The VMware SD-WAN Partner Gateway provides several configuration options. Prepare a worksheet with the values below before installing the Gateway.

Worksheet

SD-WAN Gateway
  • Version
  • OVA/QCOW2 file location
  • Activation Key
  • SASE Orchestrator (IP ADDRESS/vco-fqdn-hostname)
  • Hostname
Hypervisor
  • Address/Cluster name
Storage
  • Root volume datastore (>40GB recommended)
CPU Allocation
  • CPU Allocation for KVM/VMware
Installation Selections
  • DPDK: optional and enabled by default for higher throughput. If you choose to deactivate DPDK, contact VMware Customer Support.
OAM Network
  • DHCP
  • OAM IPv4 Address
  • OAM IPv4 Netmask
  • DNS server - primary
  • DNS server - secondary
  • Static Routes
ETH0 – Internet Facing Network
  • IPv4 Address
  • IPv4 Netmask
  • IPv4 Default gateway
  • DNS server - primary
  • DNS server - secondary
Handoff (ETH1) - Network
  • MGMT VRF IPv4 Address
  • MGMT VRF IPv4 Netmask
  • MGMT VRF IPv4 Default gateway
  • DNS server - primary
  • DNS server - secondary
  • Handoff (QinQ (0x8100), QinQ (0x9100), none, 802.1Q, 802.1ad)
  • C-TAG
  • S-TAG
Console access
  • Console_Password
  • SSH:
    • Enabled (yes/no)
    • SSH public key
NTP
  • Public NTP:
    • server 0.ubuntu.pool.ntp.org
    • server 1.ubuntu.pool.ntp.org
    • server 2.ubuntu.pool.ntp.org
    • server 3.ubuntu.pool.ntp.org
  • Internal NTP server - 1
  • Internal NTP server - 2

SD-WAN Gateway Section

Most of the SD-WAN Gateway section is self-explanatory.

SD-WAN Gateway
  • Version - Must be the same as or lower than the SASE Orchestrator version
  • OVA/QCOW2 file location - Plan the file location and disk allocation in advance
  • Activation Key
  • SASE Orchestrator (IP ADDRESS/vco-fqdn-hostname)
  • Hostname - A valid Linux hostname (RFC 1123)

Creating a Gateway and Getting the Activation Key

  1. In the Operator portal, click the Gateway Management tab and go to Gateway Pools in the left navigation pane. The Gateway Pools page appears. Create a new SD-WAN Gateway pool. For running SD-WAN Gateway in the Service Provider network, check the Allow Partner Gateway checkbox. This will enable the option to include the partner gateway in this gateway pool.

  2. In the Operator portal, click Gateway Management > Gateways and create a new gateway and assign it to the pool. The IP address of the gateway entered here must match the public IP address of the gateway. If unsure, you can run curl ipinfo.io/ip from the SD-WAN Gateway which will return the public IP of the SD-WAN Gateway.

  3. Make a note of the activation key and add it to the worksheet.

Activate Partner Gateway Mode

  1. In the Operator portal, click Gateway Management > Gateways and select the SD-WAN Gateway. Check the Partner Gateway check box to activate the Partner Gateway.

    There are additional parameters that can be configured. The most common are the following:
    • Advertise 0.0.0.0/0 with no encrypt – This option makes the Partner Gateway advertise a path to the cloud for SaaS application traffic. Because the Encrypt flag is off, whether that path is used is left to the customer's business policy configuration.
    • Advertise the SASE Orchestrator IP as a /32 with encrypt – This is the second recommended option. It forces the traffic that the Edge sends to the SASE Orchestrator to take the Gateway path, which is recommended because it makes the path the SD-WAN Edge takes to reach the SASE Orchestrator predictable.

Networking

Important: The following procedure and screenshots focus on the most common deployment, which is the 2-ARM installation for the Gateway. The addition of an OAM network is considered in the section titled, OAM Interface and Static Routes.

[Figure: vcg-partner-gateway-pe-image]

The diagram above is a representation of the SD-WAN Gateway in a 2-ARM deployment. In this example, we assume eth0 is the interface facing the public network (Internet) and eth1 is the interface facing the internal network (handoff or VRF interface).

Note: A Management VRF is created on the SD-WAN Gateway and is used to send a periodic ARP refresh to the default gateway IP, which checks that the handoff interface is physically up and speeds up failover. It is recommended that a dedicated VRF is set up on the PE router for this purpose. Optionally, the PE router can use the same Management VRF to send an IP SLA probe to the SD-WAN Gateway to check its status (the SD-WAN Gateway has a stateful ICMP responder that answers ping only while its service is up). If a dedicated Management VRF is not set up, one of the customer VRFs can be used as the Management VRF, although this is not recommended.

For the Internet Facing network, you only need the basic network configuration.

ETH0 – Internet Facing Network
  • IPv4_Address
  • IPv4_Netmask
  • IPv4_Default_gateway
  • DNS_server_primary
  • DNS_server_secondary

For the Handoff interface, you must know which type of handoff you want to configure and the Handoff configuration for the Management VRF.

ETH1 – HANDOFF Network
  • MGMT_IPv4_Address
  • MGMT_IPv4_Netmask
  • MGMT_IPv4_Default gateway
  • DNS_Server_Primary
  • DNS_Server_Secondary
  • Handoff (QinQ (0x8100), QinQ (0x9100), none, 802.1Q, 802.1ad)
  • C_TAG_FOR_MGMT_VRF
  • S_TAG_FOR_MGMT_VRF

Console Access

Console access
  • Console_Password
  • SSH:
    • Enabled (yes/no)
    • SSH public key

To access the Gateway, you must create a console password and/or an SSH public key.

Cloud-Init Creation

The configuration options for the gateway defined in the worksheet are used in the cloud-init configuration. The cloud-init configuration is composed of three files: meta-data, which identifies the instance of the SD-WAN Gateway being installed; network-config, which contains the network configuration for the Gateway; and user-data, which contains the Gateway software configuration.

Below are the templates for both meta_data and user_data files. Network-config can be omitted and network interfaces will be configured via DHCP by default.

Fill in the templates with the information from the worksheet. Every #_VARIABLE_# placeholder must be replaced, and every #ACTION# marker must be checked and resolved.

Important: The template assumes you are using static configuration for the interfaces. It also assumes that you are either using SR-IOV for all interfaces or none. For more information, see OAM - SR-IOV with vmxnet3 or SR-IOV with VIRTIO.
meta-data file:
instance-id: #_Hostname_#
local-hostname: #_Hostname_#
network-config file (leading spaces are important!)
Note: The network-config template below configures the virtual machine with two network interfaces, eth0 and eth1, with static IP addresses. eth0 is the primary interface with a default route at metric 1; eth1 is the secondary interface with a default route at metric 13, so the lower metric makes eth0 the preferred default route. The user-data template configures password authentication for the default user (vcadmin) and adds the SSH authorized key for that user, and the SD-WAN Gateway activates automatically to the SASE Orchestrator using the provided activation_code.
version: 2
ethernets:
   eth0:
      addresses:
         - #_IPv4_Address_/mask#
      gateway4: #_IPv4_Gateway_#
      nameservers:
         addresses:
            - #_DNS_server_primary_#
            - #_DNS_server_secondary_#
         search: []
      routes:
         - to: 0.0.0.0/0
           via: #_IPv4_Gateway_#
           metric: 1
   eth1:
      addresses:
         - #_MGMT_IPv4_Address_/mask#
      gateway4: #_MGMT_IPv4_Gateway_#
      nameservers:
         addresses:
            - #_DNS_server_primary_#
            - #_DNS_server_secondary_#
         search: []
      routes:
         - to: 0.0.0.0/0
           via: #_MGMT_IPv4_Gateway_#
           metric: 13
user-data file:
#cloud-config
hostname: #_Hostname_#
password: #_Console_Password_#
chpasswd: {expire: False}
ssh_pwauth: True
ssh_authorized_keys:
  - #_SSH_public_Key_#
velocloud:
  vcg:
    vco: #_VCO_#
    activation_code: #_Activation_Key_#
    vco_ignore_cert_errors: false

The password configured in the user-data file belongs to the default user, vcadmin; use this username to log in to the SD-WAN Gateway for the first time. Two settings in the template deserve attention: ssh_pwauth: True allows password logins over SSH, so once an SSH public key is in place set it to false and keep the console password for console access only; and vco_ignore_cert_errors: false makes the Gateway reject an Orchestrator certificate it cannot validate, so leave it false outside a lab.

Important: Always validate user-data and meta-data with a YAML checker such as http://www.yamllint.com/, and check that network-config is a valid cloud-init network configuration (https://cloudinit.readthedocs.io/en/19.4/topics/network-config.html). Copying and pasting from Windows or Mac editors sometimes introduces smart quotes, which corrupt the files. Run the following command on each file to make sure it is free of smart quotes, then use the _new copy:
sed 's/[“”]/"/g' /tmp/user-data > /tmp/user-data_new

Create ISO File

Once you have completed your files, they need to be packaged into an ISO image. This ISO image is used as a virtual configuration CD with the virtual machine. This ISO image, called vcg01-cidata.iso, is created with the following command on a Linux system:

genisoimage -output vcg01-cidata.iso -volid cidata -joliet -rock user-data meta-data network-config

If you are on macOS, use mkisofs instead (it is not part of a stock macOS install; it comes with the cdrtools package, for example via Homebrew):

mkisofs -output vcg01-cidata.iso -volid cidata -joliet -rock user-data meta-data network-config

This ISO file, which we will call #CLOUD_INIT_ISO_FILE#, is used in both the KVM (QCOW2) and VMware (OVA) installations.
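The whole path from worksheet to ISO, as an added example that is not part of VMware's documentation or tooling: it renders the three cloud-init files from constructed sample values (the hostname vcg01, the 203.0.113.0/24 and 192.168.152.0/24 addresses, the vco.example.com Orchestrator, the activation key and the SSH key are all placeholders), strips smart quotes, refuses to continue if a #_VARIABLE_# or #ACTION# marker survived the fill-in, parses the YAML with PyYAML when it is installed, and packages the cidata ISO with whichever of genisoimage or mkisofs is present. Two deliberate departures from the template above: ssh_pwauth is false because a key is supplied, and the default routes are carried only by the routes entries with their metrics (the gateway4 keys, deprecated in netplan, are omitted).

```shell
#!/bin/sh
# Added example, not VMware tooling: render the cloud-init files from worksheet
# values, strip smart quotes, check for leftover placeholders, validate, build ISO.
set -eu

# Worksheet values (constructed sample data; replace with your own).
GW_HOSTNAME=vcg01
ETH0_CIDR=203.0.113.10/24;    ETH0_GW=203.0.113.1      # eth0, Internet-facing
ETH1_CIDR=192.168.152.10/24;  ETH1_GW=192.168.152.1    # eth1, handoff / MGMT VRF
DNS1=1.1.1.1;                 DNS2=8.8.8.8
VCO=vco.example.com;          ACTIVATION_KEY=XXXX-XXXX-XXXX-XXXX
CONSOLE_PASSWORD='ChangeMe-Now'                       # quoted in YAML below
SSH_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotARealKey vcadmin'

# Write meta-data, network-config and user-data into the directory $1.
render_cloud_init() {
  dir=$1; mkdir -p "$dir"
  printf 'instance-id: %s\nlocal-hostname: %s\n' "$GW_HOSTNAME" "$GW_HOSTNAME" > "$dir/meta-data"
  # eth0 carries the preferred default route (metric 1), eth1 the fallback (metric 13).
  cat > "$dir/network-config" <<EOF
version: 2
ethernets:
  eth0:
    addresses: [$ETH0_CIDR]
    nameservers: {addresses: [$DNS1, $DNS2], search: []}
    routes:
      - {to: 0.0.0.0/0, via: $ETH0_GW, metric: 1}
  eth1:
    addresses: [$ETH1_CIDR]
    nameservers: {addresses: [$DNS1, $DNS2], search: []}
    routes:
      - {to: 0.0.0.0/0, via: $ETH1_GW, metric: 13}
EOF
  # Key-only SSH: ssh_pwauth is false here, unlike the template on the page.
  cat > "$dir/user-data" <<EOF
#cloud-config
hostname: $GW_HOSTNAME
password: "$CONSOLE_PASSWORD"
chpasswd: {expire: False}
ssh_pwauth: false
ssh_authorized_keys:
  - $SSH_PUBKEY
velocloud:
  vcg:
    vco: $VCO
    activation_code: $ACTIVATION_KEY
    vco_ignore_cert_errors: false
EOF
}

# Replace curly double and single quotes by their ASCII forms. The UTF-8 byte
# sequences are spelled out and sed runs in the C locale, so this works regardless
# of the user's locale settings.
strip_smart_quotes() {
  ldq=$(printf '\342\200\234'); rdq=$(printf '\342\200\235')
  lsq=$(printf '\342\200\230'); rsq=$(printf '\342\200\231')
  LC_ALL=C sed -E "s/($ldq|$rdq)/\"/g; s/($lsq|$rsq)/'/g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeed only if no #_VARIABLE_# or #ACTION# marker survived the fill-in.
no_placeholders() {
  ! grep -Eq '#_|#ACTION#' "$1/meta-data" "$1/network-config" "$1/user-data"
}

# Parse every file with PyYAML when it is installed (an offline stand-in for yamllint.com).
validate_yaml() {
  if python3 -c 'import yaml' 2>/dev/null; then
    for f in "$1/meta-data" "$1/network-config" "$1/user-data"; do
      python3 -c 'import sys, yaml; yaml.safe_load(open(sys.argv[1]))' "$f"
    done
  else
    echo "warning: PyYAML not available, YAML parse check skipped" >&2
  fi
}

# Package the three files as the 'cidata' volume: genisoimage on Linux, mkisofs on macOS.
build_iso() {
  if command -v genisoimage >/dev/null 2>&1; then tool=genisoimage
  elif command -v mkisofs >/dev/null 2>&1; then tool=mkisofs
  else echo "warning: neither genisoimage nor mkisofs found, ISO not built" >&2; return 0; fi
  (cd "$1" && "$tool" -output vcg01-cidata.iso -volid cidata -joliet -rock user-data meta-data network-config)
}

OUT=${1:-$(mktemp -d)}
render_cloud_init "$OUT"
for f in meta-data network-config user-data; do strip_smart_quotes "$OUT/$f"; done
no_placeholders "$OUT" || { echo "error: unfilled placeholders remain in $OUT" >&2; exit 1; }
validate_yaml "$OUT"
build_iso "$OUT"
echo "cloud-init files (and ISO, if built) are in $OUT"
```

Run it as `sh build-cidata.sh ./cidata` after editing the values at the top; without an argument it writes into a fresh temporary directory and prints the path. The placeholder check is the step that catches the most common mistake, a template copied with a `#_..._#` marker still in it, which YAML validation alone would not flag because the marker is a valid comment.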