This document provides instructions on how to upgrade the VMware Partner Gateway from the 3.3.2 or 3.4 release to the 4.0 release.

The SD-WAN Gateway appliance includes the following changes in the 4.0 release:

  • A new system disk layout based on LVM to allow more flexibility in volume management
  • A new kernel version
  • New and upgraded base OS packages
  • Improved security hardening based on Center for Internet Security benchmarks
The SD-WAN Gateway appliance includes the following system changes in the 4.0 release:
  • ifupdown has been deprecated in favor of https://netplan.io/
    • ifup and ifdown are no longer available
    • Network configuration is now in /etc/netplan vs /etc/network/
    • etc/network/ifup.d and /etc/network/ifdown.d no longer work. Network-dispatcher locations should be used /usr/lib/networkd-dispatcher (dormant.d, no-carrier.d, off.d, routable.d)
  • Substantial changes to cloud-init. Cloud-init deployment scripts must be reviewed and tested for compatibility
  • net-tools (ifconfig, netstat, etc) are considered “deprecated” and may be removed in the future versions

Network Configuration

ifupdown has been deprecated in favor of https://netplan.io/. Network configuration has moved from /etc/network to /etc/netplan.

Example network configuration (whitespace is important!) - /etc/netplan/50-cloud-init.yaml: 
network: 
  version: 2 
  ethernets: 
    eth0:
      addresses: 
        - 192.168.151.253/24 
      gateway4: 192.168.151.1
      nameservers: 
        addresses:
          - 8.8.8.8 
          - 8.8.4.4 
        search: [] 
      routes: 
        - to: 192.168.0.0/16
          via: 192.168.151.254
          metric: 100

     eth1:
      addresses: 
        - 192.168.152.251/24 
      gateway4: 192.168.152.1
      nameservers: 
        addresses: 
          - 8.8.8.8 
        search: []
Network configuration is regenerated on every boot. To make changes to the location configuration, deactivate the Cloud-init network configuration. 
echo 'network: {config: disabled}' > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

Cloud-init

Cloud-init was upgraded to version 20.2. More information on Cloud-init can be found here: https://cloudinit.readthedocs.io/en/stable/index.html

Example 1: Simple

meta-data:

instance-id: vcg1

local-hostname: vcg1

user-data: 
#cloud-config 
hostname: vcg1 
password: Velocloud123
chpasswd: {expire: False} 
ssh_pwauth: True

Example 2: New-style network configuration (network-config file)

meta-data: 
instance-id: vcg1 
local-hostname: vcg1
user-data: 
#cloud-config
hostname: vcg1
password: Velocloud123
chpasswd: {expire: False}
ssh_pwauth: True
ssh_authorized_keys:
  - ssh-rsa  …  rsa-key

velocloud: 
  vcg: 
    vco: demo.velocloud.net 
    activation_code: F54F-GG4S-XGFI 
    vco_ignore_cert_errors: false 

runcmd:
  - 'echo “Welcome to VeloCloud”'

network-config Example 1: 

version: 2
ethernets:
  eth0:
    addresses: 
      - 192.168.152.55/24
    gateway4: 192.168.152.1
    nameservers: 
      addresses:
        - 192.168.152.1 
  eth1:
    addresses:
      - 192.168.151.55/24
    gateway4: 192.168.151.1
    nameservers: 
      addresses:
        - 192.168.151.1

network-config Example 2:

NOTE: If multiple interfaces are present on the Gateway and need an interface to be selected as a preferred interface for the default gateway, the below configuration (with the metric value) can be used to select the correct interface.

version: 2
ethernets:
eth0:
  addresses: [192.168.82.1/24]
eth1:
  addresses: [70.150.1.1/24]
  routes:
  - {metric: 1, to: 0.0.0.0/0, via: 70.150.1.254}
eth2:
  addresses: [70.155.1.1/24]
  routes:
  - {metric: 2, to: 0.0.0.0/0, via: 70.155.1.254}

Net-tools

Net-tools utilities like ifconfig, netstat, route, etc. are considered “deprecated.” Net-tools suggested replacements are shown in the table below. These commands only display information for the Linux Host and not for the SD-WAN Overlay Network. NOTE: For more information, type: man ip.

