This section describes the key concepts and the core configurations of SASE Orchestrator.
Configurations
The VMware service has four core configurations that have a hierarchical relationship. Create these configurations in the SASE Orchestrator.
The following table provides an overview of the configurations:
Configuration | Description |
---|---|
Network | Defines basic network configurations, such as IP addressing and VLANs. Networks can be designated as Corporate or Guest and there can be multiple definitions for each network. |
Network Services | Define several common services used by the VMware Service, such as BackHaul Sites, Cloud VPN Hubs, Non SD-WAN Destinations, Cloud Proxy Services, DNS services, and Authentication Services. |
Profile | Defines a template configuration that can be applied to multiple Edges. A Profile is configured by selecting a Network and Network Services. A profile can be applied to one or more Edge models and defines the settings for the LAN, Internet, Wireless LAN, and WAN Edge Interfaces. Profiles can also provide settings for Wi-Fi Radio, SNMP, Netflow, Business Policies and Firewall configuration. |
Edge | Configurations provide a complete group of settings that can be downloaded to an Edge device. The Edge configuration is a composite of settings from a selected Profile, a selected Network, and Network Services. An Edge configuration can also override settings or add ordered policies to those defined in the Profile, Network, and Network Services. |
The following image shows a detailed overview of the relationships and configuration settings of multiple Edges, Profiles, Networks, and Network Services.
A single Profile can be assigned to multiple Edges. An individual Network configuration can be used in more than one Profile. Network Services configurations are used in all Profiles.
Networks
- Corporate or trusted networks, which can be configured with either overlapping addresses or non-overlapping addresses.
- Guest or untrusted networks, which always use overlapping addresses.
You can define multiple Corporate and Guest Networks, and assign VLANs to both the Networks.
With overlapping addresses, all Edges that use the Network have the same address space. Overlapping addresses are associated with non-VPN configurations.
With non-overlapping addresses, an address space is divided into blocks of an equal number of addresses. Non-overlapping addresses are associated with VPN configurations. The address blocks are assigned to Edges that use the Network so that each Edge has a unique set of addresses. Non-overlapping addresses are required for Edge-to-Edge and Edge -to- Non SD-WAN Destination VPN communication. The VMware configuration creates the required information to access an Enterprise Data Center Gateway for VPN access. An administrator for the Enterprise Data Center Gateway uses the IPSec configuration information generated during Non SD-WAN Destination VPN configuration to configure the VPN tunnel to the Non SD-WAN Destination.
The following image shows unique IP address blocks from a Network configuration being assigned to SD-WAN Edge.
Network Services
You can define your Enterprise Network Services and use them across all the Profiles. This includes services for Authentication, Cloud Proxy, Non SD-WAN Destinations, and DNS. The defined Network Services are used only when they are assigned to a Profile.
Profiles
A profile is a named configuration that defines a list of VLANs, Cloud VPN settings, wired and wireless Interface Settings, and Network Services such as DNS Settings, Authentication Settings, Cloud Proxy Settings, and VPN connections to Non SD-WAN Destinations. You can define a standard configuration for one or more SD-WAN Edges using the profiles.
Profiles provide Cloud VPN settings for Edges configured for VPN. The Cloud VPN Settings can activate or deactivate Edge-to-Edge and Edge-to- Non SD-WAN Destination VPN connections.
Profiles can also define rules and configuration for the Business Policies and Firewall settings.
Edges
You can assign a profile to an Edge and the Edge derives most of the configuration from the Profile.
You can use most of the settings defined in a Profile, Network, or Network Services without modification in an Edge configuration. However, you can override the settings for the Edge configuration elements to tailor an Edge for a specific scenario. This includes settings for Interfaces, Wi-Fi Radio Settings, DNS, Authentication, Business Policy, and Firewall.
In addition, you can configure an Edge to augment settings that are not present in Profile or Network configuration. This includes Subnet Addressing, Static Route settings, and Inbound Firewall Rules for Port Forwarding and 1:1 NAT.
Orchestrator Configuration Workflow
VMware supports multiple configuration scenarios. The following table lists some of the common scenarios:
Scenario | Description |
---|---|
SaaS | Used for Edges that do not require VPN connections between Edges, to a Non SD-WAN Destination, or to a VMware SD-WAN Site. The workflow assumes the addressing for the Corporate Network using overlapping addresses. |
Non SD-WAN Destination via VPN | Used for Edges that require VPN connections to a Non SD-WAN Destination such as Amazon Web Services, Zscaler, Cisco ISR, or ASR 1000 Series. The workflow assumes the addressing for the Corporate Network using non-overlapping addresses and the Non SD-WAN Destinations are defined in the profile. |
VMware SD-WAN Site VPN | Used for Edges that require VPN connections to a VMware SD-WAN Site such as an Edge Hub or a Cloud VPN Hub. The workflow assumes the addressing for the Corporate Network using non-overlapping addresses and the VMware SD-WAN Sites are defined in the profile. |
For each scenario, perform the configurations in the SASE Orchestrator in the following order:
Step 1: Network
Step 2: Network Services
Step 3: Profile
Step 4: Edge
The following table provides a high-level outline of the Quick Start configuration for each of the workflows. You can use the preconfigured Network, Network Services, and Profile configurations for Quick Start Configurations. For VPN configurations modify the existing VPN Profile and configure the VMware SD-WAN Site or Non SD-WAN Destination. The final step is to create a new Edge and activate it.
Quick Start Configuration Steps |
SaaS | Non SD-WAN Destination VPN |
VMware SD-WAN Site VPN |
---|---|---|---|
Step 1: Network | Select Quick Start Internet Network | Select Quick Start VPN Network | Select Quick Start VPN Network |
Step 2: Network Service | Use pre-configured Network Services | Use pre-configured Network Services | Use pre-configured Network Services |
Step 3: Profile | Select Quick Start Internet Profile | Select Quick Start VPN Profile Activate Cloud VPN and configure Non SD-WAN Destinations |
Select Quick Start VPN Profile Activate Cloud VPN and configure VMware SD-WAN Sites |
Step 4: Edge | Add New Edge and activate the Edge | Add New Edge and activate the Edge |
Add New Edge and activate the Edge |
For more information, see Activate SD-WAN Edges.