Configuration for Route-Based NSD Via Edge

This section provides a brief overview and detailed procedures to configure route-based NSD via Edge to the VMware Cloud AWS Gateway.

Route-Based NSD Via Edge to the VMware Cloud AWS Gateway Overview

The example topology illustrates the integration of Arista VeloCloud SD-WAN and VMware Cloud on AWS, which uses IPSec connectivity between the VeloCloud Edge and the VMware Cloud Gateway.

Figure 1. Integration of Arista VeloCloud SD-WAN and VMware Cloud on AWS

This section provides step-by-step procedures on how to achieve connectivity between an SDWAN Edge and a VMware Cloud Gateway.

  1. Log into the VMware Cloud Console based on the URL for your SDDC organization (The VMware Cloud Services Login Page). On the Cloud Services Platform, select VMware Cloud on AWS.
  2. Find the Public IP used for VPN connectivity by selecting the Networking and Security tab. The VPN Public IP is displayed below the Overview pane.
    Figure 2. Overview Pane
  3. Determine the networks/subnets for traffic encryption selection (interesting traffic) and note them down. These should originate from Segments under Networking and Security in the VMware Cloud (locate them by selecting Segments under Network).
  4. Log into the SD-WAN Orchestrator and verify that the Edges are present with a green status icon displayed next to them.
    Figure 3. Network Overview
  5. Go to the Configure tab and select Network Services, and then under Non SD-WAN Destination via Edge, select the New button.
    Figure 4. Network Services
  6. Provide a name for the Non SD-WAN Destination via Edge, select the type, in this case Generic IKEv2 Router (Route Based VPN), and select Next.
    Figure 5. Service name and Type
  7. Select the Advanced button and provide the following details.
    1. Enter the Public IP of the VMC obtained in Step 2.
    2. Ensure encryption is set to AES 128.
    3. Change the DH group to 2.
    4. Enable PFS and set it to 2.
    5. Set the Auth Algorithm to SHA 1.
    6. Subnets are learned via BGP (if BGP is not configured, add the site subnets captured in Step 3 as static routes).
    7. Select Save Changes.
      Figure 6. Non SD-WAN Destinations via Edge
  8. On the left pane, select Configure > Edges.
    Figure 7. Monitor Edges
  9. Go to the Device Settings page of the Edge with which the NSD will be associated.
  10. Under the Device Settings of the Edge, complete the following steps.
    1. Under Cloud VPN and Branch to Non SD-WAN Destination via Edge, select the check box next to Enable.
    2. In the drop-down menu, select the NSD via Edge.
      Figure 8. NSD via Edge
  11. Select the Add button and update the following fields (see the image below).
    1. Select the Edge WAN link from which the NSD tunnel will be formed.
    2. Local ID type – IP address.
    3. Local ID – the public IP of the WAN link.
    4. Enter the PSK.
    5. Destination primary Public IP – VMC Gateway Public IP.
      Figure 9. Add Tunnel
  12. Activate BGP settings for an Edge, as shown in the image below.
    Figure 10. BGP Settings
  13. Select the Edit button and update the BGP parameters for the NSD neighbour.
    1. Select the configured NSD name.
    2. Select the Edge WAN link with which the NSD is associated.
    3. Configure Local ASN 65001.
    4. Neighbour IP – 169.254.32.2.
    5. Peer ASN – 65000 (VMC default ASN is 65000).
    6. Local IP – 169.254.32.1. NOTE: It is recommended to use a /30 CIDR from the 169.254.0.0/16 subnet, excluding the following VMC reserved addresses: 169.254.0.0-169.254.31.255 and 169.254.101.0-169.254.101.3.
      Figure 11. BGP Editor
  14. The tunnel should be ready on the SD-WAN Orchestrator with BGP over IPSec.
  15. Log into the VMware Cloud Console.
  16. Navigate to Networking and Security and select the VPN tab. In the VPN area, select Route Based VPN, and select Add VPN.
    Figure 12. VMC-SD-WAN
  17. Provide a name for the Route Based VPN and configure the following.
    1. Choose a name (one that starts with To_SDWAN_EDGE, so the VPN can be easily identified during troubleshooting and future support).
    2. Select the Public IP.
    3. Enter the remote Public IP. (Edge WAN link Public IP).
    4. Enter the remote Private IP – it should be the same as in Step 11c.
    5. Specify the BGP local ip.
    6. Specify the BGP remote IP.
    7. Under Tunnel Encryption, select AES 128.
    8. Under Tunnel Digest Algorithm, select SHA1.
    9. Make sure Perfect Forward Secrecy is set to Enabled.
    10. Enter the PSK, matching the PSK from Step 12d.
    11. Under IKE Encryption, select AES 128.
    12. Under IKE Digest Algorithm, select SHA 1.
    13. Under IKE Type, select IKEv2.
    14. Under Diffie Hellman, select Group 2.
    15. Select Save.
      Figure 13. Network and Security
  18. Once the configuration is complete, the tunnel is automatically activated and will proceed to negotiate the IKE Phase 1 and Phase 2 parameters with the peer, which is the VeloCloud EDGE.
    Figure 14. Route Based VPN
  19. Once the tunnel displays green, verify the NSD via Edge tunnel/BGP status in the SD-WAN Orchestrator (go to Monitor > Network Services).
    Figure 15. Network Services
    Figure 16. BGP Edge Neighbor State
  20. Start a ping from a client connected at each end towards the opposite client, and verify ping reachability. The tunnel configuration has been completed and verified.
    Figure 17. Ping Verification
    Figure 18. Verified Status
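As an added consistency check that is not part of the original procedure, the following Python (constructed sample values; the dictionary key names are illustrative, not product field names, and the PSK is a placeholder) verifies that the Edge NSD profile (Steps 7, 11 and 13) and the VMC route-based VPN (Step 17) mirror each other, and that the BGP /30 avoids the VMC reserved ranges noted in Step 13.

```python
import ipaddress

# VMC reserved link-local ranges that must not be used for BGP peering (note in Step 13).
VMC_RESERVED = [("169.254.0.0", "169.254.31.255"), ("169.254.101.0", "169.254.101.3")]
LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")

# Constructed sample of both ends as configured in the steps above. Key names are
# illustrative, not the product's own field names; the PSK is a placeholder.
EDGE_SIDE = {"ike_version": 2, "ike_enc": "AES128", "ike_auth": "SHA1", "dh_group": 2,
             "pfs": 2, "psk": "PLACEHOLDER-PSK", "local_asn": 65001, "peer_asn": 65000,
             "local_ip": "169.254.32.1", "peer_ip": "169.254.32.2"}
VMC_SIDE = {"ike_version": 2, "ike_enc": "AES128", "ike_auth": "SHA1", "dh_group": 2,
            "pfs": 2, "psk": "PLACEHOLDER-PSK", "local_asn": 65000, "peer_asn": 65001,
            "local_ip": "169.254.32.2", "peer_ip": "169.254.32.1"}

def is_vmc_reserved(ip):
    """True if ip lies inside one of the VMC reserved ranges."""
    ip = ipaddress.IPv4Address(ip)
    return any(ipaddress.IPv4Address(lo) <= ip <= ipaddress.IPv4Address(hi)
               for lo, hi in VMC_RESERVED)

def check_bgp_addresses(local_ip, peer_ip):
    """Return the problems with a /30 BGP peering pair (empty list if it is valid)."""
    problems = []
    local, peer = ipaddress.IPv4Address(local_ip), ipaddress.IPv4Address(peer_ip)
    for name, ip in (("local", local), ("peer", peer)):
        if ip not in LINK_LOCAL:
            problems.append(f"{name} IP {ip} is outside 169.254.0.0/16")
        elif is_vmc_reserved(ip):
            problems.append(f"{name} IP {ip} is in a VMC reserved range")
    # Both addresses must be the two usable hosts of the same /30.
    hosts = list(ipaddress.IPv4Network(f"{local}/30", strict=False).hosts())
    if local == peer or local not in hosts or peer not in hosts:
        problems.append(f"{local} and {peer} are not the two hosts of one /30")
    return problems

def check_peering(edge, vmc):
    """Cross-check that the Edge NSD profile and the VMC route-based VPN mirror each other."""
    problems = check_bgp_addresses(edge["local_ip"], edge["peer_ip"])
    if edge["local_ip"] != vmc["peer_ip"] or edge["peer_ip"] != vmc["local_ip"]:
        problems.append("BGP local/neighbour IPs are not mirrored between Edge and VMC")
    if edge["local_asn"] != vmc["peer_asn"] or edge["peer_asn"] != vmc["local_asn"]:
        problems.append("local/peer ASNs are not mirrored between Edge and VMC")
    # The IKE/IPsec proposal and PSK must be identical on both ends or Phase 1/2 fails.
    for key in ("ike_version", "ike_enc", "ike_auth", "dh_group", "pfs", "psk"):
        if edge[key] != vmc[key]:
            problems.append(f"{key} differs: Edge={edge[key]} VMC={vmc[key]}")
    return problems
```

An empty list from check_peering means the two sides are consistent; any entries name the field to revisit before the tunnel or BGP session is expected to come up.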