Old Net-tool Utilities New Corresponding Net-tool Utilities
arp ip n (ip neighbor)
ifconfig ip a (ip addr), ip link, ip -s (ip -stats)
nameif ip link, ifrename
netstat ss, ip route (for netstat-r), ip -s link (for netstat -i), ip maddr (for netstat-g)
route ip r (ip route)

Sample Command Output for Net-tool Utilities

The sample output is confirmation that the command is successful. Sample command outputs for ip n (ip neighbor), ip a (ipaddr), and ip link are shown below.

ip n (ip neighbor): 
root@SS-gateway-1:~# ip n 
192.168.0.100 dev eth2 lladdr 00:50:56:84:85:d4 REACHABLE 
192.168.0.250 dev eth2 lladdr 00:50:56:84:97:66 REACHABLE 
13.1.1.2 dev eth0 lladdr 00:50:56:84:e7:fa REACHABLE 
root@SS-gateway-1:~#
ip a (ipaddr): 
root@SS-gateway-1:~# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
    inet 127.0.0.1/8 scope host lo 
       valid_lft forever preferred_lft forever 
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever 
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 4096 
    link/ether 00:50:56:84:a0:09 brd ff:ff:ff:ff:ff:ff 
    inet 13.1.1.1/24 brd 13.1.1.255 scope global eth0 
       valid_lft forever preferred_lft forever 
    inet6 fe80::250:56ff:fe84:a009/64 scope link 
       valid_lft forever preferred_lft forever 
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 
    link/ether 00:50:56:84:a6:ab brd ff:ff:ff:ff:ff:ff 
    inet 101.101.101.1/24 brd 101.101.101.255 scope global eth1 
       valid_lft forever preferred_lft forever 
    inet6 fe80::250:56ff:fe84:a6ab/64 scope link 
       valid_lft forever preferred_lft forever 
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 
    link/ether 00:50:56:84:bc:75 brd ff:ff:ff:ff:ff:ff 
    inet 192.168.0.201/24 brd 192.168.0.255 scope global eth2 
       valid_lft forever preferred_lft forever 
    inet6 fe80::250:56ff:fe84:bc75/64 scope link 
       valid_lft forever preferred_lft forever 
6: gwd1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 4096 
    link/none 
    inet 169.254.129.1/32 scope global gwd1 
       valid_lft forever preferred_lft forever 
    inet6 fe80::27d5:9e46:e7f7:7198/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever 
root@SS-gateway-1:~#
ip link 
root@SS-gateway-1:~# ip link 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 4096 
    link/ether 00:50:56:84:a0:09 brd ff:ff:ff:ff:ff:ff 
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 
    link/ether 00:50:56:84:a6:ab brd ff:ff:ff:ff:ff:ff 
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 
    link/ether 00:50:56:84:bc:75 brd ff:ff:ff:ff:ff:ff 
6: gwd1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 4096 
    link/none 
root@SS-gateway-1:~#

Upgrade Considerations

Note: The below steps are based on the assumption that you want to keep the same IP address and SD-WAN Gateway name for the new SD-WAN Gateway deployed in the 4.0 release. However, if you want to create a new SD-WAN Gateway with a different IP address and, you can follow the new SD-WAN Gateway procedures.

Due to substantial changes to the disk layout and system files, an in-place upgrade is not possible from older releases to the 4.0 release. The migration will require deploying new 4.0 SD-WAN Gateway systems and decommissioning systems running older code.

For VPN SD-WAN Gateways or NAT SD-WAN Gateways with well-known public IP addresses, adhere to the following procedure below if the public IP of the SD-WAN Gateway must be preserved.

