP, and other settings.

Ensure that the Gateway to hand off is assigned the Partner Gateway role. In the Orchestrator portal (Operator or Partner), select Gateways and select the link to an existing Gateway. In the Properties section of the selected Gateway Overview page, you can enable the Partner Gateway role.

Figure 8. Configuring Partner Gateway Properties

Configuring Partner Gateway Handoff

To configure the handoff settings, perform the following steps:

  1. Log into the Orchestrator as a Partner user.
  2. Navigate to Customers & Partners > Manage Customers.
  3. In the Manage Customers window, select the link of the desired customer.
  4. Go to Global Settings > Customer Configuration.
  5. In the Customer Configuration window, scroll down to Additional Configuration and expand the Gateway Pool area.
  6. Enable Partner Hand Off.
  7. In the Configure Hand Off area, configure the following fields:
    Figure 9. Configuring Hand Off
    Table 9. Hand Off Option Descriptions
    Option Description
    Configure Hand Off By default, the hand off configuration is applied to all the Gateways. If you want to configure a specific Gateway, choose Per Gateway, and then select the Gateway from the drop-down list.
    Segment By default, Global Segment is selected, which means that the hand off configuration is applied to all the segments. If you want to configure a specific segment, select the segment from the drop-down menu.
    Hand Off Interface This section displays the values that are configured on the Configure BGP and BFD page.
    Customer BGP Priority Select the check box and configure the Community Mapping details.
  8. At the bottom of the Per Customer Hand Off – Global Segment area, select the Configure BFD & BGP link.
    Figure 10. Configuring BFD and BGP

    The Configure BGP and BFD screen displays.

    Figure 11. BGP and BFD Settings
  9. Open the General & Hand Off Tag section and turn the BGP option to the On position.
    Figure 12. Enabling BGP
  10. Navigate to the BGP section and select the arrow to display the BGP section.
  11. Configure the following fields:
    Table 10. BGP Option Descriptions
    Option Description
    Hand Off Tag
    Tag Type Choose the tag type, which is the encapsulation, in which the Gateway hands off customer traffic to the Router. The following are the types of tags available:
    • None: Untagged. Choose this during single tenant hand off or a hand off towards shared services VRF.
    • 802.1Q: Single VLAN tag
    • 802.1ad / QinQ(0x8100) / QinQ(0x9100): Dual VLAN tag
    Customer ASN Enter the Customer Autonomous System Number.
    Hand Off Interface: You can configure the following settings for IPv4 and IPv6.
    Local IP Address Enter the Local IP address for the logical Hand Off interface.
    Use for Private Tunnels Select the check box so that private WAN links connect to the private IP address of the Partner Gateway. If private WAN connectivity is activated on a Gateway, the Orchestrator audits to ensure that the local IP address is unique for each Gateway within an Enterprise.
    Advertise Local IP Address via BGP Select the check box to automatically advertise the private WAN IP of the Partner Gateway through BGP. The connectivity is provided using the existing Local IP address.
    Static Routes: You can add, delete, or clone a static route.
    Subnets Enter the IP address of the Static Route Subnet that the Gateway should advertise to the Edge.
    Cost Enter the cost to apply weightage on the routes. The range is from 0 to 255.
    Encrypt Select the check box to encrypt the traffic between Edge and Gateway.
    Hand off Select the hand off type as either VLAN or NAT.
    Description Enter a descriptive text for the static route. This field is optional.
    BFD: Turn the toggle button to On to activate this section.
    Peer Address Enter the IP address of the remote peer to initiate a BFD session.
    Detect Multiplier Enter the detection time multiplier. The remote transmission interval is multiplied by this value to determine the detection timer for connection loss. The range is from 3 to 50.
    Receive Interval Enter the minimum time interval, in milliseconds, at which the system can receive the control packets from the BFD peer. The range is from 300 to 60000 milliseconds.
    Local Address Enter a locally configured IP address for the peer listener. This address is used to send the packets.
    Transmit Interval Enter the minimum time interval, in milliseconds, at which the system can send the control packets from the BFD peer. The range is from 300 to 60000 milliseconds.
    BGP: Turn the toggle button to On to activate this section.
    Neighbor IP Enter the IP address of the configured BGP neighbor network.
    Secure BGP Routes Select the check box to allow encryption for data-forwarding over BGP routes.
    Max-hop Enter the number of maximum hops to allow multi-hop for the BGP peers. The range for Max-hop is from 1 to 255, and the default value is 1.
    Note: This field is available only for eBGP neighbors, when the local ASN and the neighboring ASN are different.
    Next Hop IP Enter the next-hop IP address to be used by BGP to reach the multi-hop BGP peer.
    Note: This option is available only for multi-hop eBGP with Max-hop count greater than 1.
    Neighbor-ASN Enter the Autonomous System Number of the Neighbor network.
    BGP Local IP Local IP address is the equivalent of a loopback IP address. Enter an IP address that the BGP neighborships can use as the source IP address for the outgoing BGP packets.
    Note: The BGP Local IP address must be from a different subnet than a handoff IP address.

    If you do not enter any value, the IP address of the Hand Off Interface is used as the source IP address.

    BGP Filter List Configure BGP filters.
    BGP Inbound Filters Assign filter to inbound.
    BGP Outbound Filters Assign filter to outbound.
    BGP Optional Settings
    BFD Select the check box to subscribe to the BFD session.
    Router-ID Enter the Router ID to identify the BGP Router.
    Keep Alive Enter the BGP Keep Alive time in seconds. The default timer is 60 seconds.
    Hold Timers Enter the BGP Hold time in seconds. The default timer is 180 seconds.
    Turn off AS-PATH Carry Over Select the check box to turn off AS-PATH carry over, which influences the outbound AS-PATH to make the L3-routers prefer a path towards a PE. If you select this option, ensure that you tune your network to avoid routing loops. It is recommended not to select this check box.
    MD5 Auth Select the check box to activate BGP MD5 authentication. This option is used in a legacy network or federal network, and serves as a security safeguard for BGP peering.
    MD5 Password Enter a password for MD5 authentication.
    Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.
    Note: Route Summarization is new for the 5.2 release. For an overview, use case, and black hole routing details for Route Summarization, see the section titled, Route Summarization in the VeloCloud SD-WAN Administration Guide.
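Several rows in the BGP and BFD table depend on each other (Max-hop and Next Hop IP on eBGP, BGP Local IP on the hand-off subnet). The following pre-flight check is an added example, not Orchestrator code; the key names are hypothetical and the Hand Off Interface address is assumed to be supplied in CIDR form.

```python
# Added example: cross-field checks for the hand-off, BFD and BGP settings in
# the table above. Key names are hypothetical (not Orchestrator fields), and
# the Hand Off Interface address is assumed to be given in CIDR form.
import ipaddress

RANGES = {   # inclusive ranges stated in the table
    "static_route_cost": (0, 255),
    "bfd_detect_multiplier": (3, 50),
    "bfd_receive_interval_ms": (300, 60000),
    "bfd_transmit_interval_ms": (300, 60000),
    "bgp_max_hop": (1, 255),
}


def check_handoff(cfg):
    """Return a list of problems found in a hand-off configuration dict."""
    problems = []
    for key, (low, high) in RANGES.items():
        if key in cfg and not low <= cfg[key] <= high:
            problems.append(f"{key}: {cfg[key]} is outside {low} to {high}")

    # Max-hop above 1 is offered only for eBGP (local ASN != neighbor ASN),
    # and Next Hop IP only for multi-hop eBGP.
    max_hop = cfg.get("bgp_max_hop", 1)
    if max_hop > 1 and cfg.get("local_asn") == cfg.get("neighbor_asn"):
        problems.append("bgp_max_hop: multi-hop requires an eBGP neighbor")
    if cfg.get("bgp_next_hop_ip") and max_hop <= 1:
        problems.append("bgp_next_hop_ip: needs Max-hop greater than 1")

    # BGP Local IP must sit outside the hand-off interface's subnet.
    handoff = ipaddress.ip_interface(cfg["handoff_interface"])
    local_ip = cfg.get("bgp_local_ip")
    if local_ip and ipaddress.ip_address(local_ip) in handoff.network:
        problems.append("bgp_local_ip: must be outside " + str(handoff.network))

    # "<" is rejected in the MD5 password starting from the 4.5 release.
    if cfg.get("md5_auth") and "<" in cfg.get("md5_password", ""):
        problems.append("md5_password: must not contain '<'")
    return problems


def bgp_source_ip(cfg):
    """Source of outgoing BGP packets: BGP Local IP, else the hand-off IP."""
    handoff = ipaddress.ip_interface(cfg["handoff_interface"])
    return cfg.get("bgp_local_ip") or str(handoff.ip)


def bfd_detection_time_ms(remote_transmit_interval_ms, detect_multiplier):
    """Detection timer for connection loss, per the Detect Multiplier row."""
    return remote_transmit_interval_ms * detect_multiplier


if __name__ == "__main__":
    # Constructed sample using documentation address ranges and private ASNs.
    sample = {
        "handoff_interface": "10.10.1.1/30", "bgp_local_ip": "10.10.1.2",
        "local_asn": 65001, "neighbor_asn": 65001, "bgp_max_hop": 2,
        "bfd_detect_multiplier": 2, "md5_auth": True, "md5_password": "a<b",
    }
    for problem in check_handoff(sample):
        print(problem)
    print("BGP source:", bgp_source_ip(sample))
```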
Configuring Route Summarization
  1. Scroll down to the Route Summarization area in the BGP section.
    Figure 13. Route Summarization
  2. Configure the Route Summarization fields, as described in the table below:
    Table 11. Route Summarization Option Descriptions
    Option Description
    +Add Select +Add to add a new row in the Route Summarization area.
    Note: To add additional rows to configure Route Summarization, select +Add. To Clone or Delete a route summarization, use the appropriate buttons, located next to +Add.
    Subnet column Under the Subnet column, enter the IP subnet.
    AS Set column Generate AS set path information from the summarized routes (while advertising the summarized route to the peer). Under the AS Set column, select the Yes check box if applicable.
    Summary Only column Under the Summary Only column, select the Yes check box to allow only the summarized route to be sent.
  3. Select Update to save the settings.