This section provides an overview of configuring SD-WAN Edge in a two-arm configuration.
To configure the SD-WAN Edge in a two-arm configuration:
- Configure and activate Hub 1
- Configure and activate the Silver 1 site
- Enable branch-to-hub tunnel (Silver 1 to Hub 1)
- Configure and activate Bronze 1 site
- Configure and activate Hub 2
- Configure and activate Silver 2 site
The following sections describe the steps in more detail.
Configure and Activate Hub 1
This step helps you understand the typical workflow of how to bring up SD-WAN Edge at the hub location. SD-WAN Edge is deployed with two interfaces (one interface for each WAN link).
You will use the Virtual Edge as a hub. Below is an example of the wiring and IP address information.
Configure and Activate Hub 1 SD-WAN Edge to Reach the Internet
Because this is the data center/hub site, it is unlikely that the SD-WAN Edge can get its WAN IP using DHCP. Thus, you will need to first enable the SD-WAN Edge to connect to the Internet through the data center firewall so that SD-WAN Edge can be activated.
- Configure a PC with a static IP 192.168.2.100/24 and gateway 192.168.2.1 which is the default LAN setting for accessing a SD-WAN Edge. Connect the PC to the SD-WAN Edge LAN interface.
- From the PC, browse to http://192.168.2.1 (the local Web interface of the SD-WAN Edge). Click the link review the configuration.
- Configure the GE2 static WAN IP and default gateway of the SD-WAN Edge so that it can reach the Internet.
Click Save and provide login/password of admin/admin.
Typically at the data center/hub site, the static IP address will be assigned to you and the enterprise IT admin will configure the firewall to translate the SD-WAN Edge WAN IP to a Public IP and also filter the appropriate traffic (outbound: TCP/443, inbound: UDP/2426, UDP/500, UDP/4500).
- At this point, the Internet status should show Connected.
After configuration of the SD-WAN Edge static WAN IP address and associated firewall configuration is complete, the SD-WAN Edge Internet status shows "Connected".
Enable the Virtual SD-WAN Edge in Default Profile
- Login to the SD-WAN Orchestrator.
- The default VPN profile allows the activation of the SD-WAN Edge 500.
Activate Hub 1 SD-WAN Edge
- Go to Configure > Edges and add a new SD-WAN Edge. Specify the correct model and the profile (we use the Quick Start VPN Profile).
- Go to the hub SD-WAN Edge (DC1-VCE) and follow the normal activation process. If you already have the email feature set up, an activation email will be sent to that email address. Otherwise, you can go to the device setting page to get the activation URL.
- Copy the activation URL and paste that to the browser on the PC connected to the SD-WAN Edge or just click on the activation URL from the PC browser.
- Click on Activate button.
- Now the DC1-VCE data center hub should be up. Go to Monitor > Edges. Click the Edge Overview tab. The public WAN link capacity is detected along with the correct public IP 220.127.116.11 and ISP.
- Go to Configure > Edges and select DC1-VCE. Go to the Device tab and scroll down to the Interface Settings.
You will see that the registration process notifies the SD-WAN Orchestrator of the static WAN IP address and gateway that was configured through the local UI. The configuration on the VMware will be updated accordingly.
- Scroll down to the WAN Settings section. The Link Type should be automatically identified as Public Wired.
Configure the Private WAN Link on Hub 1 SD-WAN Edge
- Configure the private MPLS Edge WAN interface directly from the SD-WAN Orchestrator. Go to Configure -> Edges and choose DC1-VCE. Go to the Device tab and scroll down to the Interface Settings section. Configure static IP on GE3 as 172.31.2.1/24 and default gateway of 172.31.2.2. Under WAN Overlay, select User Defined Overlay. This will allow us to define a WAN link manually in the next step.
- Under WAN Settings, click the Add User Defined WAN Overlay button (see the following screen capture).
- Define the WAN overlay for the MPLS path. Select the Link Type as Private and specify the next-hop IP (172.31.2.2) of the WAN link in the IP Address field. Choose the GE3 as the interface. Click the Advanced button.
Tip: The hub site normally has more bandwidth than the branches. If we choose the bandwidth to be auto-discovered, the hub site will run a bandwidth test with its first peer, e.g. the first branch that comes up, and will end up discovering an incorrect WAN bandwidth. For the hub site, you should always define the WAN bandwidth manually, and that is done in the advanced settings.
- The private WAN bandwidth is specified in advanced settings. The screen shot below shows an example of 5 Mbps upstream and downstream bandwidth for a symmetric MPLS link at the hub.
- Validate that the WAN link is configured and save the changes.
You are done with configuring the SD-WAN Edge on the hub. You will not see the User Defined MPLS overlay that you just added until you enable a branch SD-WAN Edge.
(Optional) Configure the LAN Interface with Management IP
- Go to Configure > Edges and select DC1-VCE.
- Navigate to the Device tab and scroll down to the VLAN Settings section.
- Click Edit and configure the IP address of the interface.
Configure Static Route to LAN Network Behind L3 Switch
Add a static route to the 172.30.0.0/24 subnet through the L3 switch. You need to specify the interface GE3 to use for routing to the next hop. Make sure you enable the Advertise checkbox so other SD-WAN Edges can learn about this subnet behind L3 switch (see the following screen capture).
Configure and Activate Silver 1 Site
This step helps you understand the typical workflow of how to insert the SD-WAN Edge at a Silver site. The SD-WAN Edge is inserted off-path and relies on the L3 switch to redirect traffic to it. Below is an example of the wiring and IP address information.
Activate the Silver 1 Site Branch SD-WAN Edge
In this example, we assume that the SD-WAN Edge gets its public IP address using DHCP, so there is no configuration required. SD-WAN Edge ships with default configuration to use DHCP on all routed interfaces.