Procedure: (VNP or NAT SD-WAN Gateways with Well-Known Public IP Addresses)
  1. Launch the new SD-WAN Gateway system based on the 4.0 release image. Refer to the deployment guide for your platform for more information (Gateway Installation Procedures).
  2. Shutdown the old SD-WAN Gateway system. (Bring down the old SD-WAN Gateway VM (either by running the “sudo poweroff” command on the CLI console, or by powering off from the available Hypervisor options).
  3. Migrate the public IP to the new system: update the NAT record to point to the new SD-WAN Gateway system, or configure the public IP on the new SD-WAN Gateway network interface. Deploy the new Gateway with the Cloud-int examples given above using the same IP address as the previous SD-WAN Gateway.
  4. Obtain the activation key from the existing SD-WAN Gateway record in the SD-WAN Orchestrator (as described in the steps below).
    1. From the SD-WAN Orchestrator, select Gateways from the left navigation panel.
    2. From the Gateways screen, click a SD-WAN Gateway to select it.
    3. From the screen of the chosen SD-WAN Gateway, click the down arrow next to the SD-WAN Gateway name to open the information box.
    4. The Activation Key is located at the bottom of the information box, as shown in the image below.

  5. Set the following system property “gateway.activation.validate.deviceId” to False, as shown in the image below. Refer to the System Properties section in the VMware SD-WAN Operator Guide, if necessary for more information.

  6. Re-activate the new SD-WAN Gateway system: from the CLI console run: “sudo /opt/vc/bin/activate.py -s <vco_address> <activation_code>”
  7. Restore the following system property “gateway.activation.validate.deviceId” to the original value (if necessary).

    The SD-WAN Gateway is now registered and ready to receive a connection from the Edges.

Note: The SD-WAN Gateway reactivation can be performed via Cloud-int, as described in the User Data section in this document.

Activation Example Output

root@gateway/opt/vc# /opt/vc/bin/activate.py FLM6-CSV6-REJS-XFR5 -i -s 169.254.8.2

Activation successful, VCO overridden back to 169.254.8.2 root@SS1-gateway-2:/opt/vc#

SD-WAN Gateways Without Well-known Public IPs

This section is only for SD-WAN Gateways without a well-known public IP, such as, VPN SD-WAN Gateways. If this scenario applies, follow the procedure below.

Procedure: ( SD-WAN Gateways Without Well-known Public IPs)
  1. Launch a new SD-WAN Gateway system. Refer to the deployment guide for your platform if necessary (Gateway Installation Procedures).
  2. Activate a new SD-WAN Gateway system.
  3. Add new SD-WAN Gateway to the SD-WAN Orchestrator SD-WAN Gateway pool. Refer to "Gateway Management" section in the VMware SD-WAN Operator Guide for more details.
    1. The SD-WAN Gateway is now registered and ready to receive a connection from the Edges.
  4. Remove the old SD-WAN Gateway from SD-WAN Orchestrator SD-WAN Gateway pool. Refer to the "Gateway Management" section in VMware SD-WAN Operator Guide for more information.
  5. Decommission the old SD-WAN Gateway VM. (Remove the SD-WAN Gateway record from the SD-WAN Orchestrator and decommission the VM instance).

Obtaining Gateway Activation Key Via API

To deploy using the API Method, use the following: “network/getNetworkGateways”

Sample response:

{"jsonrpc":"2.0","result":[{"id":1, "activationKey":"69PX-YHY2-N5PZ-G3UW …

Configure Handoff Interface in Dataplane

VMware SD-WAN Gateway Network Configuration

In the example featuring figure below (VRF/VLAN Hand Off to PE), we assume eth0 is the interface facing the public network (Internet) and eth1 is the interface facing the internal network (customer VRF through the PE). BGP peering configuration is managed on the VCO on a per customer/VRF basis under “Configure > Customer”. Note that the IP address of each VRF is configurable per customer. The IP address of the management VRF inherits the IP address configured on the SD-WAN Gateway interface in Linux.