- Create a new Edge SILVER1-DCEand select the appropriate Model and configuration profile (see image below).
- Activate this SD-WAN Edge by connecting a PC to its LAN or Wi-Fi.
- The SD-WAN Edge should now be active in the SD-WAN Orchestrator with one public link. We can now configure the private WAN link.
Configure the Private WAN Link on the Silver 1 Site SD-WAN Edge
At this point, we need to build the IP connectivity from the SD-WAN Edge towards the L3 switch.
- Go to Configure > Edges, select the SILVER1-VCE and go to the Device tab and scroll down to the Interface Settings section. Configure static IP on GE3 as 10.12.1.1/24 and default gateway of 10.12.1.2. Under WAN Overlay, select User Defined Overlay. This will allow us to define a WAN link manually in the next step.
- Under the WAN Settings section, click Add User Defined WAN Overlay.
- Define the WAN overlay for the MPLS path. Select the Link Type as Private. Specify the next-hop IP (10.12.1.2) of the WAN link in the IP Address field. Choose the GE3 as the Interface. Click the Advanced button. Tip: Since the hub has already been set up, it is OK to auto-discover the bandwidth. This branch will run a bandwidth test with the hub to discover its link bandwidth.
- Set the Bandwidth Measurement to Measure Bandwidth. This will cause the branch SD-WAN Edge to run a bandwidth test with the hub SD-WAN Edge just like what happens when it connects to the SD-WAN Gateway.
- Validate that the WAN link is configured and save the changes (see the following screen capture).
(Optional) Configure the LAN Interface with Management IP
- Go to Configure > Edges, select SILVER1-VCE. Navigate to the Device tab and scroll down to the VLAN Settings section. Click Edit. Configure the IP address of the LAN and Management interfaces.
Configure Static Route to LAN Network Behind L3 Switch
Enable Branch to Hub Tunnel (Silver 1 to Hub 1)
This step helps you build the overlay tunnel from the branch into hub. Note that at this point, you may see that the link is up but this is the tunnel to the SD-WAN Gateway over the Internet path and not the tunnel to the hub. We will need to enable Cloud VPN to enable the tunnel from the branch to the hub to be established.
You are now ready to build the tunnel from the branch into the hub.
Enable Cloud VPN and Edge to SD-WAN Hub tunnel
- Step 1:Go to the Configure > Profiles, select Quick Start VPN Profile and go to the Device tab. Enable the Cloud VPN and do the following.
- Under Branch to Hubs, check the Enable checkbox.
- Under Branch to Branch VPN, check the Enable checkbox.
- Under Branch to Branch VPN, uncheck the Use Cloud Gateways checkbox. Doing this will disable the data plane through the SD-WAN Gateway for Branch to Branch VPN. The Branch to Branch traffic will first go through one of the hubs (in the ordered list which you will specify next) while the direct Branch to Branch tunnel is being established.
- At this point, the direct tunnel between the branch and the hub SD-WAN Edges should come up. The debug command will now also show the direct tunnel between the branch and the hub. The below example is from the SILVER1-VCE. Note that the additional tunnels to 18.104.22.168 and 172.31.2.1. These are the direct tunnels to the hub SD-WAN Edge (GE2 over public Internet and GE3 over private link).
Configure and Activate Bronze 1 Site
This step helps create a Bronze site--a dual Internet site with one DIA and one broadband. Below is an example of the wiring and IP address information. The BRONZE1-VCE SD-WAN Edge LAN and activate the SD-WAN Edge. There is no configuration required on the WAN because it uses DHCP for both WAN interfaces.
Configure and Activate Hub 2
Configure the Hub 2 SD-WAN Edge to Reach the Internet
- Connect a PC to the SD-WAN Edge and use the browser to point to http://192.168.2.1.
- Configure the hub SD-WAN Edge to reach the Internet by configuring the first WAN interface, GE2.
Add the Hub 2 SD-WAN Edge to the SD-WAN Orchestrator and Activate
In this step, you will create the second hub SD-WAN Edge, called DC2.VCE.
- On the SD-WAN Orchestrator, go to Configure > Edges, select New Edge to add a new SD-WAN Edge.
- Go to Configure > Edges, select the SD-WAN Edge that you just created, then go to the Device tab to configure the same Interface and IP you configured in previous step.
Important: Since we are deploying the SD-WAN Edge in one-arm mode (same physical interface but there will be multiple over tunnels from this interface), it is important to specify the WAN Overlay to be User Defined.
- At this point, you need to create the overlay. Under WAN Settings, click Add User Defined WAN Overlay.
- Create an overlay across the public link. In our example, we will use the next-hop IP of 172.29.0.4 to reach the Internet through the firewall. The firewall is already configured to NAT the traffic to 22.214.171.124.
- Add the second overlay across the private network. In this example, we specify the next-hop router 172.29.0.1 and also specify the bandwidth since this is the MPLS leg and DC2-VCE is a hub. Add a static route to the LAN side subnet, 172.30.128.0/24 through GE2 (see the following screen capture).
- Activate the SD-WAN Edge. After the activation is successful, come back to the Device tab under the edge level configuration. Note the Public IP field is now populated. You should now see the links in the Monitor > Edges, under the Overview tab.
- (Optional) Configure the LAN Interface with Management IP: Go to Configure > Edges, select DC2-VCE. Navigate to the Device tab and scroll down to the VLAN Settings section. Click Edit. Configure the IP address of the LAN and Management interfaces.
Add the Hub 2 SD-WAN Edge to the Hub List in the Quick Start VPN Profile
- Go to Configure > Profiles and select the profile Quick Start VPN.
- Go to the Device tab and add this new SD-WAN Edge to a list of hubs.