A management VRFis created on the SD-WAN Gateway and is used to send periodic ARP refresh to the default Gateway IP to determine the next-hop MAC. It is recommended that a dedicated VRF is set up on the PE router for this purpose. The same management VRF can also be used by the PE router to send IP SLA probe to the SD-WAN Gateway to check for SD-WAN Gateway status (SD-WAN Gateway has stateful ICMP responder that will respond to ping only when its service is up). BGP Peering is not required on the Management VRF. If a Management VRF is not set up, then you can use one of the customer VRFs as Management VRF, although this is not recommended.

Step 1: Edit the /etc/config/gatewayd and specify the correct VCMP and WAN interface. VCMP interface is the public interface that terminates the overlay tunnels. The WAN interface in this context is the handoff interface. 
      "vcmp.interfaces":[
                   "eth0"
               ], 
         (..snip..)

               "wan": [
                   "eth1"
               ],

Step 2: Configure the Management VRF. This VRF is used by the SD-WAN Gateway to ARP for next-hop MAC (PE router). The same next-hop MAC will be used by all the VRFs created by the SD-WAN Gateway. You need to configure the Management VRFparameter in /etc/config/gatewayd.

The Management VRF is the same VRF used by the PE router to send IP SLA probe to. The SD-WAN Gateway only responds to the ICMP probe if the service is up and if there are edges connected to it. Below table explains each parameter that needs to be defined. This example has Management VRF on the 802.1q VLAN ID of 1000.

mode QinQ (0x8100), QinQ (0x9100), none, 802.1Q, 802.1ad
c_tag C-Tag value for QinQ encapsulation or 802.1Q VLAN ID for802.1Q encapsulation
s_tag S-Tag value for QinQ encapsulation
interface Handoff interface, typically eth1 
      "vrf_vlan": {
          "tag_info": [
             {
                 "resp_mode": 0,
                 "proxy_arp": 0,
                 "c_tag": 1000, 
                 "mode": "802.1Q",
                 "interface": "eth1",
                 "s_tag": 0
             }
          ]
      },

Step 3: Edit the /etc/config/gatewayd-tunnel to include both interfaces in the wan parameter. Save the change.

wan="eth0 eth1"

Remove Blocked Subnets

By default, the SD-WAN Gateway blocks traffic to 10.0.0.0/8 and 172.16.0.0/14. We will need to remove them before using this SD-WAN Gateway because we expect SD-WAN Gateway to be sending traffic to private subnets as well. If you do not edit this file, when you try to send traffic to blocked subnets, you will find the following messages in /var/log/gwd.log

2015-12-18T12:49:55.639  ERR     [NET] proto_ip_recv_handler:494 Dropping packet destined for
10.10.150.254, which is a blocked subnet.
2015-12-18T12:52:27.764  ERR     [NET] proto_ip_recv_handler:494 Dropping packet destined for 
10.10.150.254, which is a blocked subnet. [message repeated 48 times]
2015-12-18T12:52:27.764  ERR     [NET] proto_ip_recv_handler:494 Dropping packet destined for 
10.10.150.10, which is a blocked subnet.
Step 1: On SD-WAN Gateway, edit /opt/vc/etc/vc_blocked_subnets.jsonfile. You will find that this file first has the following. 
[
            {
                        "network_addr": "10.0.0.0",
                        "subnet_mask": "255.0.0.0"
            },
            {
            "network_addr": "172.16.0.0",
            "subnet_mask": "255.255.0.0"
            }
]
Step 2: Remove the two networks. The file should look like below after editing. Save the change. 
[
]

Step 3: Restart the SD-WAN Gateway process by sudo /opt/vc/bin/vc_procmon restart.