VMware SD-WAN Partner Guide
VMware SD-WAN 5.1
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
© Copyright 2022 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
2 What's New
3 Introduction
4 Supported Browsers
8 Monitor Events
10 Roles
    Functional Roles
    Composite Roles
    Manage Composite Roles
    Create New Composite Roles
    Role Customization
    Create New Customized Package
    Upload Customized Package
    Monitor Role Customization Events
    List of Functional Role Privileges
23 VMware Partner Gateway Upgrade and Migration 3.3.2 or 3.4 to 4.0
1 About VMware SD-WAN Partner Guide
The VMware SD-WAN™ (formerly known as VMware SD-WAN™ by VeloCloud®) Partner Guide provides information about the VMware SD-WAN Orchestrator, including how to configure and manage Customers who use the Orchestrator.
Intended Audience
This guide is intended for IT Partners using the SD-WAN Orchestrator who are familiar with networking configuration and SD-WAN operations.
Beginning with Release 4.4.0, VMware SD-WAN is offered as part of VMware SASE. To access
SASE documentation for Cloud Web Security and Secure Access, along with Release Notes for
version 4.4.0 and later, see VMware SASE.
2 What's New
What's New in Version 5.1.0

Feature: Configure MSP Users for Self-Healing Capabilities
Description: The Self-Healing feature enables VMware SD-WAN Managed Service Provider (MSP) users to activate and configure Self-Healing capabilities at the Customer level. See Activate Self-Healing for a New Customer and Activate Self-Healing for an Existing Customer.

Feature: Features/UI Pages Migrated to New Orchestrator UI
Description: You can now configure the following existing features using the New Orchestrator UI:
- View Partner Information with New Orchestrator UI
- Manage Gateways with New Orchestrator UI
- Manage Gateway Pools with New Orchestrator UI
- Request Diagnostic Bundles for Gateways with New Orchestrator UI
- Request Packet Capture Bundle for Gateways with New Orchestrator UI
- Configure Partner Customers with New Orchestrator UI
- Manage Partner Customers with New Orchestrator UI
- Chapter 11 User Management - Partner
- Edge Licensing with New Orchestrator UI
- Chapter 19 Activate SD-WAN Edges using Edge Auto-activation with New Orchestrator UI

Feature: Support for Unified Administration of Orchestrator Services
Description: User management and global settings that are shared across all Orchestrator services are separated out from the SD-WAN service and grouped under Global Settings & Administration. This allows users to operate any Orchestrator service in standalone mode. See Create New Composite Roles and Manage Composite Roles.

Feature: Platform and Modem Firmware Updates
Description: Support for updating the Platform and Modem Firmware images is available for the following Edge device models:
- Platform Firmware images for 6X0 Edge device models and 3X00 Edge device models (3400/3800/3810).
- Modem Firmware images for 510-LTE (Edge 510LTE-AE, Edge 510LTE-AP) and 610-LTE (Edge 610LTE-AM, Edge 610LTE-RW).
For more information, see Create New Partner Customer.

For a complete list of new and updated sections to the documentation for Administrators, see VMware SD-WAN Administration Guide.
3 Introduction
As a Partner user, you can configure and manage the following:
- Partner Events
- Partner Settings
- Partner Authentication
- Enterprise Customers
Refer to the VMware SD-WAN Administration Guide to become familiar with the core functions of VMware SD-WAN used by an Enterprise IT Administrator for a customer.
4 Supported Browsers
The SD-WAN Orchestrator supports the following browsers:
Note For the best experience, VMware recommends Google Chrome or Mozilla Firefox.
Note Starting from VMware SD-WAN version 4.0.0, support for Internet Explorer is deprecated.
5 Log in to SD-WAN Orchestrator using SSO for Partner User
Describes how to log in to the SD-WAN Orchestrator using Single Sign On (SSO) as a Partner user.
Prerequisites
- Ensure you have configured SSO authentication in the SD-WAN Orchestrator. For more information, see Configure Single Sign On for Partner User.
- Ensure you have set up the roles, users, and OIDC application for SSO in your preferred IdP. For more information, see Configure an IDP for Single Sign On.
Procedure
3 In the Enter your Organization Domain text box, enter the domain name used for the SSO
configuration and click Sign In.
The IDP configured for the SSO authenticates the user and redirects the user to the
configured SD-WAN Orchestrator URL.
Note
- Once users have logged in to the SD-WAN Orchestrator using SSO, they can no longer log in as native users.
- The user can navigate to the Classic UI by clicking the Open Classic Orchestrator option located at the top right of the UI screen.
6 Monitor Partner Customers
As a Partner User, you can monitor the status of your Customers along with the Edges
connected to the Customers.
This screen shows the Edges and Links for all customers managed by this Partner. Selections can
be made to control the interval for updating the information.
In the Refresh Interval, you can either pause the monitoring or choose the time interval to refresh
the monitoring status.
Customers:
- Number of Customers that are UP, DOWN, and UNACTIVATED. Click the number to view the corresponding Customer details in the bottom panel.
- In the bottom panel, click the link to the Customer name to navigate to the Enterprise portal, where you can view and configure other settings corresponding to the selected customer. For more information see the VMware SD-WAN Administration Guide.
Edges:
- Number of Edges that are DOWN, DEGRADED, CONNECTED, and UNACTIVATED. Click the number to view the corresponding details of the Edges in the bottom panel.
- In the bottom panel, place the mouse cursor on the Down Arrow displayed next to the number of Edges to view the details of each Edge. Click the link to the Edge name to navigate to the Enterprise Monitoring portal, where you can view more details corresponding to the selected Edge. For more information see the VMware SD-WAN Administration Guide.
You can also view the Customers and associated Edges using the new Orchestrator UI. The new Orchestrator UI does not provide an Auto Refresh option; refresh the window manually to view the current data.
7 Manage Partner Customers
As a Partner Super User, you can manage the Partner Customers, configure the customer capabilities and other customer settings using the Manage Customers tab in the Partner portal.
In the Partner portal, click Manage Customers > Actions to perform the following activities.
- New Customer: Creates a new customer. See Create New Partner Customer.
- Clone Customer: Creates a new customer by cloning the existing configurations from the selected customer. See Clone a Partner Customer.
- Modify Customer: Navigates to the System Settings in the Enterprise portal, where you can configure other settings corresponding to the selected customer. You can also click a customer name to navigate to the Enterprise portal. For more information see the VMware SD-WAN Administration Guide.
- Delete Customer: Deletes the selected customers. Ensure that you have removed all the Edges associated with the selected customer before deleting the customer.
- Support Email: Selected Customer: Sends customer support messages to the selected customer.
- Assign software image: Adds a software image for the selected customers.
  Note This option is available only for Partner Customers with the Edge Image Management feature enabled.
- Update Edge Image Management: Allows you to activate or deactivate the Edge Image Management feature for the selected customers.
- Update Customer Alerts: Allows you to activate or deactivate alerts for the selected customers.
- Export All Customers: Exports the details of all the customers in the Partner portal to a CSV file. The default separator is a comma (,); you can change the separator to any other special character.
- Export Customer Edge Inventory: Exports the inventory details of all the Edges associated with all the customers to a CSV file. The default separator is a comma (,); you can change the separator to any other special character.
Create New Partner Customer
Only Partner Super Users and Partner Standard Admins can create a new Partner customer.
Note An Operator Super User can temporarily deactivate the creation of new customers by setting the system property session.options.disableCreateEnterprise to True. While this property is True, Partner Super Users and Partner Standard Admins cannot create new customers. If you are not able to create a customer, contact your Operator to enable the option.
1 In the Customers page, click New Partner Customer or click Actions > New Customer.
2 In the New Customer window, enter the following details. You can also choose the Clone
from Customer option to clone the configurations from an existing customer. For more
information, see Clone a Partner Customer.
Customer Information
Partner Support Access: This option is selected by default and grants the Partner's Support team access to view, configure, and troubleshoot the Edges connected to the customer. For security reasons, Support cannot access or view user identifiable information.
VeloCloud Support Access: This option is selected by default and grants VMware Support access to view, configure, and troubleshoot the Edges connected to the customer. For security reasons, Support cannot access or view user identifiable information.
VeloCloud User Management Access: Select the checkbox to allow VMware Support to assist with user management, which includes creating users, resetting passwords, and configuring other settings. In this case, Support has access to user identifiable information.
Both support access options are on by default; review them against the customer's third-party access requirements before you create the customer.
Street Address, City, State, Country, ZIP/Postcode: Enter the relevant address details in the respective fields.
First Name, Last Name, Phone, Mobile Phone: Enter the name and phone details in the appropriate fields.
Contact Email: Enter the Email address. Alerts on service status are sent to this Email address.
Customer Configuration
As a Partner Super User, you can manage the software images assigned to a Partner Customer directly by selecting the relevant image from the Software Images drop-down list.
You can allow a Partner Customer's Super User to manage the available list of software images for the customer by enabling Manage Software Image.
Manage Software Image: Select the checkbox if you want to allow a Partner Customer's Super User to manage the software images available for the customer. After adding the images, you can modify the assigned list of software images for the enterprise by clicking Modify under Software Images.
Service Configuration
You can choose the services that the customer can access along with the roles and permissions available for the selected service.
Note If this section is not available for you, contact your Operator.
- SD-WAN: The customer can access the SD-WAN services. When you select this service, the following option is available:
  Edge Licensing: Click Add and, in the Select Edge Licenses pop-up window, select and assign the Edge licenses from the available list for the Partner Customer.
- Edge Network Intelligence: You can select this option only when SD-WAN is selected. When you select this service, the Edge Network Intelligence Configuration is available. Enter the maximum number of Edges that can be provisioned as Analytics Edges in the Nodes field. By default, Unlimited is selected.
  Note This option is available only when the Analytics feature is enabled on your SD-WAN Orchestrator.
- Cloud Web Security: You can select this service only when a SASE PoP Gateway Pool is selected. Cloud Web Security is a cloud-hosted service that protects users and infrastructure accessing SaaS and Internet applications. For more information, see the VMware Cloud Web Security Configuration Guide.
- Secure Access: You can select this service only when a SASE PoP Gateway Pool is selected. The Secure Access solution combines the VMware SD-WAN and Workspace ONE services to provide consistent, optimal, and secure cloud application access through a network of worldwide managed service nodes. For more information, see the VMware Secure Access Configuration Guide.
- Global Settings: By default, Global Settings is selected. This service configuration provides privileges for user management and settings that are shared across all services. You can choose the services that the customer can access along with the Global Settings (roles and permissions).
Gateway Pool: Select an existing Gateway pool from the drop-down list. For more information on Gateway pools, see Manage Gateway Pools.
Click Create.
The new customer name is displayed in the Customers page. You can click the customer name to navigate to the Enterprise portal and add configurations to the customer. For more information, see Configure Customers and the Enterprise Administration section of the VMware SD-WAN Administration Guide available at https://docs.vmware.com/en/VMware-SD-WAN/index.html.
Clone a Partner Customer
Only Partner Super Users and Partner Standard Admins can clone a Partner customer.
By default, the following configurations are cloned from the selected customer:
- DNS services
- Network Segments
- Authentication services
1 In the Customers page, select the customer you want to clone, and then click Actions > Clone Customer.
2 In the New Customer window, enter the following details. You can also choose the New Customer option to create a new customer without cloning the configurations from the selected customer. See Create New Partner Customer.
Additional Clone Attributes: In addition to the default cloned configurations, you can select the following settings to be cloned, as required:
- Security Policy
- Alert Configuration
- Global Routing Preferences
- IAAS Subscriptions
4 Enter the Customer Information and Initial Admin Account details, as described in Create
New Partner Customer.
5 In the Customer Configuration section, the Software Image details are cloned from the
selected customer. If needed, you can modify the cloned configuration settings.
6 In the Service Configuration section, the configurations are cloned from the selected
customer. You can modify the parameters as required.
7 Click Create.
The new customer name is displayed in the Customers page. The customer is already
configured with the cloned settings. You can click the customer name to navigate to the
Enterprise portal and add or modify the configurations. For more information about customer
configurations and settings, see VMware SD-WAN Administration Guide available at VMware
SD-WAN Documentation.
Activate Analytics for a New Customer
To activate Analytics for a new customer, see Create New Partner Customer.
Prerequisites
For configuring the system properties, contact your Operator Super User.
Results
The new customer's name is displayed in the Customers screen. You can click the customer name to navigate to the Enterprise portal and add or modify Analytics configurations for the customer.
Activate Analytics for an Existing Customer
Prerequisites
Ensure that your Operator has set up the required system properties to activate Analytics.
Results
Analytics is activated for the selected customer. You can click the customer name to navigate to the Enterprise portal and add or modify Analytics configurations for the customer.
Activate Self-Healing for a New Customer
To activate Self-Healing at the Customer level, ensure you have the following prerequisites:
- The VMware Edge Network Intelligence (Analytics) service is activated on the VMware SD-WAN Orchestrator. For more information on how to activate the ENI service on the SD-WAN Orchestrator, contact your Operator Super User.
- The SD-WAN Orchestrator must be on 5.0.1.0 and the SD-WAN Edges must be running at least 4.3.1 code. You can review the software image installed on each Edge by navigating to Configure > Edges. The table on the Edges page has a column that displays the software version of each Edge per customer.
When creating a new SD-WAN Partner customer, the VMware SD-WAN Orchestrator allows Partner Super Users and Partner Standard Admins to activate the Self-Healing functionality for the customer.
2 Navigate to Customers & Partners > Manage Customers, and then click New Customer.
3 Enter all the mandatory Customer information and Administrative account details and click
Next.
4 Under Services > Secure Access, select the SD-WAN and Edge Network Intelligence (ENI)
services that the Customer can access along with the roles and permissions available for the
selected service.
5 Under the Edge Network Intelligence service section, select the Self Healing checkbox to
allow ENI to provide remediation recommendations to improve application performance.
By default, the Self-Healing feature is not activated for a customer. For more information,
see the Self-Healing Overview section in the VMware Edge Network Intelligence User Guide
published at https://docs.vmware.com/en/VMware-Edge-Network-Intelligence/index.html.
Note You can activate this service only when SD-WAN service is turned on.
Note This option is available only when the Analytics feature is enabled on your SD-WAN
Orchestrator. For more information, see the “Enable VMware Edge Network Intelligence
on a VMware SD-WAN Orchestrator” section in the VMware Edge Network Intelligence
Configuration Guide available at VMware SD-WAN Documentation.
6 Click Add Customer. The new Customer name is displayed on the Customers page. You can
click the Customer name to navigate to the Customer portal and configure Customer settings.
Once the Self-Healing feature is activated for a customer, VMware Edge Network Intelligence
(ENI) monitors and tracks the VMware SD-WAN network for systemic and application
performance issues across Edges provisioned under that customer. ENI then gathers data
regarding Self-Healing actions and triggers remediation recommendations to the users on the
SD-WAN side directly through the incident alert email.
Note Currently, only Manual remediation is supported by ENI. Automatic remediation support is
planned in future releases.
Activate Self-Healing for an Existing Customer
Ensure you have the following prerequisites:
- The VMware Edge Network Intelligence (Analytics) service is activated on the VMware SD-WAN Orchestrator. For more information on how to activate the ENI service on the SD-WAN Orchestrator, contact your Operator Super User.
- The SD-WAN Orchestrator must be on 5.0.1.0 and the SD-WAN Edges must be running at least 4.3.1 code. You can review the software image installed on each Edge by navigating to Configure > Edges. The table on the Edges page has a column that displays the software version of each Edge per customer.
To activate Self-Healing for an existing Partner customer, perform the following steps:
2 In the Partner portal, select a customer, and from the top header, click SD-WAN > Global Settings.
4 In the Edge Network Intelligence service section, click the Turn On button to activate the ENI
service.
Note You can activate this service only when SD-WAN service is turned on.
5 Click the Configure button. The Edge Network Intelligence Configuration pop-up window
appears.
6 Select the Self Healing checkbox to allow ENI to provide remediation recommendations to
improve application performance. By default, the Self-Healing feature is not activated for
the customer. For more information, see the Self-Healing Overview section in the VMware
Edge Network Intelligence User Guide published at https://docs.vmware.com/en/VMware-
Edge-Network-Intelligence/index.html.
Once the Self-Healing feature is activated for an existing customer, VMware Edge Network
Intelligence (ENI) monitors and tracks the VMware SD-WAN network for systemic and application
performance issues across Edges provisioned under that customer. ENI then gathers data
regarding Self-Healing actions and triggers remediation recommendations to the users on the
SD-WAN side directly through the incident alert email.
Note Currently, only Manual remediation is supported by ENI. Automatic remediation support is
planned in future releases.
Configure Customers
After creating a customer, configure the feature options and settings that the customer can access. As a Partner Super User, you can choose the settings the Partner customer can modify.
When you create a new customer, you are redirected to the Customer Configuration page, where you can configure the customer settings.
You can also navigate to the Configuration page from the Manage Customers page in the Partner portal. Select the customer and click Actions > Modify or click the link to the customer.
In the customer or Enterprise portal, click Configure > Customer, and you can configure the following settings.
Customer Capabilities
Only an Operator can activate or deactivate the capabilities. You can view the status of the following capabilities. If you want to activate or deactivate any of the capabilities, contact your Operator.
- Enable Segmentation
- CoS Mapping
Security Policy
When creating Edge-to-Edge IPsec tunnels, you can modify the security policy configuration settings at the Customer Configuration level.
- Hash: By default, no separate authentication algorithm is configured for the VPN header, because the default AES-GCM mode authenticates the packet itself. When you select the Turn off GCM checkbox (CBC mode), select one of the following as the authentication algorithm for the VPN header from the drop-down list:
  - SHA 1
  - SHA 256
  - SHA 384
  - SHA 512
- Encryption: AES 128-Galois/Counter Mode (GCM), AES 256-GCM, AES 128-Cipher Block Chaining (CBC) and AES 256-CBC are the encryption modes used to provide confidentiality. Select either AES 128 or AES 256 as the AES key size used to encrypt data. The default encryption mode is AES 128-GCM when the Turn off GCM checkbox is not selected.
- DH Group: Select the Diffie-Hellman (DH) group used for the IKE key exchange. The group number determines the size of the modulus and therefore the strength of the exchange in bits. The supported DH Groups are 2, 5, 14, 15, and 16. DH Group 14 is recommended.
- PFS: Select the Perfect Forward Secrecy (PFS) level for additional security. With PFS, each IPsec SA rekey performs a fresh DH exchange in the selected group, so compromise of one key does not expose traffic protected by earlier keys. The supported PFS levels are 2, 5, 14, 15, and 16. By default, PFS is deactivated.
- Turn off GCM: By default, AES 128-GCM is enabled. If required, select the checkbox to turn off this mode, which in turn enables AES 128-CBC mode.
- IPsec SA Lifetime: Interval after which Internet Protocol Security (IPsec) rekeying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and the maximum is 480 minutes. The default value is 480 minutes.
- IKE SA Lifetime: Interval after which Internet Key Exchange (IKE) rekeying is initiated for Edges. The minimum IKE lifetime is 10 minutes and the maximum is 1440 minutes. The default value is 1440 minutes.
Note It is recommended not to configure low lifetime values for IPsec (less than 10 minutes) and IKE (less than 30 minutes), as frequent rekeys can cause traffic interruption in some deployments. Low lifetime values should be used only for debugging purposes.
- Secure Default Route Override: Select the checkbox to ensure that traffic from the Edge is routed based on the Network Service configured for the Business Policy rule, even when secure routing (either Static Route or BGP Route) is enabled on the Edge.
Note When you modify the security settings, the changes may interrupt current services. In addition, these settings may reduce overall throughput and increase the time required for VCMP tunnel setup, which may impact branch-to-branch dynamic tunnel setup times and recovery from Edge failure in a cluster.
Service Access
Choose the services the customer can access along with the roles and permissions available for the selected service. See Configure Service Access.
Note If the Edge Network Intelligence service is enabled for a customer, do not select the Self Healing checkbox, as the Self-Healing feature is not completely supported in the 5.0.0 release.
Gateway Pool
The current Gateway pool associated with the selected customer is displayed. If required, you
can choose a different Gateway pool from the available list.
If the Gateways available in the Gateway pool have been assigned with Partner Gateway role,
you can handoff the Gateways to partners. Select the Enable Partner Handoff to configure the
handoff options for the segments and Gateways. For more information, see Configure Partner
Handoff.
Maximum Segments
Displays the maximum number of segments configured by the Operator.
Distributed Cost Calculation
For more information on Distributed Cost Calculation, refer to the Configure Distributed Cost Calculation section in the VMware SD-WAN Operator Guide available at https://docs.vmware.com/en/VMware-SD-WAN/index.html.
Note To enable the Distributed Cost Calculation feature for your customers, contact the support team.
Edge NFV
Displays whether the customers are allowed to deploy third party Virtual Network Functions
(VNF) on service ready Edge platforms.
If you want a Partner Customer to manage Edge software images, enable the Delegate Edge Software Image Management checkbox. Once you enable Delegate Edge Software Image Management and click Save Changes, all the software images assigned to the Partner Customer appear. Click Modify to add or remove a software image for the selected customer.
Note You can remove an assigned image from a Partner Customer only if the image is not a default image and is not currently used by any Edges within the Partner Customer.
For more information, see the Edge Software Image Management section in the VMware SD-WAN Administration Guide available at https://docs.vmware.com/en/VMware-SD-WAN/index.html.
Other Settings
This option is available only when you have the User Agreement feature activated by your
Operator. For the selected customer, you can change the user agreement default settings using
the following options:
n User Agreement Display - Select the relevant option from the list to override the default
display settings of the User Agreement. By default, the customer inherits the display mode
set in the System Properties.
n User Agreement - Select the user agreement from the list that you want to display for the
customer. By default, the customer inherits the default user agreement.
Configure Service Access
Procedure
2 Select a customer and click Actions > Modify or click the link to the customer.
4 In the Customer Configuration page, the Service Access section displays the existing services configured for the selected customer. If required, you can modify the settings.
- SD-WAN: The customer can access the SD-WAN services. When you select this service, the following option is available:
  Default Edge Authentication: Choose the default option for authenticating the Edges associated with the customer from the drop-down list.
  - Certificate Deactivated: The Edge uses a pre-shared key mode of authentication.
  - Certificate Acquire: This option is selected by default and instructs the Edge to acquire a certificate from the certificate authority of the SD-WAN Orchestrator, by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the SD-WAN Orchestrator and for establishment of VCMP tunnels. Keep this default unless a deployment specifically requires pre-shared keys: the private key is generated on the Edge and never leaves it, and each Edge receives its own certificate.
- Edge Network Intelligence: You can select this option only when SD-WAN is selected. When you select this service, the Edge Network Intelligence Configuration is available. Enter the maximum number of Edges that can be provisioned as Analytics Edges in the Nodes field. By default, Unlimited is selected.
  Note This option is available only when the Analytics feature is activated on your SD-WAN Orchestrator.
  If the Edge Network Intelligence service is enabled for a customer, you can activate the Self-Healing capability at the Customer level by selecting the Self Healing checkbox. For more information, see the Self-Healing Overview section in the VMware Edge Network Intelligence User Guide published at https://docs.vmware.com/en/VMware-Edge-Network-Intelligence/index.html.
- Cloud Web Security: You can select this service only when a SASE PoP Gateway Pool is selected. Cloud Web Security is a cloud-hosted service that protects users and infrastructure accessing SaaS and Internet applications. For more information, see the VMware Cloud Web Security Configuration Guide.
- Secure Access: You can select this service only when a SASE PoP Gateway Pool is selected. The Secure Access solution combines the VMware SD-WAN and Workspace ONE services to provide consistent, optimal, and secure cloud application access through a network of worldwide managed service nodes. For more information, see the VMware Secure Access Configuration Guide.
- Global Settings: By default, Global Settings is selected. This service configuration provides privileges for user management and settings that are shared across all services. You can choose the services that the customer can access along with the Global Settings (roles and permissions).
In the General Configuration, enter the domain name to be used to activate Single Sign-On
(SSO) Authentication for the Orchestrator. This is also required to activate Edge Network
Intelligence for the customer.
Configure Partner Handoff
Ensure that the Gateway to be handed off is assigned the Partner Gateway role. In the Partner portal, click Gateways and click the link to an existing Gateway. In the Properties section of the selected Gateway, you can enable the Partner Gateway role.
n Select the customer and click Actions > Modify or click the link to the customer.
n In the Customer Configuration, navigate to the Gateway Pool section and select the Enable
Partner Handoff checkbox.
n The Community mapping is set to all the segments by default. If you want to configure the
Community attributes for a specific segment, choose Per Segment, and select the Segment
from the drop-down list.
VMware, Inc. 38
VMware SD-WAN Partner Guide
n Select Community Additive checkbox to enable the additive option associated with a
particular auto community configuration. This option preserves the incoming community
attributes for a prefix received from the overlay and appends the configured auto community
to the prefix, on the Partner Gateway. As a result, the MPLS PE side receives prefixes with all
the community attributes including the auto community attributes.
n Enter the Community attributes in the Community and Community 2 fields. Click the Plus(+)
Icon to add more community attributes.
n By default, the handoff configuration is applied to all the Segments. If you want to configure a
specific Segment, select the Segment from the drop-down list.
n For configuring all the Gateways, click the Edit option. If you have selected a particular
Gateway, click the Click here to configure link.
The Hand Off Details window appears, in which you can configure the options shown in the image
below. See the table below for a description of the Hand Off Details options.
Option Description
Tag Type Choose the tag type which is the encapsulation in which
the Gateway hands off customer traffic to the Router. The
following are the types of tags available:
n None – Untagged. Choose this during single tenant
handoff or a handoff towards a shared services VRF.
n 802.1q – Single VLAN tag.
n 802.1ad / QinQ(0x8100) / QinQ(0x9100) – Dual
VLAN tag.
Transport LAN VLAN This option is available only when you choose the tag
type as 802.1ad / QinQ(0x8100) / QinQ(0x9100). Choose
the type of tag to configure the transport VLANs.
Local IP Address Enter the Local IP address for the logical Handoff
interface.
Use for Private Tunnels Select the checkbox so that private WAN links connect
to the private IP address of the Partner Gateway. If
private WAN connectivity is enabled on a Gateway, the
Orchestrator audits to ensure that the local IP address is
unique for each Gateway within an enterprise.
Advertise via BGP Select the checkbox to automatically advertise the private
WAN IP of the Partner Gateway through BGP. The
connectivity is provided using the existing Local IP
address.
Subnets Enter the IP address of the Static Route Subnet that the
Gateway should advertise to the Edge.
BFD
Enable BFD Select the checkbox to enable BFD subscription for BGP
neighbors and to configure the BFD settings.
Peer Address Enter the IP address of the remote peer to initiate a BFD
session.
Local Address Enter a locally configured IP address for the peer listener.
This address is used to send the packets.
BGP
Enable BGP Select the checkbox to enable BGP and set up the BGP
configuration.
Secure BGP Routes Select the checkbox to enable encryption for data forwarding over BGP routes.
BGP Inbound/Outbound Filters – Click the plus(+) Icon to add more Filters.
Exact Match Select the checkbox for matching the attributes exactly.
Set You can set the values of the attributes for the routes
matching the filter criteria.
Choose from the following attributes, and enter the
corresponding values to be set for the matching routes:
n None – The attributes of the matching routes remain
the same.
n Local Preference
n Community – You can also enable the Community
Additive option.
n Metric
n AS-Path-Prepend
Route Summarization
Note Route Summarization is a feature that helps to keep overall routing manageable. This feature is available in the
5.1 release in the Classic Orchestrator UI only.
Keep Alive Enter the BGP Keep Alive time in seconds. The default
timer is 60 seconds.
Hold Timers Enter the BGP Hold time in seconds. The default timer is
180 seconds.
Turn off AS-PATH Carry Over Select the checkbox to turn off AS-PATH carry over,
which influences the outbound AS-PATH to make the L3
routers prefer a path towards a PE. If you select this
option, ensure that you tune your network to avoid routing
loops. It is recommended not to select this checkbox.
Click Update to save the settings. In addition, click Save Changes in the Customer Configuration
page to activate the settings.
When you create a new Customer, you are redirected to the Customer Configuration page,
where you can configure the Customer settings. You can also navigate to the Configuration page
by following the below steps:
Procedure
1 In the Partner portal, select a Partner Customer, and from the top header, click SD-WAN >
Global Settings.
2 From the left menu, click Customer Configuration. The following page is displayed:
n SD-WAN
n Secure Access
Click the Turn On button to activate each service. Click the vertical ellipsis present at the
top right corner of each tile to turn off or configure that service. You can also use the
Configure option present at the bottom right corner of each tile to configure the respective
service. Each tile displays the configuration summary.
Note When you select Turn off option, a pop-up window appears asking for your
confirmation. Select the check box and click Turn Off Service.
a SD-WAN: Clicking the Configure option displays the following pop-up window. Configure
the settings, and then click Update.
Option Description
Domain Enter the domain name to be used to activate Single Sign On (SSO) authentication for
the Orchestrator. This is also required to activate Edge Network Intelligence for the
Customer.
Default Edge Authentication Choose the default option to authenticate the Edges associated to the
Customer, from the drop-down menu.
n Certificate Deactivated: Edge uses a pre-shared key mode of authentication.
n Certificate Acquire: This option is selected by default and instructs the Edge to
acquire a certificate from the certificate authority of the SD-WAN Orchestrator, by
generating a key pair and sending a certificate signing request to the Orchestrator.
Once acquired, the Edge uses the certificate for authentication to the SD-WAN
Orchestrator and for establishment of VCMP tunnels.
Note After acquiring the certificate, the option can be updated to Certificate
Required.
n Certificate Required: Edge uses the PKI certificate. You can change the
certificate renewal time window for Edges using the system property
edge.certificate.renewal.window.
Edge Licensing The existing Edge Licenses are displayed. Click Add to add or remove the licenses.
Note The license types can be used on multiple Edges. It is recommended to provide
your Customers with access to all types of licenses to match their edition and region.
For more information, see Edge Licensing with New Orchestrator UI.
Allow Customer to Manage Software Select the check box if you want to allow an Enterprise Super
User to manage the software images available for the Enterprise.
Operator Profile Select an Operator profile to be associated with the Customer from the available
drop-down menu. This field is not available if Allow Customer to Manage Software is
selected. For more information on Operator profiles, see the "Manage Operator Profiles
with New Orchestrator UI" section in the VMware SD-WAN Operator Guide available at
VMware SD-WAN Documentation.
Maximum Number of Segments Enter the maximum number of segments that can be configured. The
valid range is 1 to 16. The default value is 16.
b Edge Network Intelligence: Clicking the Configure option displays the following pop-up
window. Configure the settings, and then click Update.
Note You can select this option only when SD-WAN service is turned on.
Option Description
Domain Enter the domain name to be used to activate Single Sign On (SSO) authentication for the
Orchestrator. This is also required to activate Edge Network Intelligence for the Customer.
Analytics Nodes Enter the maximum number of Edges that can be provisioned as Analytics Nodes. By
default, Unlimited is selected.
Feature Access Select the Self Healing check box to allow the Edge Network Intelligence to provide
recommendations to improve performance.
c Cloud Web Security: This service is available only when you select a Gateway Pool with
an activated Cloud Web Security role. Cloud Web Security is a cloud hosted service
that protects users and infrastructure accessing SaaS and Internet applications. For
more information, see the VMware Cloud Web Security Configuration Guide. Clicking the
Configure option displays the following pop-up window:
Select the required edition, and then click Update. Standard Edition includes URL filtering,
SSL inspection, Anti-virus, Authentication, Basic Sandbox, and Inline CASB Visibility. Advanced
Edition includes URL filtering, SSL inspection, Anti-virus, Authentication, Basic Sandbox,
Inline CASB Visibility and Controls, and Inline DLP Visibility and Controls.
d Secure Access: This service is available only when you select a Gateway Pool with an
activated Cloud Web Security role. Secure Access solution combines the VMware SD-
WAN and Workspace ONE services to provide a consistent, optimal, and secure cloud
application access through a network of worldwide managed service nodes. For more
information, see the VMware Secure Access Configuration Guide. Clicking the Configure
option displays the following pop-up window:
3 Following are the additional configuration settings available on the Customer Configuration
page:
Option Description
Global
User Agreement Display Select either of the following from the drop-down
menu:
n Inherit
n Override to Hide
n Override to Show
Note
Feature Access Select the check box to allow the Customer to access
the selected feature.
Delegate Management To Customer Select the check box to allow the Customer to modify
the settings of the selected property.
Gateway Pool
Current Gateway Pool Select the Gateway pool from the drop-down menu.
Gateways in this Pool Displays the Gateway details in the current pool.
Partner Hand Off Activating this option displays the Configure Hand Off
section. For details, see Configure Hand Off.
Security Policy
Turn off GCM Select this check box to activate Hash and select an
authentication algorithm for the VPN header.
IPSec SA Lifetime Time(min) Time when Internet Protocol Security (IPsec) rekeying
is initiated for Edges. The minimum IPsec lifetime is 3
minutes and the maximum IPsec lifetime is 480 minutes.
The default value is 480 minutes.
Secure Default Route Override Select the check box so that the destination of traffic
matching a secure default route (either Static Route or
BGP Route) from a Partner Gateway can be overridden
using Business Policy.
Edge NFV Select this option to activate the ability to deploy VNFs
on Edges. After deploying one or more VNFs on Edges,
you cannot deactivate this option.
SD-WAN Settings
Multiple-DSCP tags per Flow Path Calculation Select the check box to include the DSCP value as part
of flow look-up.
Feature Access Select the Stateful Firewall check box to override the
Stateful Firewall settings activated on the Enterprise
Edge.
Note When you modify the Security Policy settings, the changes may cause interruptions to
the current services. In addition, these settings may reduce overall throughput and increase
the time required for VCMP tunnel setup, which may impact branch to branch dynamic tunnel
setup times and recovery from Edge failure in a cluster.
Procedure
Option Description
Hand Off Interface This section displays the values that are configured on
the Configure BGP and BFD page.
Customer BGP Priority Select the check box and configure the Community
Mapping details.
2 Click Configure BGP and BFD link, located at the bottom of the Per Customer Hand Off -
Global Segment section, to display the following page:
Option Description
Hand Off Interface: You can configure the following settings for IPv4 and IPv6.
Local IP Address Enter the Local IP address for the logical Handoff
interface.
Use for Private Tunnels Select the check box so that private WAN links
connect to the private IP address of the Partner
Gateway. If private WAN connectivity is activated on
a Gateway, the Orchestrator audits to ensure that the
local IP address is unique for each Gateway within an
Enterprise.
Advertise Local IP Address via BGP Select the check box to automatically advertise the
private WAN IP of the Partner Gateway through BGP.
The connectivity is provided using the existing Local IP
address.
Subnets Enter the IP address of the Static Route Subnet that the
Gateway should advertise to the Edge.
Description Enter a descriptive text for the static route. This field is
optional.
Secure BGP Routes Select the check box to allow encryption for data forwarding over BGP routes.
Keep Alive Enter the BGP Keep Alive time in seconds. The default
timer is 60 seconds.
Hold Timers Enter the BGP Hold time in seconds. The default timer is
180 seconds.
Turn off AS-PATH Carry Over Select the check box to turn off AS-PATH carry over,
which influences the outbound AS-PATH to make the
L3 routers prefer a path towards a PE. If you select this
option, ensure that you tune your network to avoid routing
loops. It is recommended not to select this check box.
Procedure
1 In the Partner portal, go to Customers & Partners > Manage Partner Customers.
Note You can also navigate to this page from the Operator portal, by clicking the link under
the Partner column of a corresponding Customer. However, a Partner user does not have the
same privileges as that of an Operator.
Option Description
New Customer Click this option to add a new Customer. For more
information, see Create New Partner Customer with
New Orchestrator UI.
For more information, see the Bastion Orchestrator Configuration Guide available at
https://docs.vmware.com/en/VMware-SD-WAN/index.html.
Option Description
Assign Software/Firmware Image Click this option, and then select a Software/Firmware
image from the drop-down menu to be added to all the
selected Enterprises.
Update Edge Image Management Activates or deactivates the Edge Image Management
feature for the selected customers.
Update Operator Alerts Activates or deactivates the Operator alerts for the
selected Customers.
Update Customer Alerts Activates or deactivates the Customer alerts for the
selected Customers.
Export All Customers Exports the details of all the Customers in the Operator
portal to a CSV file. The default separator used is
comma (,) and you can choose to replace the separator
with any other special character.
Export Customers Edge Inventory Exports the inventory details of all the Edges
associated with all the Customers to a CSV file. The
default separator used is a comma (,).
4 Following are the other options available in the Manage Customers area:
Option Description
Columns Click this option and select the checkboxes to view the required columns.
Procedure
1 In the Partner portal, navigate to Customers & Partners > Manage Partner Customers, and
then click New Customer.
a Customer Information:
Note The Next button is activated only when you enter all the mandatory details.
Option Description
New Partner Support Access Select the checkbox to allow the new Partner to
view, configure, and troubleshoot the Customer's
Edges.
SASE User Management Access Select the checkbox to allow VMware Support
to assist in User Management. User Management
includes options to create users, reset passwords, and
configure other settings. In this case, Support has
access to user identifiable information.
b Administrative Account:
Note The Next button is activated only when you enter all the mandatory details.
Option Description
Contact Email Enter the email address. The alerts on service status
are sent to this email address.
c Services:
Option Description
Allow Customer to Manage Software Select the checkbox if you want to allow an
Enterprise Super User to manage the software
images available for the Enterprise. Once selected,
the Software Image field is displayed. Click Add
and in the Select Software/Firmware Images pop-up
window, select and assign the software/firmware
images from the available list for the Enterprise. Click
Done to add the selected images to the Software
Image list.
Service Access: This option is available above the global settings. You can choose the
services that the Customer can access along with the roles and permissions available for
the selected service.
n SD-WAN - When you select this service, the following options are available:
Option Description
Edge Licensing Click Add and in the Select Edge Licenses pop-up
window, select and assign the Edge licenses from
the available list for the Enterprise.
n Edge Network Intelligence: You can select this service only when SD-WAN is
selected. When you select this service, the following options are available:
Option Description
Note This option is available only when the Analytics feature is activated on your
SD-WAN Orchestrator. Use the following settings:
service.analytics.apiToken
service.analytics.analyticsEndpointDynamicIP
service.analytics.analyticsEndpointStaticIP
service.analytics.apiUrl
service.analytics.configEndpoint
n Cloud Web Security: You can select this service only when you select a Gateway
Pool with an activated Cloud Web Security role. Cloud Web Security is a
cloud hosted service that protects users and infrastructure accessing SaaS and
Internet applications. For more information, see the VMware Cloud Web Security
Configuration Guide.
n Secure Access: You can select this service only when you select a Gateway Pool with
an activated Cloud Web Security role. Secure Access solution combines the VMware
SD-WAN and Workspace ONE services to provide a consistent, optimal, and secure
cloud application access through a network of worldwide managed service nodes. For
more information, see the VMware Secure Access Configuration Guide.
2 Select the Add another Customer checkbox, or directly click Add Customer.
The new Customer name is displayed on the Customers page. You can click the Customer
name to navigate to the Enterprise portal and add configurations to the Customer. For more
information, see Configure Partner Customers with New Orchestrator UI.
Monitor Events
8
The Partner super user and Partner admin user can view the partner events.
The page displays the recent events. You can click the link to the events to view more details.
To view the older events, you can click the drop-down menu at the top of the page and choose
the duration from the list. Alternatively, you can also enter the start and end dates at the top of
the page to set a custom duration.
Note The Events Page displays a maximum of 2048 Events. To view specific Events, you can
use the Filter option.
Once you choose or set up the duration, the page displays the events triggered during the
selected period.
n Search – Enter a term to search for a specific detail. Click the drop-down arrow to filter the
view by specific criteria. In the Filter, click the field next to Events to view the list of Partner
Events available and to filter by specific Events.
n Cols – Click and select the columns to be shown or hidden in the view.
n Refresh – Click to refresh the details displayed with the most current data.
You can also view the Partner events using the new Orchestrator UI.
n In the Partner portal, click Administration > Partner Events to view the events.
At the top of the page, you can choose a specific time period to view the details of events for the
selected duration.
In the Search field, enter a term to search for specific details. Click the Filter Icon to filter the view
by specific criteria. In the Filter, choose Event and click the drop-down arrow next to the field
to view the list of Partner Events available and to filter by specific Events.
Click the CSV option to download a report of the events in CSV format.
Manage Partner Admin Users
9
The Admins page displays the existing partner admin users. A Partner Super User can create
new partner admin users with different role privileges and configure API tokens for each partner
admin.
n New Admin: Creates new partner admin users. See Create New Partner Admin.
n Modify Admin: Modifies the properties of the selected admin user. You can also click the link
to the username to modify the properties. See Configure Partner Admin Users.
n Password Reset: Sends an Email to the selected user with a link to reset the password.
Procedure
1 You can create new admin users by clicking either New Admin, or Actions > New Admin.
a Enter the user details like username, password, Name, Email, and Phone numbers.
c From the Access Level drop-down list, select one of the following options:
n Basic—Allows the user to perform certain basic debug operations such as ping,
tcpdump, pcap, remote diagnostics, and so on. This is the default value.
n Privileged—Grants the user root-level access to perform all basic debug operations
along with Edge actions such as restart, deactivate, reboot, hard reset, and shutdown.
In addition, the user can access the Linux shell.
d Select the user role from the Account Role drop-down list. Once you select a role, the
Network and Security functions of the selected role, along with the description, are
displayed.
3 Click Create.
Results
The partner admin user details are displayed in the Admins page.
In the Partner portal, click Admins. To configure an Admin user, click the link to a username or
select the user and click Actions > Modify Admin.
The existing properties of the selected user are displayed and if required, you can add or modify
the following:
Status – By default, the status is in Enabled state. If you choose Not Enabled, the user is logged
out of all the active sessions.
Type – If you have chosen the Partner authentication mode as Native in Configure Partner
Authentication, then the type of the user is selected as Native. If you have chosen a different
authentication mode, you can choose the type of the user. If you choose the user to be
Non-Native, then you cannot reset the password or modify the user role.
Property – The existing details such as name, email-id, telephone number, and mobile number of
the user are displayed. If needed, you can modify the user details, set a new password, or reset
the existing password.
n To set a new password, you must enter the current password correctly in the Current
Password textbox and the password to be changed in New Password and Confirm Password
textboxes.
n To reset the existing password, click Password Reset. An email is sent to the user with a link
to reset the password.
Edge Access - The SSH UserName and existing Access Level assigned to the user to access the
Edge are displayed. If required, you can choose a different Access Level for the user, however,
you cannot modify the SSH UserName. Ensure that you have Super User role to modify the
Access Level for the user. Choose one of the following options:
n Basic—Allows the user to perform certain basic debug operations such as ping, tcpdump,
pcap, remote diagnostics, and so on.
n Privileged—Grants the user root-level access to perform all basic debug operations along
with Edge actions such as restart, deactivate, reboot, hard reset, and shutdown. In addition,
the user can access the Linux shell.
User Role – The existing type of the user role is displayed. If required, you can choose a different
role for the user. The role privileges change accordingly.
API Tokens
The users can access the Orchestrator APIs using tokens instead of session-based
authentication. As Partner Super User, you can manage the API tokens for your enterprise users.
You can create multiple API tokens for a user.
Any user can create tokens based on the privileges they have been assigned to their user roles,
except the Business Specialist users.
The users can perform the following actions, based on their roles:
n Enterprise users can Create, Download, and Revoke tokens for themselves.
n Partner Super users can manage tokens of Enterprise users, if the Enterprise user has
delegated user permissions to the Partner.
n Partner Super users can only create and revoke the tokens for other users.
n Users can download only their own tokens and cannot download other users' tokens.
n In the API Tokens section, click Actions > New API Token, to create a new token.
n In the New API Token window, enter a Name and Description for the token, and choose the
Lifetime from the drop-down menu.
n Click Create and the new token is displayed in the API Tokens grid.
n Initially, the status of the token is displayed as Pending. To download the token, select
the token, and click Actions > Download API Token. The status changes to Enabled, which
means that the API token can be used for API access.
n To deactivate a token, select the token and click Actions > Revoke API Token. The status of
the token is displayed as Revoked.
n When the Lifetime of the token is over, the status changes to Expired state.
Only the user who is associated with a token can download it and after downloading, the ID of
the token alone is displayed. You can download a token only once.
After downloading the token, the user can send it as part of the Authorization Header of the
request to access the Orchestrator API.
The following example shows a sample snippet of the code to access an API.
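The snippet itself is not reproduced on this page, so the following is an added example (not code from the guide) of how a downloaded token is placed in the Authorization header. It assumes the "Token <value>" header scheme and the /portal/rest/ path of the public Orchestrator API, a placeholder host name, and the enterprise/getEnterprise method as an illustrative call; it also shows the handling a Partner admin would want around a long-lived token: loading it from the environment, refusing plaintext HTTP, and redacting it before logging.

```python
"""Added example: send an Orchestrator API token in the Authorization header.

Assumptions (not taken from the guide): the "Token <value>" header scheme and
the /portal/rest/<method> path follow the public Orchestrator API convention;
the host name below is a placeholder; enterprise/getEnterprise is used only
as an illustrative method name.
"""
import json
import os
import urllib.request

# Placeholder host (assumption); replace with your Orchestrator FQDN.
ORCHESTRATOR_URL = "https://vco.example.invalid"


def load_token(env_var="VCO_API_TOKEN"):
    """Read the downloaded token from the environment, so it is never
    hard-coded into a script that ends up in source control."""
    token = os.environ.get(env_var, "").strip()
    if not token:
        raise RuntimeError(f"{env_var} is not set")
    return token


def build_headers(token):
    """Build the request headers. The token goes in the Authorization header
    using the 'Token' scheme (assumed, see the module docstring)."""
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("token must be a single non-empty value")
    return {
        "Authorization": f"Token {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


def redact_token(token, keep=4):
    """Return a form of the token that is safe to write to a log: everything
    but the last `keep` characters is masked."""
    if len(token) <= keep:
        return "*" * len(token)
    return "*" * (len(token) - keep) + token[-keep:]


def build_request(base_url, method, body, token):
    """Assemble (but do not send) a POST to /portal/rest/<method>.

    A token is a bearer-style credential, so the function refuses to build a
    request to a plaintext http:// URL: the header would otherwise travel
    unencrypted.
    """
    if not base_url.lower().startswith("https://"):
        raise ValueError("API tokens must only be sent over HTTPS")
    url = f"{base_url.rstrip('/')}/portal/rest/{method}"
    data = json.dumps(body).encode("utf-8")
    return urllib.request.Request(
        url, data=data, headers=build_headers(token), method="POST"
    )


def call_orchestrator(base_url, method, body, token, timeout=30):
    """Send the request and return the decoded JSON response."""
    req = build_request(base_url, method, body, token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    api_token = load_token()
    # Log only the redacted form; never the full token.
    print("using token", redact_token(api_token))
    print(call_orchestrator(ORCHESTRATOR_URL, "enterprise/getEnterprise",
                            {}, api_token))
```

Revoking a token in the Admins page (Actions > Revoke API Token) is the counterpart to this client: a script built this way keeps working only while the token status is Enabled.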
After modifying the settings and API Tokens, click Save Changes.
Similarly, you can configure additional properties and create API tokens for Partner Customers.
For more information, see the 'Configure Admin Users' section in the VMware SD-WAN
Administration Guide.
Roles
10
The Orchestrator consists of two types of roles, Functional Roles and Composite Roles. The roles
are categorized as follows:
n Functional Roles
n Composite Roles – The functional roles from different categories can be grouped to form a
composite role. For more information, see Composite Roles.
n Role Customization
Functional Roles
Functional Roles are defined as a set of privileges relevant to a functionality.
A functional role can be tagged to one or more of the following services: Global Settings,
SD-WAN, Secure Access, Cloud Web Security. These are the groups of privileges required by
a user to carry out a certain business process. For example, a Customer Support role in SD-WAN is
a functional role required by an SD-WAN user to carry out various support activities. Every service
defines such roles based on the business functionality that it wants to support. These roles are
categorized as Global Settings, SD-WAN, Secure Access, and Cloud Web Security functional roles.
By default, the Orchestrator provides a number of functional roles, each with a set of role
privileges based on its requirements. If required, you can customize the role privileges of the
functional roles. For more information, see Role Customization.
Composite Roles
Composite roles are a group of functional roles combined from different functional categories.
Composite Role | SD-WAN | Cloud Web Security | Secure Access | Global Settings
Partner Standard Admin | SD-WAN Partner Admin | Cloud Web Security Partner Admin | Secure Access Partner Admin | Global Settings Partner Admin
Partner Security Admin | SD-WAN Security Partner Admin | Cloud Web Security Partner Admin | Secure Access Partner Admin | Global Settings Partner Admin
Partner Network Admin | SD-WAN Partner Admin | Cloud Web Security Partner Read Only | Secure Access Partner Read Only | Global Settings Partner Admin
Partner Superuser | Full Access | Full Access | Full Access | Full Access
Partner Customer Support | SD-WAN Partner Support | Cloud Web Security Partner Read Only | Secure Access Partner Read Only | Global Settings Partner Support
You can assign the above roles to a user, while creating a new Partner user. See Create New
Partner Admin.
You can also map the composite role while configuring Single Sign on. See Configure Single Sign
On for Partner User.
To view the existing composite roles along with the description for your Enterprises, see Manage
Composite Roles.
To create a custom composite role for your Enterprises, see Create New Composite Roles.
You can also customize the role privileges of the functional roles. For more information, see Role
Customization.
n Once you log into the Orchestrator portal as an Operator user, the existing list of customers
is displayed in the Customers page. Click the link to a Customer to navigate to the Enterprise
portal.
n The Roles window opens showing the list of existing roles for the selected Enterprise.
Note You can add, edit, or view the Composite roles only for an Enterprise user.
n Add Role - Creates a new custom role. See Create New Composite Roles.
n Edit Role - Allows you to edit only the Custom roles. You cannot edit the default roles.
Also, you cannot edit or view the settings of a Super user.
n Clone Role – Creates a new custom role, by cloning the existing settings from the
selected role. You cannot clone the settings of a Super user.
n Delete Role – Deletes the selected role. You can delete only custom composite roles.
If the role is associated with any user, ensure that you have removed all the users
associated with the selected role, before deleting the role.
n Download CSV – Downloads the details of the user roles into a file in CSV format.
n In addition, you can click the Open icon ">>" before the Role link to view more details about
the Composite role.
Procedure
The User Management page appears showing the list of existing roles for the selected
Enterprise.
3 In the Role Creation page that appears, enter the details for the new custom role as follows:
Note The Custom Role Creation section displays only functional roles for which the
customer has licenses.
Option Description
Global Settings & Administration These functional roles provide privileges to user
management and global settings that are shared across
all services. You must choose a Global
Settings & Administration functional role to create a
Composite role. By default, the Global Settings Enterprise
Read Only role is selected.
Cloud Web Security These functional roles give a user different levels of
privileges around Cloud Web Security features. You can
optionally choose a Cloud Web Security functional role.
The default value is No Privileges.
Secure Access These functional roles give a user different levels
of privileges around Secure Access features. You can
optionally choose a Secure Access functional role. The
default value is No Privileges.
4 Click Save.
Results
The new custom role appears in the User Management > Roles page. Click the link to the custom
role to view the settings. You can click Edit Role to modify the settings.
Role Customization
SD-WAN Orchestrator consists of roles with different sets of privileges. As a Partner Super user, you can assign a pre-defined role to other Partner users and your Enterprise users. Role Customization allows you to customize the existing set of privileges for the Functional roles. You can customize only the Functional roles and not the Composite roles. When you customize a Functional role, the changes impact every Composite role that includes the customized Functional role. For more information, see Functional Roles.
- The customizations done at the Enterprise level override the customizations made at the Partner level.
- Only when there are no customizations done at the Enterprise level are the customizations made by the Partner applied across all the users in the Partner portal.
Only an Operator super user can enable the Role Customization for a Partner super user. If the
Role Customization option is not available for you, contact your Operator.
- Show Current Privileges – Displays the current Functional role privileges. You can view the privileges of all the Functional roles and download them in CSV format. For an Enterprise, it displays the privileges of only the functional roles for which the customer has licenses.
- New Package – Enables you to create a new package with customized role privileges. See Create New Customized Package.
- Reset to System Default – Allows you to reset the current role privileges to the default settings. Only the customized privileges applied to the Functional roles in the Partner portal are reset to the default settings. If your customers have customized their Functional role privileges in the Enterprise portal, those settings remain the same.
- Upload Package – Allows you to upload a customized package. See Upload Customized Package.
- Modify Package – Enables you to edit the customization settings in the selected package. You can also click the link to the package to edit the settings.
- Delete Package – Removes the selected package. You cannot delete a package if it is already in use.
- Apply Package – Applies the customization available in the selected package to the existing Functional roles. This option modifies the role privileges only at the current level. If there are customizations available at the Partner level or a lower level for the same role, then the lower level takes precedence.
You can also click the Download Icon prior to the package name to download the package as a
JSON file.
Note Role customization packages are version dependent, and a package created on an Orchestrator using an earlier software release will not be compatible with an Orchestrator using a later release. For example, a role customization package created on an Orchestrator running Release 3.4.x does not work properly when the Orchestrator is upgraded to a 4.x.x Release. In such cases, the user must review and recreate the role customization package for the newer release to ensure proper enforcement of all roles.
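The rules of this section (packages can only take privileges away, Enterprise-level customizations override Partner-level ones, Composite roles inherit their Functional roles, and packages from an earlier release are rejected on a later Orchestrator), worked through as an added Python model. This is example code, not code from the guide or the product: the role names and privilege names come from this guide, but which role holds which privilege by default, which privileges count as customizable, and the package contents are constructed for the example.

```python
"""Role customization rules from this section, modelled in code.

A Functional role starts from its system-default privilege set.  A package can
only add Deny privileges (never grant new ones) and only for privileges marked
customizable.  A package created on an earlier release is not compatible with a
later Orchestrator release.  An Enterprise-level customization of a role
overrides the Partner-level one; a Composite role is the union of its
Functional roles.  Role/privilege assignments and packages are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Privilege names are from the privilege table in this guide; which role holds
# which privilege by default is constructed for the example.
SYSTEM_DEFAULTS: Dict[str, Set[str]] = {
    "Global Settings MSP Admin": {
        "Read Partner Authentication", "Update Partner Authentication",
        "Update Partner Token", "Delete Partner Token",
    },
    "SD-WAN MSP Admin": {
        "Read Gateway", "Update Gateway", "Delete Gateway", "Delete Customer",
    },
}

# Constructed subset of privileges whose Customizable column would read Yes.
CUSTOMIZABLE: Set[str] = {
    "Update Partner Authentication", "Delete Partner Token",
    "Update Gateway", "Delete Gateway", "Delete Customer",
}


@dataclass
class Package:
    """Release the package was created on, and Deny privileges per Functional role."""
    release: str
    denies: Dict[str, Set[str]] = field(default_factory=dict)


def _version(release: str) -> tuple:
    return tuple(int(p) for p in release.split("."))


def validate_package(pkg: Package, orchestrator_release: str) -> List[str]:
    """Return the rule violations found; an empty list means the package may be applied."""
    problems: List[str] = []
    if _version(pkg.release) < _version(orchestrator_release):
        problems.append(f"package from release {pkg.release} is older than "
                        f"Orchestrator release {orchestrator_release}; recreate it")
    for role, denied in pkg.denies.items():
        if role not in SYSTEM_DEFAULTS:
            problems.append(f"unknown Functional role {role!r}")
            continue
        # The editor cannot grant: a name outside the role's defaults is an error.
        for priv in sorted(denied - SYSTEM_DEFAULTS[role]):
            problems.append(f"{role}: {priv!r} is not a default privilege of the role")
        for priv in sorted((denied & SYSTEM_DEFAULTS[role]) - CUSTOMIZABLE):
            problems.append(f"{role}: {priv!r} is not customizable")
    return problems


def effective_privileges(role: str, partner_pkg: Optional[Package],
                         enterprise_pkg: Optional[Package]) -> Set[str]:
    """Privileges a Functional role ends up with after customization.

    If the Enterprise has customized the role, its package wins and the
    Partner package is not consulted for that role.
    """
    defaults = set(SYSTEM_DEFAULTS[role])
    for pkg in (enterprise_pkg, partner_pkg):        # higher precedence first
        if pkg is not None and role in pkg.denies:
            return defaults - pkg.denies[role]
    return defaults


def composite_privileges(functional_roles: List[str], partner_pkg: Optional[Package],
                         enterprise_pkg: Optional[Package]) -> Set[str]:
    """A Composite role inherits every customization of its Functional roles."""
    result: Set[str] = set()
    for role in functional_roles:
        result |= effective_privileges(role, partner_pkg, enterprise_pkg)
    return result


# Constructed packages: the Partner denies one privilege in each role; the
# Enterprise customizes only the SD-WAN role and so overrides the Partner there.
PARTNER_PKG = Package("5.1.0", {
    "SD-WAN MSP Admin": {"Delete Gateway"},
    "Global Settings MSP Admin": {"Delete Partner Token"},
})
ENTERPRISE_PKG = Package("5.1.0", {"SD-WAN MSP Admin": {"Delete Customer"}})
```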
Procedure
b In the Roles pane, select a Functional role and click Remove Privileges to customize the
privileges for the selected role.
Note For an Enterprise, the Roles pane displays the privileges of only functional roles for
which the customer has licenses.
Note You can only add or remove Deny Privileges, that is, take away privileges from the system default. You cannot grant additional privileges to a role using this option.
In the Assign Privileges window, select the features from the Available Deny Privileges
and move them to the Selected Deny Privileges pane.
Note You can assign only Deny privileges to the Functional roles.
Click OK.
4 Repeat assigning privileges to the Functional roles in the Role Customization Package Editor
window.
5 Select the Show Modified checkbox to filter and view the customized privileges. The changes
to the privileges are highlighted in a different color.
6 Click Create. You can click CSV to download the Functional role privileges of the selected role in CSV format.
7 The new package details are displayed in the Role Customization Packages window.
8 To edit the privileges, click the link to the package or select the package and click Actions
> Modify Package. In the Role Customization Package Editor window that opens, add or
remove Deny Privileges to the Functional roles in the package and click OK.
What to do next
Select the customized package and click Actions > Apply Package to apply the customization
available in the selected package to the existing Functional roles across the SD-WAN
Orchestrator.
You can edit the Deny privileges in an applied package whenever required. After modifying the
privileges in the Role Customization Package Editor window, click OK to save and apply the
changes to the Functional roles.
Note You can download the customized Functional role privileges as a JSON file and upload
the customized package to another Orchestrator. For more information, see Upload Customized
Package.
You can download the already customized Functional role privileges as a package and upload
the package to another Orchestrator.
Procedure
2 Click the Download Icon prior to a package name, which downloads the package as a JSON
file.
3 Navigate to the Orchestrator to which you want to upload the customized package.
5 Choose the JSON file you have downloaded, and the package is uploaded automatically.
7 You can view the privileges in the uploaded package and add more Deny privileges. Click
the link to the package or select the package and click Actions > Modify Package. In the
Role Customization Package Editor window that opens, add or remove Deny privileges
to the Functional roles in the package and click OK. For more information on the Role
Customization Package Editor, see Create New Customized Package.
What to do next
Select the customized package and click Actions > Apply Package to apply the customization
available in the selected package to the existing Functional roles across the SD-WAN
Orchestrator.
You can edit Deny privileges in an applied package whenever required. After modifying the
privileges in the Role Customization Package Editor window, click OK to save and apply the
changes to the Functional roles.
To view the events related to Role Customization, you can use the filter option. Click the drop-
down arrow next to the Search option and choose to filter by the Event column. The following
events are available for Role Customization:
The following table lists all the role privileges available in the Partner portal.
- Customizable – Is the role privilege available for customization in the Role Customization window?
- Delete Customer (No / No)
- Manage Customer
- Update Partner Event (No / No)
- Delete Partner Event
- Manage Partner Event
- Update Partner User (No / No)
- Manage Partner User
- Update Partner Token
- Delete Partner Token
- Manage Partner Token
- Read Role Customization Package
- Update Role Customization Package
- Delete Role Customization Package
- Manage Role Customization Package
Partner Settings > General Information > Privacy Settings
- Read Customer Delegation – Grants ability to view and manage the delegation of privileges from the customer to Partners or the Operator (Yes / Yes / Yes)
- Update Customer Delegation (No)
Partner Settings > Authentication
- Create Partner Authentication – Grants ability to view and edit Partner authentication mode and associated configuration (Yes / No / No)
- Read Partner Authentication
- Update Partner Authentication
- Delete Partner Authentication
- Manage Partner Authentication
- Update Partner Token
- Delete Partner Token
- Manage Partner Token
- Update License
- Delete License (No / No)
- Manage License
Gateway Pools, Gateways, Gateway Diagnostic bundles
- Create Gateway – Grants ability to view and manage Gateways, from the Partner or Operator level (Yes / Yes / Yes)
- Read Gateway
- Update Gateway
- Delete Gateway
- Manage Gateway
- Read Partner Delegation
- Update Partner Delegation
- Delete Partner Delegation
- Manage Partner Delegation
11 User Management - Partner
The User Management feature allows you to manage users, their roles, service permissions, and
authentication.
As a Partner, you can access this feature from the Partner portal, by navigating to
Administration > User Management. The following screen is displayed:
The User Management window displays four tabs: Users, Roles, Service Permissions, and
Authentication.
- Users
- Roles
- Service Permissions
- Authentication
Users
As a Partner, you can view the list of existing users and their corresponding details. You can add,
modify, or delete a user. However, you cannot delete a default user.
2 From the left menu, click User Management, and then click the Users tab. The following
screen appears:
- New User – Creates a new user. For more information, see Add New User.
- Download – Click this option to download the details of all the users into a file in CSV format.
4 The following are the other options available in the Users tab:
- Search – Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
- Columns – Click and select the columns to be displayed or hidden on the page.
- Refresh – Click to refresh the page to display the most current data.
Procedure
2 From the left menu, click User Management, and then click the Users tab.
Note The Next button is activated only when you enter all the mandatory details in each
section.
- Role – Select a role that you want to assign to the user. For information on roles, see Roles.
5 Select the Add another user check box if you wish to create another user, and then click Add
User.
The new user appears in the User Management > Users page. Click the link to the user to
view or modify the details. As a Partner Administrator, you can manage the Roles, Service
Permissions, and API Tokens for the Partner users.
Note The Partner Administrator should manually delete inactive Identity Provider (IdP) users from the Orchestrator to prevent unauthorized access via their API Tokens.
Roles
The Orchestrator consists of two types of roles. The roles are categorized as follows:
- Privileges – A privilege is a set of rights relevant to a functionality. A privilege can be tagged to one or more of the following services: SD-WAN, Cloud Web Security, Secure Access, and Global Settings. Privileges are grouped into the set a user requires to carry out a certain business process. For example, a Customer support role in SD-WAN is a privilege required by an SD-WAN user to carry out various support activities. Every service defines such privileges based on its supported business functionality.
- Roles – The privileges from various categories can be grouped to form a role. By default, the following roles are available for a Partner user:
Partner Standard Admin – SD-WAN MSP Admin, Cloud Web Security MSP Admin, Secure Access MSP Admin, Global Settings MSP Admin
Partner Security Admin – SD-WAN Security MSP Admin, Cloud Web Security MSP Admin, Secure Access MSP Admin, Global Settings MSP Admin
Partner Network Admin – SD-WAN MSP Admin, Cloud Web Security MSP Read Only, Secure Access MSP Read Only, Global Settings MSP Admin
Partner Super user – Full Access to SD-WAN, Cloud Web Security, Secure Access, and Global Settings
Partner Customer Support – SD-WAN MSP Support, Cloud Web Security MSP Read Only, Secure Access MSP Read Only, Global Settings MSP Support
If required, you can customize the role privileges. For more information, see Role
Customization.
As a Partner, you can view the list of existing standard roles and their corresponding descriptions. You can add, edit, clone, or delete a custom role. However, you cannot edit or delete a default role.
2 From the left menu, click User Management, and then click the Roles tab. The following
screen appears:
- Add Role – Creates a new custom role. For more information, see Add Role.
- Edit – Allows you to edit only the custom roles. You cannot edit the default roles. Also, you cannot edit or view the settings of a Super user.
- Delete Role – Deletes the selected role. You cannot delete the default roles. You can delete only custom composite roles. Ensure that you have removed all the users associated with the selected role before deleting the role.
- Download CSV – Downloads the details of the user roles into a file in CSV format.
Note You can also access the Edit, Clone Role, and Delete Role options from the vertical
ellipsis of the selected Role.
4 Click the Open icon ">>" displayed before the Role link, to view more details about the
selected Role, as shown below:
5 Click the View Role link to view the privileges associated to the selected role for the following
services:
- SD-WAN
- Secure Access
6 The following are the other options available in the Roles tab:
- Search – Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
- Columns – Click and select the columns to be displayed or hidden on the page.
- Refresh – Click to refresh the page to display the most current data.
Add Role
To add a new role for a Partner, perform the following steps:
Procedure
2 From the left menu, click User Management, and then click the Roles tab.
Role Details
Role Creation
- Global Settings & Administration – These privileges provide access to user management and global settings that are shared across all services. Choosing this privilege is mandatory. By default, Global Settings MSP Support is selected.
- Cloud Web Security – These privileges provide the user with different levels of access around Cloud Web Security features. You can optionally choose a Cloud Web Security privilege. The default value is No Privileges.
- Secure Access – These privileges provide the user with different levels of access around Secure Access features. You can optionally choose a Secure Access privilege. The default value is No Privileges.
The new custom role appears in the User Management > Roles page of the user, depending
on the selected Scope. Click the link to the custom role to view the settings.
Service Permissions
Users can have different roles, and every role can have a specific privilege bundle for every service in the Orchestrator. As a Partner, you can assign a pre-defined role to a user. The Service Permissions feature allows you to customize the privilege bundles for the various services.
You can customize only the privilege bundles and not the roles. When you customize a privilege bundle, the changes impact the roles associated with it. For more information, see Roles.
- The customizations done at the Enterprise level override the Partner or Operator level customizations.
- The customizations done at the Partner level override the Operator level customizations.
- Only when there are no customizations done at the Partner level or Enterprise level are the customizations made by the Operator applied globally across all users in the Orchestrator.
2 From the left menu, click User Management, and then click the Service Permissions tab. The
following screen appears:
3 On the Service Permissions screen, you can perform the following activities:
- New Permission – Allows you to create a new permission. You can create only one permission for a Privilege Bundle. For more information, see New Permission.
4 The following are the other options available in the Service Permissions tab:
- Columns – Click and select the columns to be displayed or hidden on the page.
Note The Role Associated column displays the Roles using the same Privilege Bundle.
- Refresh – Click to refresh the page to display the most current data.
New Permission
You can create a customized permission and apply the permission to the existing privilege in the
SD-WAN Orchestrator.
Procedure
2 From the left menu, click User Management, and then click the Service Permissions tab.
5 Click Download CSV to download the list of all privileges into a file in CSV format.
6 Click Save to save the new permission. Click Save and Apply to save and publish the
permission.
Note The Save and Save and Apply buttons are activated only when you modify the
permissions.
Authentication
The Authentication feature allows you to set the authentication mode for a Partner and an
Enterprise user.
2 From the left menu, click User Management, and then click the Authentication tab. The
following screen appears:
Partner Authentication
- Local: This is the default option and does not require any additional configuration.
- Single Sign-On: Single Sign-On (SSO) is a session and user authentication service that allows SD-WAN Orchestrator users to log in to the SD-WAN Orchestrator with one set of login credentials to access multiple applications. Integrating the SSO service with SD-WAN Orchestrator improves the security of user authentication for SD-WAN Orchestrator users and enables SD-WAN Orchestrator to authenticate users from other OpenID Connect (OIDC)-based Identity Providers (IDPs).
To enable Single Sign On (SSO) for SD-WAN Orchestrator, you must configure an Identity
Provider (IDP) with details of SD-WAN Orchestrator. Currently, the following IDPs are
supported. Click each of the following links for step-by-step instructions to configure an
OpenID Connect (OIDC) application for SD-WAN Orchestrator in various IDPs:
You can configure the following options when you select the Authentication Mode as Single
Sign-on.
- Identity Provider Template – From the drop-down menu, select your preferred Identity Provider (IDP) that you have configured for Single Sign On.
- Organization Id – This field is available only when you select the VMware CSP template. Enter the Organization ID provided by the IDP in the format: /csp/gateway/am/api/orgs/<full organization ID>. When you sign in to VMware CSP
- OIDC well-known config URL – Enter the OpenID Connect (OIDC) configuration URL for your IDP. For example, the URL format for Okta will be: https://{oauth-provider-url}/.well-known/openid-configuration.
- JSON Web KeySet URI – This field is auto-populated based on your selected IDP.
- User Information Endpoint – This field is auto-populated based on your selected IDP.
- Client Secret – Enter the client secret code provided by your IDP, that is used by the client to exchange an authorization code for a token.
- Role Attribute – Enter the name of the attribute set in the IDP to return roles.
- Partner Role Map – Map the IDP-provided roles to each of the Partner user roles.
Click Update to save the entered values. The SSO authentication setup is complete in the
SD-WAN Orchestrator.
SSH Keys
You can create only one SSH Key per user. Click the User Information icon located at the top
right of the screen, and then click My Account > SSH Keys to create an SSH Key.
Click the Refresh option to refresh the section to display the most current data.
Session Limits
Note To view this section, an Operator user must navigate to Orchestrator > System Properties,
and set the value of the system property session.options.enableSessionTracking to True.
- Concurrent logins – Allows you to set a limit on concurrent logins per user. By default, Unlimited is selected, indicating that unlimited concurrent logins are allowed for the user.
- Session limits for each role – Allows you to set a limit on the number of concurrent sessions based on user role. By default, Unlimited is selected, indicating that unlimited sessions are allowed for the role.
Prerequisites
Procedure
c In the Name field, enter the name for your SD-WAN Orchestrator application.
d In the Redirect URL field, enter the redirect URL that your SD-WAN Orchestrator
application uses as the callback endpoint.
e Click Register.
Your SD-WAN Orchestrator application will be registered and displayed in the All applications and Owned applications tabs. Make sure to note down the Client ID/Application ID to be used during the SSO configuration in SD-WAN Orchestrator.
f Click Endpoints and copy the well-known OIDC configuration URL to be used during the
SSO configuration in SD-WAN Orchestrator.
g To create a client secret for your SD-WAN Orchestrator application, on the Owned
applications tab, click on your SD-WAN Orchestrator application.
i Provide details such as description and expiry value for the secret and click Add.
The client secret will be created for the application. Note down the new client secret
value to be used during the SSO configuration in SD-WAN Orchestrator.
j To configure permissions for your SD-WAN Orchestrator application, click on your SD-WAN Orchestrator application and go to API permissions > Add a permission.
k Click Microsoft Graph and select Application permissions as the type of permission for
your application.
n To add and save roles in the manifest, click on your SD-WAN Orchestrator application
and from the application Overview screen, click Manifest.
A web-based manifest editor opens, allowing you to edit the manifest within the portal.
Optionally, you can select Download to edit the manifest locally, and then use Upload to
reapply it to your application.
o In the manifest, search for the appRoles array and add one or more role objects as shown
in the following example and click Save.
Note The value property from appRoles must be added to the Identity Provider Role
Name column of the Role Map table, located in the Authentication tab, in order to map
the roles correctly.
{
  "allowedMemberTypes": [
    "User"
  ],
  "description": "Standard Administrator who will have sufficient privilege to manage resource",
  "displayName": "Standard Admin",
  "id": "18fcaa1a-853f-426d-9a25-ddd7ca7145c1",
  "isEnabled": true,
  "lang": null,
  "origin": "Application",
  "value": "standard"
},
{
  "allowedMemberTypes": [
    "User"
  ],
  "description": "Super Admin who will have the full privilege on SD-WAN Orchestrator",
  "displayName": "Super Admin",
  "id": "cd1d0438-56c8-4c22-adc5-2dcfbf6dee75",
  "isEnabled": true,
  "lang": null,
  "origin": "Application",
  "value": "superuser"
}
Note Make sure to set id to a newly generated Global Unique Identifier (GUID) value. You can generate GUIDs online using web-based tools (for example, https://www.guidgen.com/), or by running the following commands:
- Linux/OSX - uuidgen
c Click Users and groups and assign users and groups to the application.
d Click Submit.
Results
What to do next
Prerequisites
Procedure
Note If you are in the Developer Console view, then you must switch to the Classic UI view
by selecting Classic UI from the Developer Console drop-down list.
e Under the General Settings area, in the Application name text box, enter the name for
your application.
f Under the CONFIGURE OPENID CONNECT area, in the Login redirect URIs text box,
enter the redirect URL that your SD-WAN Orchestrator application uses as the callback
endpoint.
h On the General tab, click Edit and select Refresh Token for Allowed grant types, and click
Save.
Note down the Client Credentials (Client ID and Client Secret) to be used during the SSO
configuration in SD-WAN Orchestrator.
i Click the Sign On tab and under the OpenID Connect ID Token area, click Edit.
j From the Groups claim type drop-down menu, select Expression. By default, Groups
claim type is set to Filter.
k In the Groups claim expression textbox, enter the claim name that will be used in the
token, and an Okta input expression statement that evaluates the token.
l Click Save.
The application is set up in the IDP. You can assign user groups and users to your SD-WAN Orchestrator application.
a Go to Application > Applications and click on your SD-WAN Orchestrator application link.
b On the Assignments tab, from the Assign drop-down menu, select Assign to Groups or
Assign to People.
c Click Assign next to available user groups or users you want to assign the SD-WAN
Orchestrator application and click Done.
The users or user groups assigned to the SD-WAN Orchestrator application will be
displayed.
Results
What to do next
Prerequisites
Procedure
b In the Find Applications text box, search for “OpenId Connect” or “oidc” and then select
the OpenId Connect (OIDC) app.
c In the Display Name text box, enter the name for your application and click Save.
d On the Configuration tab, enter the Login URL (auto-login URL for SSO) and the Redirect
URI that SD-WAN Orchestrator uses as the callback endpoint, and click Save.
- Login URL - The login URL will be in this format: https://<Orchestrator URL>/<Domain>/login/doEnterpriseSsoLogin, where <Domain> is the domain name of your Enterprise that you must have already set up to enable SSO authentication for the SD-WAN Orchestrator. You can get the Domain name from the Enterprise portal > Administration > System Settings > General Information page.
- Redirect URIs - The SD-WAN Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback. In the SD-WAN Orchestrator application, at the bottom of the Authentication screen, you can find the redirect URL link.
e On the Parameters tab, under OpenId Connect (OIDC), double click Groups.
f Configure User Roles with value “--No transform--(Single value output)” to be sent in
groups attribute and click Save.
g On the SSO tab, from the Application Type drop-down menu, select Web.
h From the Authentication Method drop-down menu, select POST as the Token Endpoint
and click Save.
Also, note down the Client Credentials (Client ID and Client Secret) to be used during the
SSO configuration in SD-WAN Orchestrator.
i On the Access tab, choose the roles that will be allowed to login and click Save.
b On the Application tab, from the Roles drop-down menu, on the left, select a role to be
mapped to the user.
Results
What to do next
Prerequisites
Note Currently, SD-WAN Orchestrator supports PingOne as the Identity Provider (IDP); however, any PingIdentity product supporting OIDC can be easily configured.
Procedure
b On the My Applications tab, select OIDC and then click Add Application.
c Provide basic details such as name, short description, and category for the application
and click Next.
Also, note down the Discovery URL and Client Credentials (Client ID and Client Secret) to
be used during the SSO configuration in SD-WAN Orchestrator.
e Under SSO FLOW AND AUTHENTICATION SETTINGS, provide valid values for Start SSO
URL and Redirect URL and click Next.
f Under DEFAULT USER PROFILE ATTRIBUTE CONTRACT, click Add Attribute to add
additional user profile attributes.
g In the Attribute Name text box, enter group_membership, select the Required checkbox, and then click Next.
h Under CONNECT SCOPES, select the scopes that can be requested for your SD-WAN
Orchestrator application during authentication and click Next.
i Under Attribute Mapping, map your identity repository attributes to the claims available
to your SD-WAN Orchestrator application.
Note The minimum required mappings for the integration to work are email,
given_name, family_name, phone_number, sub, and group_membership (mapped to
memberOf).
j Under Group Access, select all user groups that should have access to your SD-WAN
Orchestrator application and click Done.
The application will be added to your account and will be available in the My Application
screen.
Results
What to do next
Prerequisites
Sign in to VMware CSP console (staging or production environment) with your VMware account
ID. If you are new to VMware Cloud and do not have a VMware account, you can create one
as you sign up. For more information, see How do I Sign up for VMware CSP section in Using
VMware Cloud documentation.
Procedure
1 Contact the VMware Support Provider for receiving a Service invitation URL link to register your SD-WAN Orchestrator application to VMware CSP. For information on how to contact the Support Provider, see https://kb.vmware.com/s/article/53907 and https://www.vmware.com/support/contacts/us_support.html.
- a Service definition uuid and Service role name to be used for Role mapping in Orchestrator
2 Redeem the Service invitation URL to your existing Customer Organization or create a new
Customer Organization by following the steps in the UI screen.
You need to be an Organization Owner to redeem the Service invitation URL to your existing
Customer Organization.
3 After redeeming the Service invitation, when you sign in to VMware CSP console, you can
view your application tile under My Services area in the VMware Cloud Services page.
The Organization you are logged into is displayed under your username on the menu
bar. Make a note of the Organization ID by clicking on your username, to be used during
Orchestrator configuration. A shortened version of the ID is displayed under the Organization
name. Click the ID to display the full Organization ID.
4 Log in to VMware CSP console and create an OAuth application. For steps, see Use OAuth
2.0 for Web Apps. Make sure to set Redirect URI to the URL displayed in Configure
Authentication screen in Orchestrator.
Once OAuth application is created in VMware CSP console, make a note of IDP integration
details such as Client ID and Client Secret. These details will be needed for SSO configuration
in Orchestrator.
5 Log in to your SD-WAN Orchestrator application as Super Admin user and configure SSO
using the IDP integration details as follows.
b Click the General Information tab and in the Domain text box, enter the domain name for
your enterprise, if it is not already set.
Note To enable SSO authentication for the SD-WAN Orchestrator, you must set up the
domain name for your enterprise.
c Click the Authentication tab and from the Authentication Mode drop-down menu, select
SSO.
e In the Organization Id text box, enter the Organization ID (that you have noted down in
Step 3) in the following format: /csp/gateway/am/api/orgs/<full organization ID>.
f In the OIDC well-known config URL text box, enter the OpenID Connect (OIDC)
configuration URL (https://console.cloud.vmware.com/csp/gateway/am/api/.well-known/
openid-configuration) for your IDP.
g In the Client Id text box, enter the client ID that you have noted down from the OAuth
application creation step.
h In the Client Secret text box, enter the client secret code that you have noted down from
the OAuth application creation step.
i To determine the user's role in SD-WAN Orchestrator, select either Use Default Role or Use Identity Provider Roles.
j On selecting the Use Identity Provider Roles option, in the Role Attribute text box, enter
the name of the attribute set in the VMware CSP to return roles.
k In the Role Map area, map the VMwareCSP-provided roles to each of the SD-WAN
Orchestrator roles, separated by using commas.
Roles in VMware CSP will follow this format: external/<service definition uuid>/<service
role name mentioned during service template creation>. Use the same Service definition
uuid and Service role name that you have received from your Support Provider.
7 Click Test Configuration to validate the entered OpenID Connect (OIDC) configuration.
The user is navigated to the VMware CSP website and allowed to enter the credentials. On IDP verification and successful redirect to the SD-WAN Orchestrator test callback, a successful validation message will be displayed.
Results
You have completed integrating the SD-WAN Orchestrator application with VMware CSP for SSO and
can access the SD-WAN Orchestrator application by logging in to the VMware CSP console.
What to do next
- Within the organization, manage users by adding new users and assigning the appropriate
roles to them. For more information, see the Identity & Access Management section in the Using
VMware Cloud documentation.
Displays the Software/Firmware images assigned to the partner by the Operator. You can assign
the software images to your Enterprise customers from this list.
Gateway Pool
Displays the Gateway pools assigned to the partner by the Operator. You can assign the
Gateway pools to your Enterprise customers from this list.
Note To assign the software images and Gateway pools to a customer, see Create New Partner
Customer and Configure Customers.
2 In the new UI, click the Administration tab and go to Partner Configuration in the left
navigation pane.
The Partner Overview page with the following information appears for the selected Partner.
Available Software Images – Displays all the software images assigned to the Partner by the
Operator. You can assign the software images to your Enterprise customers from this list.
- General Information – Configure the user details, configure privacy settings, and enter the
contact information. See Configure Partner Information.
- Authentication – Configure the authentication mode and view the API tokens. See Configure
Partner Authentication.
In the Partner portal, click Settings. You can configure the following in the General Information
tab.
Privacy Settings – Select Grant Access to VeloCloud Support to grant access to the VMware
Support to view, configure, and troubleshoot the events and settings.
Contact Info – The existing contact details are displayed in this section. If required, you can
modify the details.
In the Partner portal, click Settings > Authentication to configure the following:
Partner Authentication – Choose one of the following from the Authentication Mode.
- NATIVE – This is the default authentication mode; you log in to the Partner portal with
the native username and password. This mode does not require any configuration.
- SSO – Single Sign On (SSO) is a session and user authentication service that allows users
to log in to the Partner portal with one set of login credentials to access multiple applications.
For more information, see Configure Single Sign On for Partner User.
API Tokens – You can access the Orchestrator APIs using token-based authentication,
irrespective of the authentication mode. You can view the existing API tokens in this section.
The Partner Super User or the User associated with an API token can revoke the token. Select
the token and click Actions > Revoke. To create and download API tokens, see API Tokens.
Single Sign On (SSO) is a session and user authentication service that allows SD-WAN
Orchestrator users to log in to the SD-WAN Orchestrator with one set of login credentials to
access multiple applications. Integrating the SSO service with SD-WAN Orchestrator improves
the security of user authentication for SD-WAN Orchestrator users and enables SD-WAN
Orchestrator to authenticate users from other OpenID Connect (OIDC)-based Identity Providers
(IDPs). The following IDPs are currently supported:
- Okta
- OneLogin
- PingIdentity
- AzureAD
- VMwareCSP
Prerequisites
- Before setting up SSO authentication in SD-WAN Orchestrator, ensure that you have set
up roles, users, and an OpenID Connect (OIDC) application for SD-WAN Orchestrator on your
preferred identity provider's website. For more information, see Configure an IDP for Single
Sign On.
Procedure
1 Log in to the SD-WAN Orchestrator application as a Partner Super User with your login
credentials.
2 Click Settings.
3 Click the General Information tab and in the Domain text box, enter the domain name for
your partner, if it is not already set.
Note To enable SSO authentication for the SD-WAN Orchestrator, you must set up the
domain name for your partner.
4 Click the Authentication tab and from the Authentication Mode drop-down menu, select
Single Sign-On.
5 From the Identity Provider template drop-down menu, select your preferred Identity
Provider (IDP) that you have configured for Single Sign On.
Note When you select VMwareCSP as your preferred IDP, make sure to provide your
Organization ID in the following format: /csp/gateway/am/api/orgs/<full organization ID>.
When you sign in to the VMware CSP console, you can view the organization ID you are logged
into by clicking your username. A shortened version of the ID is displayed under the
organization name. Click the ID to display the full organization ID.
You can also manually configure your own IDPs by selecting Others from the Identity
Provider template drop-down menu.
6 In the OIDC well-known config URL text box, enter the OpenID Connect (OIDC) configuration
URL for your IDP. For example, the URL format for Okta is:
https://{oauth-provider-url}/.well-known/openid-configuration.
8 In the Client Id text box, enter the client identifier provided by your IDP.
9 In the Client Secret text box, enter the client secret code provided by your IDP, that is used
by the client to exchange an authorization code for a token.
- Use Default Role – Allows you to configure a static role as the default by using the Default
Role text box that appears on selecting this option. The supported roles are: MSP
Superuser, MSP Standard Admin, MSP Support, and MSP Business.
Note In an SSO configuration setup, if the Use Default Role option is selected and a default
user role is defined, then all SSO users are assigned the specified default role.
Instead of assigning the default role to a user, a Partner Super User can pre-register a
specific user as a Non-Native user and define a specific user role by using the Admins tab
in the Partner portal. For steps to configure a new Partner Administrator User, see Create
New Partner Admin.
- Use Identity Provider Roles – Uses the roles set up in the IDP.
11 On selecting the Use Identity Provider Roles option, in the Role Attribute text box, enter the
name of the attribute set in the IDP to return roles.
12 In the Role Map area, map the IDP-provided roles to each of the Partner user roles, separated
by using commas.
Roles in VMware CSP will follow this format: external/<service definition uuid>/<service role
name mentioned during service template creation>.
13 Update the allowed redirect URLs in OIDC provider website with SD-WAN Orchestrator URL
(https://<vco>/login/ssologin/openidCallback).
15 Click Test Configuration to validate the entered OpenID Connect (OIDC) configuration.
The user is navigated to the IDP website and allowed to enter the credentials. On IDP
verification and successful redirect to the SD-WAN Orchestrator test callback, a successful
validation message is displayed.
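Before relying on Test Configuration, it helps to know what the Orchestrator needs from the document behind the OIDC well-known config URL (step 6) and from the redirect URL registered at the IDP (step 13). The following Python script is an added example, not part of this guide or of the Orchestrator: it checks a discovery document for the authorization-code flow, refresh-token grant, client_secret_post token authentication and key set the procedure depends on, and checks the callback URL by exact match. The IDP base URL, the Orchestrator hostname and the discovery document are constructed placeholders.

```python
"""Sanity-check an OpenID Connect discovery document and the Orchestrator
callback URL before filling in the Authentication tab.

Added example, not VMware code. SAMPLE_DISCOVERY, the IdP base URL and the
Orchestrator hostname below are constructed placeholders.
"""
import json
from typing import List
from urllib.parse import urlsplit

# Constructed discovery document in the shape an OIDC provider serves from
# <base>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/oauth2/default",
    "authorization_endpoint": "https://idp.example.test/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/default/v1/token",
    "userinfo_endpoint": "https://idp.example.test/oauth2/default/v1/userinfo",
    "jwks_uri": "https://idp.example.test/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
})

# Endpoints and scopes the authorization-code login needs: the key set is
# what verifies the ID token the Orchestrator receives.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = ("openid", "profile", "email")

def well_known_url(provider_base: str) -> str:
    """Build the discovery URL from the IdP base URL, as in the Okta example."""
    return provider_base.rstrip("/") + "/.well-known/openid-configuration"

def orchestrator_callback(vco_host: str) -> str:
    """The callback to register at the IdP: https://<vco>/login/ssologin/openidCallback."""
    return f"https://{vco_host}/login/ssologin/openidCallback"

def check_discovery(text: str) -> List[str]:
    """Return the problems found in a discovery document; an empty list means usable."""
    doc = json.loads(text)
    problems: List[str] = []
    issuer = doc.get("issuer", "")
    if not issuer.startswith("https://"):
        problems.append("issuer is missing or not https")
    issuer_host = urlsplit(issuer).netloc
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"{key} missing")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{key} is not https")
        # An endpoint on a host other than the issuer usually means a mistyped
        # URL or a document that was not served by the IdP you expect.
        if parts.netloc != issuer_host:
            problems.append(f"{key} host {parts.netloc} differs from issuer host")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")
    # Defaults when the keys are absent follow OpenID Connect Discovery 1.0.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    for grant in ("authorization_code", "refresh_token"):
        if grant not in grants:
            problems.append(f"grant type '{grant}' not supported")
    auth_methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_post" not in auth_methods:
        problems.append("token endpoint does not accept client_secret_post")
    missing = [s for s in REQUIRED_SCOPES if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append("scopes not advertised: " + ", ".join(missing))
    return problems

def callback_registered(registered: List[str], vco_host: str) -> bool:
    """Exact-match check: redirect URIs are compared character for character,
    so a prefix or wildcard entry at the IdP does not count as registered."""
    return orchestrator_callback(vco_host) in registered

if __name__ == "__main__":
    print(well_known_url("https://idp.example.test/oauth2/default"))
    print("problems:", check_discovery(SAMPLE_DISCOVERY))
    print(callback_registered(["https://vco.example.test/login/ssologin/openidCallback"],
                              "vco.example.test"))
```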
Results
What to do next
For step-by-step instructions to configure an OpenID Connect (OIDC) application for SD-WAN
Orchestrator in various IDPs, see:
Prerequisites
Procedure
Note If you are in the Developer Console view, then you must switch to the Classic UI view
by selecting Classic UI from the Developer Console drop-down list.
e Under the General Settings area, in the Application name text box, enter the name for
your application.
f Under the CONFIGURE OPENID CONNECT area, in the Login redirect URIs text box,
enter the redirect URL that your SD-WAN Orchestrator application uses as the callback
endpoint.
h On the General tab, click Edit and select Refresh Token for Allowed grant types, and click
Save.
Note down the Client Credentials (Client ID and Client Secret) to be used during the SSO
configuration in SD-WAN Orchestrator.
i Click the Sign On tab and under the OpenID Connect ID Token area, click Edit.
j From the Groups claim type drop-down menu, select Expression. By default, Groups
claim type is set to Filter.
k In the Groups claim expression textbox, enter the claim name that will be used in the
token, and an Okta input expression statement that evaluates the token.
l Click Save.
The application is set up in the IDP. You can assign user groups and users to your SD-WAN
Orchestrator application.
a Go to Application > Applications and click on your SD-WAN Orchestrator application link.
b On the Assignments tab, from the Assign drop-down menu, select Assign to Groups or
Assign to People.
c Click Assign next to available user groups or users you want to assign the SD-WAN
Orchestrator application and click Done.
The users or user groups assigned to the SD-WAN Orchestrator application will be
displayed.
Results
What to do next
Procedure
3 Enter the group name and description for the group and click Save.
Procedure
3 Enter all the mandatory details such as first name, last name, and email ID of the user.
4 If you want to set the password, select Set by user from the Password drop-down menu and
enable Send user activation email now.
5 Click Save.
An activation link email is sent to your email ID. Click the link in the email to activate your
Okta user account.
Prerequisites
Procedure
b In the Find Applications text box, search for “OpenId Connect” or “oidc” and then select
the OpenId Connect (OIDC) app.
c In the Display Name text box, enter the name for your application and click Save.
d On the Configuration tab, enter the Login URL (auto-login URL for SSO) and the Redirect
URI that SD-WAN Orchestrator uses as the callback endpoint, and click Save.
- Login URL - The login URL is in this format:
https://<Orchestrator URL>/<Domain>/login/doEnterpriseSsoLogin, where <Domain> is the domain
name of your Enterprise that you must have already set up to enable SSO authentication for
the SD-WAN Orchestrator. You can get the Domain name from the Enterprise portal >
Administration > System Settings > General Information page.
- Redirect URIs - The SD-WAN Orchestrator redirect URL is in this format:
https://<Orchestrator URL>/login/ssologin/openidCallback. In the SD-WAN Orchestrator
application, at the bottom of the Authentication screen, you can find the redirect
URL link.
e On the Parameters tab, under OpenId Connect (OIDC), double click Groups.
f Configure User Roles with value “--No transform--(Single value output)” to be sent in
groups attribute and click Save.
g On the SSO tab, from the Application Type drop-down menu, select Web.
h From the Authentication Method drop-down menu, select POST as the Token Endpoint
and click Save.
Also, note down the Client Credentials (Client ID and Client Secret) to be used during the
SSO configuration in SD-WAN Orchestrator.
i On the Access tab, choose the roles that will be allowed to login and click Save.
b On the Application tab, from the Roles drop-down menu, on the left, select a role to be
mapped to the user.
Results
What to do next
Procedure
When you first set up a role, the Applications tab displays all the apps in your company
catalog.
4 Click an application to select it and click Save to add the selected apps to the role.
Procedure
2 Enter all the mandatory details such as first name, last name, and email ID of the user and
click Save User.
Prerequisites
Note Currently, SD-WAN Orchestrator supports PingOne as the Identity Provider (IDP); however,
any PingIdentity product supporting OIDC can be easily configured.
Procedure
b On the My Applications tab, select OIDC and then click Add Application.
c Provide basic details such as name, short description, and category for the application
and click Next.
Also, note down the Discovery URL and Client Credentials (Client ID and Client Secret) to
be used during the SSO configuration in SD-WAN Orchestrator.
e Under SSO FLOW AND AUTHENTICATION SETTINGS, provide valid values for Start SSO
URL and Redirect URL and click Next.
f Under DEFAULT USER PROFILE ATTRIBUTE CONTRACT, click Add Attribute to add
additional user profile attributes.
g In the Attribute Name text box, enter group_membership and then select the Required
checkbox, and select Next.
h Under CONNECT SCOPES, select the scopes that can be requested for your SD-WAN
Orchestrator application during authentication and click Next.
i Under Attribute Mapping, map your identity repository attributes to the claims available
to your SD-WAN Orchestrator application.
Note The minimum required mappings for the integration to work are email,
given_name, family_name, phone_number, sub, and group_membership (mapped to
memberOf).
j Under Group Access, select all user groups that should have access to your SD-WAN
Orchestrator application and click Done.
The application will be added to your account and will be available in the My Application
screen.
Results
What to do next
Procedure
3 In the Name text box, enter a name for the group and click Save.
Procedure
2 On the Users tab, click the Add Users drop-down menu and select Create New User.
3 Enter all the mandatory details such as username, password, and email ID of the user.
Prerequisites
Procedure
c In the Name field, enter the name for your SD-WAN Orchestrator application.
d In the Redirect URL field, enter the redirect URL that your SD-WAN Orchestrator
application uses as the callback endpoint.
e Click Register.
Your SD-WAN Orchestrator application will be registered and displayed in the All
applications and Owned applications tabs. Make sure to note down the Client ID/
Application ID to be used during the SSO configuration in SD-WAN Orchestrator.
f Click Endpoints and copy the well-known OIDC configuration URL to be used during the
SSO configuration in SD-WAN Orchestrator.
g To create a client secret for your SD-WAN Orchestrator application, on the Owned
applications tab, click on your SD-WAN Orchestrator application.
i Provide details such as description and expiry value for the secret and click Add.
The client secret will be created for the application. Note down the new client secret
value to be used during the SSO configuration in SD-WAN Orchestrator.
j To configure permissions for your SD-WAN Orchestrator application, click on your SD-
WAN Orchestrator application and go to API permissions > Add a permission.
k Click Microsoft Graph and select Application permissions as the type of permission for
your application.
n To add and save roles in the manifest, click on your SD-WAN Orchestrator application
and from the application Overview screen, click Manifest.
A web-based manifest editor opens, allowing you to edit the manifest within the portal.
Optionally, you can select Download to edit the manifest locally, and then use Upload to
reapply it to your application.
o In the manifest, search for the appRoles array and add one or more role objects as shown
in the following example and click Save.
Note The value property from appRoles must be added to the Identity Provider Role
Name column of the Role Map table, located in the Authentication tab, in order to map
the roles correctly.
{
    "allowedMemberTypes": [
        "User"
    ],
    "description": "Standard Administrator who will have sufficient privilege to manage resource",
    "displayName": "Standard Admin",
    "id": "18fcaa1a-853f-426d-9a25-ddd7ca7145c1",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "standard"
},
{
    "allowedMemberTypes": [
        "User"
    ],
    "description": "Super Admin who will have the full privilege on SD-WAN Orchestrator",
    "displayName": "Super Admin",
    "id": "cd1d0438-56c8-4c22-adc5-2dcfbf6dee75",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "superuser"
}
Note Make sure to set id to a newly generated Globally Unique Identifier (GUID)
value. You can generate GUIDs online using web-based tools (for example,
https://www.guidgen.com/), or by running the following commands:
- Linux/OSX - uuidgen
c Click Users and groups and assign users and groups to the application.
d Click Submit.
Results
What to do next
Procedure
3 In the Email address text box, enter the email address of the guest user and click Invite.
The guest user immediately receives a customizable invitation that lets them sign in to their
Access Panel.
Prerequisites
Sign in to VMware CSP console (staging or production environment) with your VMware account
ID. If you are new to VMware Cloud and do not have a VMware account, you can create one
as you sign up. For more information, see How do I Sign up for VMware CSP section in Using
VMware Cloud documentation.
Procedure
1 Contact the VMware Support Provider to receive a Service invitation URL link to
register your SD-WAN Orchestrator application with VMware CSP. For information on how
to contact the Support Provider, see https://kb.vmware.com/s/article/53907 and
https://www.vmware.com/support/contacts/us_support.html.
- a Service definition uuid and Service role name to be used for Role mapping in
Orchestrator
2 Redeem the Service invitation URL to your existing Customer Organization or create a new
Customer Organization by following the steps in the UI screen.
You need to be an Organization Owner to redeem the Service invitation URL to your existing
Customer Organization.
3 After redeeming the Service invitation, when you sign in to VMware CSP console, you can
view your application tile under My Services area in the VMware Cloud Services page.
The Organization you are logged into is displayed under your username on the menu
bar. Make a note of the Organization ID by clicking on your username, to be used during
Orchestrator configuration. A shortened version of the ID is displayed under the Organization
name. Click the ID to display the full Organization ID.
4 Log in to the VMware CSP console and create an OAuth application. For steps, see Use OAuth
2.0 for Web Apps. Make sure to set the Redirect URI to the URL displayed on the Configure
Authentication screen in Orchestrator.
Once the OAuth application is created in the VMware CSP console, make a note of the IDP
integration details such as Client ID and Client Secret. These details are needed for the SSO
configuration in Orchestrator.
5 Log in to your SD-WAN Orchestrator application as Super Admin user and configure SSO
using the IDP integration details as follows.
b Click the General Information tab and in the Domain text box, enter the domain name for
your enterprise, if it is not already set.
Note To enable SSO authentication for the SD-WAN Orchestrator, you must set up the
domain name for your enterprise.
c Click the Authentication tab and from the Authentication Mode drop-down menu, select
SSO.
e In the Organization Id text box, enter the Organization ID (that you have noted down in
Step 3) in the following format: /csp/gateway/am/api/orgs/<full organization ID>.
f In the OIDC well-known config URL text box, enter the OpenID Connect (OIDC)
configuration URL (https://console.cloud.vmware.com/csp/gateway/am/api/.well-known/
openid-configuration) for your IDP.
g In the Client Id text box, enter the client ID that you have noted down from the OAuth
application creation step.
h In the Client Secret text box, enter the client secret code that you have noted down from
the OAuth application creation step.
i To determine the user's role in SD-WAN Orchestrator, select either Use Default Role or Use
Identity Provider Roles.
j On selecting the Use Identity Provider Roles option, in the Role Attribute text box, enter
the name of the attribute set in the VMware CSP to return roles.
k In the Role Map area, map the VMwareCSP-provided roles to each of the SD-WAN
Orchestrator roles, separated by using commas.
Roles in VMware CSP will follow this format: external/<service definition uuid>/<service
role name mentioned during service template creation>. Use the same Service definition
uuid and Service role name that you have received from your Support Provider.
7 Click Test Configuration to validate the entered OpenID Connect (OIDC) configuration.
The user is navigated to the VMware CSP website and allowed to enter the credentials. On
IDP verification and successful redirect to the SD-WAN Orchestrator test callback, a successful
validation message is displayed.
Results
You have completed integrating the SD-WAN Orchestrator application with VMware CSP for SSO and
can access the SD-WAN Orchestrator application by logging in to the VMware CSP console.
What to do next
- Within the organization, manage users by adding new users and assigning the appropriate
roles to them. For more information, see the Identity & Access Management section in the Using
VMware Cloud documentation.
Only Operators can enable the Edge Licensing and assign the licenses to a Partner user. If the
Edge Licensing is not enabled for you, contact your Operator.
Bandwidth – 10M, 30M, 50M, 100M, 200M, 350M, 500M, 750M, 1G, 2G, 5G, 10G
Region – North America, Europe Middle East and Africa, Latin America, Asia Pacific
An Operator can assign different types of Edge licenses from the 324 types of licenses available
with various combinations.
Apart from the above list, VMware offers a trial version of license with the following attributes:
Bandwidth – 10 Gbps
Edition – POC
Region – North America, Europe Middle East and Africa, Asia Pacific and Latin America
Term – 60 Months
Note You can assign the POC license to a customer as a trial. When required, you can upgrade
the license to any required Edition.
To manage the Edge licenses for Customers, see Manage Edge Licenses for Customers.
To assign the Edge licenses to Customers, see Create New Partner Customer.
To view and generate a report of available License types, see Generate an Edge Licensing
Report.
To manage Edge Licensing using the New Orchestrator UI, see Edge Licensing with New
Orchestrator UI.
Procedure
5 In the Select Edge Licenses window, choose the relevant licenses based on the Bandwidth,
Term, Edition, and Region.
Note Apart from the existing licenses, VMware offers a trial version of license with the
Edition as POC. If you select a POC license, you cannot choose the other licenses.
6 Click OK.
Results
If you have selected the POC license, you can click Upgrade Edge License to upgrade the license
to the next level. Choose Standard, Enterprise or Premium Edition from the list.
Click Report to generate a report of the licenses and the associated Edges in CSV format.
What to do next
When you create an Edge, you can choose and assign an Edge License from the list.
n To assign license to each Edge, click the link to the Edge and select the License in the Edge
Overview page. You can also select the Edge and click Actions > Assign Edge License to
assign the License.
n To assign a license to multiple Edges, select the appropriate Edges, click Actions > Assign
Edge License, and select the License.
Click Report to generate a report of the licenses, associated customers, and Edges in CSV
format.
Procedure
1 In the Partner portal, from the top menu, click Edge Image Management, and then from the
left menu, click Edge Licensing.
3 Clicking the View link under the Partners assigned column displays the Edge license details
of the selected Partner.
4 Clicking the View link under the Customers assigned column displays the Edge license
details of the selected Customer.
What to do next
To manage Edge licensing for Customers with New Orchestrator UI, see Manage Edge Licenses
for Customers with New Orchestrator UI
Procedure
5 In the Select Edge Licenses window, choose the relevant licenses based on the Bandwidth,
Term, Edition, and Region, and then move them to the Selected Edge Licenses pane.
Note Apart from the existing licenses, VMware offers a trial version of license with the
Edition as POC. If you select a POC license, you cannot choose the other licenses.
6 Click Save. The selected licenses are displayed in the Edge Licensing window.
7 Click Download Report to generate a report of the licenses and the associated Edges in CSV
format.
What to do next
When you create an Edge, you can choose and assign an Edge License from the list.
n To assign license to each Edge, click the link to the Edge and select the License under the
Properties area in the Edge Overview page. You can also select the Edge and click Assign
Edge License to assign the license.
n To assign a license to multiple Edges, select the appropriate Edges, click Assign Edge
License, and select the license.
1 In the Partner portal, from the top menu, click Settings, and then from the left menu, click
Edge Management.
2 You can configure the following options and click Save Changes.
Edge Authentication
Edge Authentication – Click the Activate Secure Edge Access button to allow the user to
access Edges using Password-based or Key-based authentication. You can activate this option
only once, but you can switch between Password-based and Key-based authentication any
number of times.
Configuration Updates
Disable Edge Configuration Updates – By default, this option is activated. This option allows
you to actively push the configuration updates to Edges. Slide the toggle button to turn it Off.
Enable Configuration Updates Post-Upgrade – By default, this option is deactivated. This
option allows you to control when post-Orchestrator-upgrade configuration changes are applied
to the Edges. Slide the toggle button to turn it On.
You can view the details of the listed images and select the default image.
Note
- To view this section, go to Global Settings > Customer Configuration > SD-WAN
Configuration, and then select the Allow Customer to manage software check box.
- Only an Operator can add, delete, or edit an image. For more information, see the topic
Platform Firmware and Factory Images with New Orchestrator UI, in the VMware SD-WAN
Operator Guide.
The Secure Shell (SSH) key-based authentication is a secure and robust authentication method to
access VMware SD-WAN Edges. It provides a strong, encrypted verification and communication
process between users and Edges. The use of SSH keys bypasses the need to manually enter
login credentials and automates the secure access to Edges.
Note Both the Edge and the Orchestrator must be using Release 5.0.0 or later for this feature to
be available.
Note Users with Operator Business or Business Specialist account roles cannot access Edges
using key-based authentication.
1 Configure privileges for a user to access Edges in a secure manner. You can choose the Basic or
Privileged access level for the user. You can configure the access level when you create a
new user and modify it at a later point in time. Ensure that you have the Super User
role to modify the access level for a user. See the following topics:
2 Generate a new pair of SSH keys or import an existing SSH key. See Add SSH Key.
3 Enable key-based authentication to access Edges. See Enable Secure Edge Access for an
Enterprise.
The public key is stored in the database and is shared with the Edges. The private key is
downloaded to your computer, and you can use this key along with the SSH username to access
Edges. You can generate only one pair of SSH keys at a time. If you need to add a new pair
of SSH keys, you must delete the existing pair and then generate a new pair. If a previously
generated private key is lost, you cannot recover it from the Orchestrator. You must delete the
key and then add a new key to gain access. For details about how to delete SSH keys, see
Revoke SSH Keys.
- All users, except users with Operator Business or Business Specialist account roles, can
create and revoke SSH keys for themselves.
- Operator Super users can manage SSH keys of other Operator users, Partner users, and
Enterprise users, if the Partner user and Enterprise user have delegated user permissions to
the Operator.
- Partner Super users can manage SSH keys of other Partner users and Enterprise users, if the
Enterprise user has delegated user permissions to the Partner.
- Enterprise Super users can manage the SSH keys of all the users within that Enterprise.
- Super users can only view and revoke the SSH keys for other users.
Note Enterprise and Partner customers without SD-WAN service access cannot configure or
view SSH key details.
Procedure
1 In the Enterprise portal, click the User icon that appears at the top-right side of the window.
The User Information panel appears.
2 Click Add SSH Key. The Add SSH Key pop-up window appears.
- Generate Key—Use this option to generate a new pair of public and private SSH keys. The
default file format in which the SSH key is generated is .pem. If you are using a Windows
operating system, ensure that you convert the file format from .pem to .ppk, and then
import the key. For instructions to convert .pem to .ppk, see Convert Pem to Ppk File
Using PuTTYgen.
- Import Key—Use this option to paste or enter the public key if you already have a pair of
SSH keys.
4 In the PassPhrase field, you can choose to enter a unique passphrase to further safeguard
the private key stored on your computer.
Note This is an optional field and is available only if you have selected the Generate Key
option.
5 From the Duration drop-down list, select the number of days after which the SSH key expires.
What to do next
Ensure that you enable secure Edge access for the Enterprise and switch the authentication
mode from Password-based to Key-based. See Enable Secure Edge Access for an Enterprise.
1 In the Enterprise portal, click the User icon that appears at the top-right side of the window.
The User Information panel appears.
2 In the SSH Keys area, select the SSH usernames for which you want to delete the SSH keys.
- you change the user role to Operator Business or Business Specialist because these roles
cannot access Edges using key-based authentication.
Procedure
2 Select the Enable Secure Edge Access check box to allow the user to access Edges
using Key-based authentication. Once you have activated Secure Edge Access, you cannot
deactivate it.
Note Only Operator users can enable secure Edge access for an Enterprise.
Note Ensure that you have Super User role to switch the authentication mode.
What to do next
Use the SSH keys to log in securely to the Edge's CLI and run the required commands. See Secure
Edge CLI Commands.
Note Run help <command name> to view a brief description of the command.
Interaction Commands
Debug Commands
Configuration Command
Sample Outputs
This section provides the sample outputs of some of the commands that can be run in a secure
Edge CLI.
edgeinfo
o10test_velocloud_net:velocli> edgeinfo
Model: vmware
Serial: VMware-420efa0d2a6ccb35-9b9bee2f04f74b32
Build Version: 5.0.0
Build Date: 2021-12-07_20-17-40
Build rev: R500-20211207-MN-8f5954619c
Build Hash: 8f5954619c643360455d8ada8e49def34faa688d
seainfo
o10test_velocloud_net:velocli> seainfo
{
"rootlocked": false,
"seauserinfo": {
"o2super_velocloud_net": {
"expiry": 1641600000000,
"privilege": "BASIC"
}
}
}
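The seainfo output above lists each key-based user with a privilege level and an expiry in epoch milliseconds, which is the Duration you chose when adding the SSH key. The following Python script is an added example, not VMware code, that parses that output and reports which users' keys are expired or about to expire, so the key can be revoked and a new one added before access is lost. The embedded sample is constructed in the shape of the seainfo output above, with a second user and made-up timestamps added to exercise the expired case.

```python
"""Audit the key-based (Secure Edge Access) users an Edge reports via seainfo.

Added example, not VMware code. SAMPLE_SEAINFO is constructed in the shape of
the seainfo output ("expiry" is epoch milliseconds), with a second user added
so that an expired key is exercised; usernames and timestamps are made up.
"""
import json
from datetime import datetime, timezone

MS_PER_DAY = 86_400_000

SAMPLE_SEAINFO = """{
  "rootlocked": false,
  "seauserinfo": {
    "o2super_velocloud_net": {"expiry": 1641600000000, "privilege": "BASIC"},
    "o2admin_velocloud_net": {"expiry": 1638316800000, "privilege": "PRIVILEGED"}
  }
}"""

def to_iso(epoch_ms: int) -> str:
    """Render an epoch-millisecond expiry as a UTC ISO-8601 timestamp."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def key_state(expiry_ms: int, now_ms: int, warn_days: int = 7) -> str:
    """Classify a key as expired, expiring (within warn_days) or valid."""
    remaining = expiry_ms - now_ms
    if remaining <= 0:
        return "expired"
    if remaining <= warn_days * MS_PER_DAY:
        return "expiring"
    return "valid"

def audit_seainfo(text: str, now_ms: int, warn_days: int = 7) -> dict:
    """Parse seainfo output and return the per-user key status.

    Result shape: {"rootlocked": bool, "users": {username: {"privilege": str,
    "expires_at": iso_string, "state": "expired" | "expiring" | "valid"}}}.
    """
    doc = json.loads(text)
    users = {}
    for name, info in doc.get("seauserinfo", {}).items():
        expiry = int(info["expiry"])
        users[name] = {
            "privilege": info.get("privilege", "BASIC"),
            "expires_at": to_iso(expiry),
            "state": key_state(expiry, now_ms, warn_days),
        }
    return {"rootlocked": bool(doc.get("rootlocked", False)), "users": users}

def keys_to_rotate(text: str, now_ms: int, warn_days: int = 7) -> list:
    """Usernames whose key is expired or about to expire. Only one key pair
    exists per user at a time, so rotation means revoking the old key and
    adding a new one (Revoke SSH Keys, Add SSH Key)."""
    report = audit_seainfo(text, now_ms, warn_days)
    return sorted(name for name, u in report["users"].items() if u["state"] != "valid")

if __name__ == "__main__":
    NOW_MS = 1639008000000  # constructed "now": 2021-12-09T00:00:00Z
    report = audit_seainfo(SAMPLE_SEAINFO, NOW_MS)
    print("rootlocked:", report["rootlocked"])
    for name, u in report["users"].items():
        print(f"{name}: {u['privilege']:10} expires {u['expires_at']} -> {u['state']}")
    print("rotate:", keys_to_rotate(SAMPLE_SEAINFO, NOW_MS))
```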
tcpdump
o10test_velocloud_net:velocli> tcpdump -nnpi eth0 -c 10
reading from file -, link-type EN10MB (Ethernet)
09:45:12.297381 IP6 fd00:1:1:2::2.2426 > fd00:ff01:0:1::2.2426: UDP, length 21
09:45:12.300520 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 21
09:45:12.399077 IP6 fd00:1:1:2::2.2426 > fd00:ff01:0:1::2.2426: UDP, length 21
09:45:12.401382 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 21
09:45:12.442927 IP6 fd00:1:1:2::2.2426 > fd00:ff01:0:1::2.2426: UDP, length 83
09:45:12.444745 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 83
09:45:12.476765 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 64
09:45:12.515696 IP6 fd00:ff02:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 21
pcap
o10test_velocloud_net:velocli> pcap -nnpi eth4 -c 10
The capture will be saved to file o10test_velocloud_net_2021-12-09_09-57-50.pcap
o10test_velocloud_net:velocli> tcpdump: listening on eth4, link-type EN10MB (Ethernet),
capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
debug
o10test_velocloud_net:velocli> debug --dpdk_ports_dump
name        port  link  ignore  strip  speed  duplex  autoneg  driver
ge3         0     1     0       1      1000   1       1        igb
ge6         4     0     2       1      0      0       1        ixgbe
ge5         5     0     2       1      0      0       1        ixgbe
ge4         1     0     2       1      0      0       0        igb
sfp2        2     0     2       1      0      0       1        ixgbe
sfp1        3     0     2       1      0      0       1        ixgbe
net_vhost0  6     0     0       1      10000  1       0
net_vhost1  7     0     0       1      10000  1       0
diag
o10test_velocloud_net:velocli> diag ARP_DUMP --count 10
Stale Timeout: 2min | Dead Timeout: 25min | Cleanup Timeout: 240min
GE3
192.168.1.254 7c:12:61:70:2f:d0 ALIVE 1s
LAN-VLAN1
10.10.1.137 b2:84:f7:c1:d3:a5 ALIVE 34s
ifstatus
o10test:velocli> ifstatus
{
  "deviceBoardName": "EDGE620-CPU",
  "deviceInfo": [],
  "edgeActivated": true,
  "edgeSerial": "HRPGPK2",
  "edgeSoftware": {
    "buildNumber": "R500-20210821-DEV-301514018f\n",
    "version": "5.0.0\n"
  },
  "edgedDisabled": false,
  "interfaceStatus": {
    "GE1": {
      "autonegotiation": true,
      "duplex": "Unknown! (255)",
      "haActiveSerialNumber": "",
      "haEnabled": false,
      "haStandbySerialNumber": "",
      "ifindex": 4,
      "internet": false,
      "ip": "",
      "is_sfp": false,
      "isp": "",
      "linkDetected": false,
      "logical_id": "",
      "mac": "18:5a:58:1e:f9:22",
      "netmask": "",
      "physicalName": "ge1",
      "reachabilityIp": "8.8.8.8",
      "service": false,
      "speed": "Unkn",
      "state": "DEAD",
      "stats": {
        "bpsOfBestPathRx": 0,
        "bpsOfBestPathTx": 0
      },
      "type": "LAN"
    },
    "GE2": {
      "autonegotiation": true,
      "duplex": "Unknown! (255)",
      "haActiveSerialNumber": "",
      "haEnabled": false,
      …
      …
    }
  }
}
getwanconfig
o10test_velocloud_net:velocli> getwanconfig GE3
{
  "details": {
    "autonegotiation": "on",
    "driver": "dpdk",
    "duplex": "",
    "gateway": "169.254.7.9",
    "ip": "169.254.7.10",
    "is_sfp": false,
    "linkDetected": true,
    "mac": "00:50:56:8e:46:de",
    "netmask": "255.255.255.248",
    "password": "",
    "proto": "static",
    "speed": "",
    "username": "",
    "v4Disable": false,
    "v6Disable": false,
    "v6Gateway": "fd00:1:1:1::1",
    "v6Ip": "fd00:1:1:1::2",
    "v6Prefixlen": 64,
    "v6Proto": "static",
    "vlanId": ""
  },
  "status": "OK"
}
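Because seainfo and ifstatus both return JSON, a routine posture check over a fleet of Edges can be scripted from their output rather than read by eye. The following Python is an added example, not part of this guide or of the Edge software. The seainfo sample is constructed from the output shown above; the ifstatus sample is trimmed to two interfaces, where GE1 is the DEAD LAN port from the sample and the GE3 entry is an assumption built from the getwanconfig GE3 values, since the page does not show its ifstatus record. The checks (root lock state, secure-access user expiry, interfaces without link) are the ones I would want on a report, and the seven-day expiry warning is an assumed threshold.

```python
import json
from datetime import datetime, timezone

# Constructed from the seainfo sample above.
SEAINFO_SAMPLE = """{
  "rootlocked": false,
  "seauserinfo": {
    "o2super_velocloud_net": {"expiry": 1641600000000, "privilege": "BASIC"}
  }
}"""

# Constructed from the ifstatus sample above, trimmed to two interfaces.
# GE1 is the DEAD LAN port from the sample; GE3 is assumed (its address is
# taken from the getwanconfig GE3 output, not from an ifstatus record).
IFSTATUS_SAMPLE = """{
  "edgeActivated": true,
  "edgeSerial": "HRPGPK2",
  "edgeSoftware": {"buildNumber": "R500-20210821-DEV-301514018f\\n", "version": "5.0.0\\n"},
  "interfaceStatus": {
    "GE1": {"linkDetected": false, "state": "DEAD", "ip": "", "type": "LAN", "internet": false},
    "GE3": {"linkDetected": true, "state": "ALIVE", "ip": "169.254.7.10", "type": "WAN", "internet": true}
  }
}"""

MS_PER_DAY = 86_400_000


def expiry_iso(expiry_ms):
    """seainfo reports expiry as epoch milliseconds; render it as UTC ISO-8601."""
    return datetime.fromtimestamp(expiry_ms / 1000, tz=timezone.utc).isoformat()


def check_seainfo(text, now_ms, warn_days=7):
    """Findings on root lock state and secure-access user expiry (list of strings)."""
    info = json.loads(text)
    findings = []
    if not info.get("rootlocked", False):
        findings.append("root account is not locked")
    for user, entry in info.get("seauserinfo", {}).items():
        remaining = (entry["expiry"] - now_ms) / MS_PER_DAY
        if remaining < 0:
            findings.append(f"{user}: access expired {-remaining:.1f} days ago "
                            f"({expiry_iso(entry['expiry'])})")
        elif remaining < warn_days:
            findings.append(f"{user}: {entry['privilege']} access expires in "
                            f"{remaining:.1f} days ({expiry_iso(entry['expiry'])})")
    return findings


def check_ifstatus(text):
    """Software version/build and the interfaces that are not up."""
    info = json.loads(text)
    sw = info["edgeSoftware"]
    down = sorted(
        name for name, itf in info["interfaceStatus"].items()
        if itf.get("state") != "ALIVE" or not itf.get("linkDetected", False)
    )
    return {
        # The sample carries a trailing newline inside these strings; strip it
        # before comparing against an expected build.
        "version": sw["version"].strip(),
        "build": sw["buildNumber"].strip(),
        "activated": bool(info.get("edgeActivated", False)),
        "serial": info.get("edgeSerial", ""),
        "down_interfaces": down,
    }


if __name__ == "__main__":
    now_ms = int(datetime.now(tz=timezone.utc).timestamp() * 1000)
    for finding in check_seainfo(SEAINFO_SAMPLE, now_ms):
        print("seainfo:", finding)
    print("ifstatus:", check_ifstatus(IFSTATUS_SAMPLE))
```

Run against the real command output, `check_seainfo` flags an unlocked root account and secure-access grants that are about to lapse or have lapsed, which is the information you need to decide whether a grant should be renewed or allowed to expire; `check_ifstatus` gives the build string and the list of interfaces to chase on each Edge.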
• Manage Gateways
Gateways can be organized into pools that are then assigned to a network. An unpopulated
default Gateway pool is available after you install SD-WAN Orchestrator. If required, you can
create additional Gateway Pools.
Note Your Operator should have provided you access to manage the Gateway Pools and
Gateways. If the Gateway Pools option is not available in your portal, contact your Operator.
The Gateway Pools window displays the existing Gateway pools with the following options:
• Search – Enter a term to search for a specific detail. Click the drop-down arrow to filter the
view by specific criteria.
• Cols – Click and select the columns to be shown or hidden in the view.
• Refresh – Click to refresh the details displayed with the most current data.
• IP Version – Displays whether the Gateway Pool is enabled with IPv4 addresses only or with both
IPv4 and IPv6 addresses.
• Customers – Displays the number of Enterprise Customers associated with the Gateway Pool.
• Partner Gateway – Displays the Partner Gateway hand off setting of the pool. The available
options are None, Allow, and Partner Gateways.
• Managed Pool – Displays whether the Partner can manage the Gateway Pool.
• New Gateway Pool – Creates a new Gateway Pool. See Create New Gateway Pool.
• Clone Gateway Pool – Creates a new Gateway Pool by cloning the existing configuration
from the selected Gateway Pool. See Clone a Gateway Pool.
• Delete Gateway Pool – Deletes the selected Gateway Pool. You cannot delete a Gateway
Pool that is already being used by an Enterprise Customer.
Procedure
1 In the Gateway Pools page, click Actions > New Gateway Pool.
c Partner Gateway Hand Off – This option determines the method to hand off the
Gateways to Partners. Choose one of the following options from the drop-down list:
• None – Select this option when Partner Gateway hand off is not required.
• Allow – Select this option when you want the Gateway Pool to support a mix of both
Partner Gateways and Cloud Gateways.
• Only Partner Gateways – Select this option when Edges in the Enterprise should not
be assigned Cloud Gateways from the pool and should be assigned only the
Gateways that are set for the individual Edge.
d Association Type – Choose one of the following address types with which the Gateway
Pool should be enabled.
• IPv4 and IPv6 – Allows adding Gateways with IPv4 and IPv6 addresses.
Note If you want to use Edges with IPv6 support, then choose IPv4 and IPv6.
3 Click Create.
What to do next
Configure the Gateway Pool by adding Gateways to the Pool. See Configure Gateway Pools.
Procedure
1 In the Gateway Pools page, select the Gateway Pool that you want to clone and click Actions
> Clone Gateway Pool.
The Gateway Pool clones the existing configuration from the selected Gateway Pool. If
required, you can modify the details. For more information on the options, see Create New
Gateway Pool.
What to do next
Configure the Gateway Pool by adding Gateways to the Pool. See Configure Gateway Pools.
Whenever you create a new Gateway Pool or clone a Pool, you are redirected to the Gateway
Pool Properties page to configure the properties of the Pool.
Note You can configure only a Gateway pool created by a Partner User or a Partner Managed
Gateway pool created by your Operator.
Procedure
1 In the Partner portal, click Gateway Pools. In the Gateway Pools page, the existing Gateway
Pools are displayed.
a In the Properties section, the existing Name, Description, Partner Gateway Hand Off
details, and the Association Type are displayed. If required, you can modify these details.
b In the Gateways In Pool section, click Manage to add Gateways to the Pool.
c In the Assign Gateways window that appears, move the required Gateways from the
Available pane to Assigned pane using the Arrows.
Click OK.
Results
The configured Gateway Pools are displayed in the Gateway Pools page.
What to do next
You can associate the Gateway Pool to an Enterprise Customer. The Edges available in the
Enterprise are connected to the Gateways available in the Pool.
Gateways can be organized into pools that are then assigned to a network. An unpopulated
default Gateway pool is available after you install SD-WAN Orchestrator. If required, you can
create additional Gateway pools.
As a Partner Super user or Partner Admin user, you can create, manage, download, and delete
Gateway pools created by a Partner user or Partner Managed Gateway pools created by the
Operator.
Note The Gateway pools feature is not supported for the Partner Business Specialist user and
the Partner IT support user.
The New Gateway Pool and Download options are available only for Partners with Gateway
management access activated. If Gateway management access is deactivated for a Partner,
then the Partner has only read-only permission for the configured Gateway pools. To
request Gateway Management access, Partners must contact the Operator Super user.
2 In the New Orchestrator UI, click the Gateway Management tab and go to Gateway Pools in
the left navigation pane.
3 To search for a specific Gateway pool, enter a relevant search text in the Search box. For
advanced search, click the filter icon next to the Search box to filter the results by specific
criteria.
4 The Map Distribution section displays the Gateways on a map. You can click the
+ and - buttons to zoom the map in and out, respectively. In the Gateway Pools table,
if you have selected any Gateway pools, only the Gateways in the selected pools are
displayed on the map. Otherwise, all Gateways are displayed on the map.
The Gateway Pools table displays the existing Gateway pools with the following details.
Field Description
On the Gateway Pools page, you can perform the following activities:
• New Gateway Pool – Creates a new Gateway pool. See Create New Gateway Pool with
New Orchestrator UI.
• Clone – Creates a new Gateway pool by cloning the existing configuration from the
selected Gateway pool. See Clone a Gateway Pool with New Orchestrator UI.
• Download – Downloads a CSV file for all Gateway pools or the selected Gateway pool.
• Delete – Deletes the selected Gateway pool. You cannot delete a Gateway pool that is
already being used by an Enterprise Customer.
• You can also configure an existing Gateway pool by clicking the name link of the
Gateway pool. See Configure Gateway Pools with New Orchestrator UI.
Procedure
1 In the new UI, click the Gateway Management tab and go to Gateway Pools in the left
navigation pane.
3 In the New Gateway Pool dialog, configure the following details and click Create.
Field Description
Partner Gateway Hand Off – This option determines the method to hand off the Gateways to Partners.
Choose one of the following options from the drop-down list:
• None – Select this option when Partner Gateway hand off is not required.
• Allow – Select this option when you want the Gateway pool to support a mix of both Partner
Gateways and Cloud Gateways.
• Only Partner Gateways – Select this option when Edges in the Enterprise should not be assigned
Cloud Gateways from the pool and should be assigned only the Gateways that are set for an
individual Edge.
What to do next
• Configure the Gateway pool by adding Gateways to the pool. See Configure Gateway Pools
with New Orchestrator UI.
Procedure
1 In the new UI, click the Gateway Management tab and go to Gateway Pools in the left
navigation pane.
2 In the Gateway Pools table, select the Gateway pool that you want to clone and click Clone.
The New Gateway Pool dialog with the cloned settings appears.
The Gateway pool clones the existing configuration from the selected Gateway pool. If
required, you can modify the details. For more information on the options, see Create New
Gateway Pool.
What to do next
Configure the Gateway pool by adding Gateways to the pool. See Configure Gateway Pools with
New Orchestrator UI.
Whenever you create a new Gateway pool or clone a pool, you are redirected to the Gateway
Pool Overview page to configure the properties of the pool.
Note You can configure only a Gateway pool created by a Partner User or a Partner Managed
Gateway pool created by your Operator.
Procedure
1 In the new UI, click the Gateway Management tab and go to Gateway Pools in the left
navigation pane.
2 Click the name link to a Gateway pool that you want to configure.
a In the Properties section, the existing Name, Description, Partner Gateway Hand Off
details, and the Association Type are displayed. If required, you can modify these details.
b In the Gateways in Pool section, click Manage to add Gateways to the pool.
c In the Assign Gateways to Gateway pool dialog, move the required Gateways from the
Available pane to Assigned pane using the Arrows and click Update.
4 The Gateways assigned to the selected Gateway pool are displayed as follows.
Results
The configured Gateway pools are displayed in the Gateway Pools page.
What to do next
You can associate the Gateway pool to an Enterprise Customer. The Edges available in the
Enterprise are connected to the Gateways available in the pool.
Manage Gateways
VMware SD-WAN Gateways are a distributed network of gateways, deployed around the world
or on-premises at service providers, that provides scalability, redundancy, and on-demand flexibility.
The SD-WAN Gateways optimize data paths to all applications, branches, and data centers, along
with the ability to deliver network services to and from the cloud.
By default, Gateways named gateway-1 and gateway-2 are available when you install
SD-WAN Orchestrator. If required, you can create additional Gateways.
The Gateways window displays the existing Gateways with the following options:
• Search – Enter a term to search for a specific detail. Click the drop-down arrow to filter the
view by specific criteria.
• Cols – Click and select the columns to be shown or hidden in the view.
• Refresh – Click to refresh the details displayed with the most current data.
Column Description
Super Gateway – The number of customers for which the Gateway has been chosen as a Super Gateway,
which is a common route reflector for all Edges.
Secure VPN Gateway – Displays whether Secure VPN Gateway has been enabled on the Gateway, which
allows the Gateway to be chosen as an endpoint for initiating Non SD-WAN Destination tunnels.
Note The following options are available only for Partners with Gateway management access
activated. If Gateway management access is deactivated, the Partner has only read access and
cannot manage or configure Gateways.
• Delete Gateway – Deletes the selected Gateway. You cannot delete a Gateway that is
already being used by an Enterprise Customer.
Procedure
Note
• Once you have created a Gateway, you cannot modify the IP addresses.
• Releases 4.3.x and 4.4.x support Greenfield deployment of Gateways for IPv6. If you
have upgraded a Gateway from a version earlier than 4.3.0, you cannot
configure the upgraded Gateway with an IPv6 address.
• Release 4.5.0 supports both Greenfield and Brownfield deployment of Gateways
for IPv6. If you have upgraded a Gateway from a version earlier than 4.5.0,
you can dynamically configure an IPv6 address for the Gateway.
d Service State – Select the service state of the Gateway from the drop-down list. The
following options are available:
• Quiesced: The Gateway service is quiesced or paused. Select this state for backup or
maintenance purposes.
e Gateway Pool – Select the Gateway Pool from the drop-down list to which the Gateway
will be assigned.
f Authentication Mode – Select the authentication mode of the Gateway from the following
available options:
• Certificate Acquire: This option is selected by default and instructs the Gateway to
acquire a certificate from the certificate authority of the SD-WAN Orchestrator, by
generating a key pair and sending a certificate signing request to the Orchestrator.
Once acquired, the Gateway uses the certificate for authentication to the SD-WAN
Orchestrator and for establishment of VCMP tunnels.
Note After acquiring the certificate, the option can be updated to Certificate
Required.
i Click Create.
Results
Once you create a new Gateway, you are redirected to the Configure Gateways page, where
you can configure additional settings for the newly created Gateway.
What to do next
Configure Gateways
You can configure the properties and other details of a Gateway in the Partner portal.
When you create a new Gateway, you are automatically redirected to the Configure Gateways
page.
Note You can configure only a Gateway created by a Partner User or a Partner Managed
Gateway created by your Operator.
Procedure
2 The Gateways page displays the list of available Gateways. Click the link to a Gateway. The
details of the selected Gateway are displayed in the Configure Gateways page.
Properties – In this section, the existing Name and Description of the selected Gateway are
displayed. If required, you can modify the information.
You can also configure the following additional details:
Option Description
Service State – Select the Service State of the Gateway from the following available options:
• In Service: The Gateway is connected and available.
• Out of Service: The Gateway is not connected.
• Quiesced: The Gateway service is quiesced or paused. Select this state for backup or maintenance
purposes.
Gateway Authentication Mode – Select the authentication mode of the Gateway from the following
available options:
• Certificate Deactivated: The Gateway uses a pre-shared key mode of authentication.
• Certificate Acquire: This option is selected by default and instructs the Gateway to acquire a
certificate from the certificate authority of the SD-WAN Orchestrator, by generating a key pair and
sending a certificate signing request to the Orchestrator. Once acquired, the Gateway uses the
certificate for authentication to the SD-WAN Orchestrator and for establishment of VCMP tunnels.
Partner Gateway (Advanced Handoff) Details – This section is available if you select the
Partner Gateway checkbox and you can configure the following settings:
Option Description
Static Routes – Specify the subnets or routes that the SD-WAN Gateway should advertise to the SD-WAN Edge.
This is global per SD-WAN Gateway and applies to ALL customers. With BGP, this section is used only if there is a
shared subnet that all customers need to access and if NAT handoff is required.
Remove the unused subnets from the Static Route list if you do not have any subnets that you need to advertise
to the SD-WAN Edge and the handoff is of type NAT.
You can click the IPv4 or IPv6 tab to configure the corresponding address type for the Subnets.
ICMP Failover Probe – The SD-WAN Gateway uses an ICMP probe to check the reachability of a particular IP
address and notifies the SD-WAN Edge to fail over to the secondary Gateway if the IP address is not reachable.
This option supports only IPv4 addresses.
VLAN Tagging – Select the VLAN tag from the drop-down list to apply to the ICMP probe packets. The
following are the available options:
• None – Untagged
• 802.1q – Single VLAN tag
• 802.1ad / QinQ(0x8100) / QinQ(0x9100) – Dual VLAN tag
ICMP Responder – Enabled: Allows the SD-WAN Gateway to respond to the ICMP probe from the next hop router
when the tunnels are up. This option supports only IPv4 addresses.
IP address – Enter the virtual IP address that will respond to the ping requests.
Note The ICMP probe parameters are optional and recommended only if you want to
use ICMP to check the health of the SD-WAN Gateway. With BGP support on the Partner
Gateway, using an ICMP probe for failover and route convergence is no longer required. For
more information on configuring BGP support and handoff settings for a Partner Gateway,
see Configure Partner Handoff.
Contact & Location – The existing contact details are displayed in this section. If required, you
can modify the information.
Syslog Settings – Beginning with the 4.5 release, Gateways can export NAT information via a
remote syslog server or via telegraf to the desired destination. For more information, see the
Configure NAT Entry Syslog for Gateways section in the VMware SD-WAN Operator Guide
published at https://docs.vmware.com/en/VMware-SD-WAN/index.html.
Cloud Web Security - This section allows you to configure the Generic Network Virtualization
Encapsulation (Geneve) endpoint IP address and Points-of-Presence (PoP) name for Cloud
Web Security, if the Cloud Web Security Gateway Role is enabled.
Customer Usage – This section displays the usage details of different types of Gateways
assigned to the customers.
Pool Membership – This section displays the details of the Gateway pools to which the
current Gateway is assigned.
Monitor Gateways
You can monitor the status and usage data of Gateways available in the Partner portal.
Procedure
3 Click the link to a Gateway. The details of the selected Gateway are displayed.
4 Click the Monitor tab to view the usage data of the selected Gateway.
Results
The Monitor tab of the selected Gateway displays the following details:
At the top of the page, you can choose a specific time period to view the details of the Gateway
for the selected duration.
The page displays a graphical representation of the following parameters for the selected time
period, along with the minimum, maximum, and average values.
• Handoff Queue Drops – Total number of packets dropped from a queue since the Gateway
was last rebooted. Occasional drops are expected, usually caused by a large burst of traffic.
However, a consistent increase in handoff queue drops usually indicates a Gateway capacity
issue.
• Tunnel Count – Count of tunnel sessions for both IPv4 and IPv6 addresses.
You can also view the details using the new Orchestrator UI. See Monitor Gateways with New
Orchestrator UI.
By default, Gateways named gateway-1 and gateway-2 are available when you install
SD-WAN Orchestrator. If required, you can create additional Gateways.
Partner Super users and Partner Admins with Gateway management access activated can create,
manage, and delete Gateways created by a Partner or Partner managed Gateways created by an
Operator. Partner IT support users can only view the configured Gateways.
If Gateway management access is deactivated for a Partner, then the Partner has only
read-only permission for the configured Gateways. To request Gateway Management access,
Partners must contact the Operator Super user.
Note The Gateways feature is not supported for the Partner Business Specialist user.
2 In the New Orchestrator UI, click the Gateway Management tab and go to Gateways in the
left navigation pane.
To search for a specific Gateway, enter a relevant search text in the Search box. For advanced
search, click the filter icon next to the Search box to filter the results by specific criteria.
The Map Distribution section displays the Gateways on a map. You can click the +
and - buttons to zoom the map in and out, respectively.
The Gateways table displays the existing Gateways with the following details.
Field Description
• New Gateway – Creates a new Gateway. See Create New Gateway with New Orchestrator UI.
• Delete Gateway – Deletes the selected Gateway. You cannot delete a Gateway that is
already being used by an Enterprise Customer.
• Support Request – Redirects to a Knowledge Base article that has instructions on how to file
a support request.
Procedure
1 In the new UI, click the Gateway Management tab and go to Gateways in the left navigation
pane.
Field Description
Service State – Select the service state of the Gateway from the drop-down list. The following
options are available:
• In Service – The Gateway is connected and available.
• Out of Service – The Gateway is not connected.
• Quiesced – The Gateway service is quiesced or paused. Select this state for backup or maintenance
purposes.
Gateway Pool – Select the Gateway Pool from the drop-down list to which the Gateway will be assigned.
Note
• Once you have created a Gateway, you cannot modify the IP addresses.
• Releases 4.3.x and 4.4.x support Greenfield deployment of Gateways for IPv6. If you have
upgraded a Gateway from a version earlier than 4.3.0, you cannot configure the
upgraded Gateway with an IPv6 address.
• Release 4.5.0 supports both Greenfield and Brownfield deployment of Gateways for
IPv6. If you have upgraded a Gateway from a version earlier than 4.5.0, you can
dynamically configure an IPv6 address for the Gateway.
Results
Once you create a new Gateway, you are redirected to the Configure Gateways page, where
you can configure additional settings for the newly created Gateway.
What to do next
To configure additional settings for the Gateway, see Configure Gateways with New Orchestrator
UI.
Note You can configure only a Gateway created by a Partner user or a Partner managed
Gateway created by your Operator.
Procedure
1 In the new UI, click the Gateway Management tab and go to Gateways in the left navigation
pane.
2 Click the link to a Gateway that needs to be configured for additional settings. The details of
the selected Gateway are displayed in the Configure > Gateways page.
Field Description
Contact & Location – Displays the existing contact details. If required, you can modify the information.
Syslog Settings – Beginning with the 4.5 release, Gateways can export NAT information via a remote
syslog server or via telegraf to the desired destination. For more information, see the Configure NAT
Entry Syslog for Gateways section in the VMware SD-WAN Operator Guide published at
https://docs.vmware.com/en/VMware-SD-WAN/index.html.
Pool Membership – Displays the details of the Gateway pools to which the current Gateway is assigned.
Partner Gateway (Advanced Handoff) Details – This section is available only if you select the Partner
Gateway checkbox. You can configure advanced handoff settings for the Partner Gateway. For more
information, see the Partner Gateway (Advanced Handoff) Details section below.
Cloud Web Security – This section allows you to configure the Generic Network Virtualization
Encapsulation (Geneve) endpoint IP address and Points-of-Presence (PoP) name for Cloud Web Security,
if the Cloud Web Security Gateway Role is enabled.
You can configure the following advanced handoff settings for the Partner Gateway:
Option Description
Static Routes | Subnets – Specify the subnets or routes that the SD-WAN Gateway should advertise to the
SD-WAN Edge. This is global per SD-WAN Gateway and applies to ALL customers. With BGP, this section is used
only if there is a shared subnet that all customers need to access and if NAT handoff is required.
Remove the unused subnets from the Static Route list if you do not have any subnets that you need to advertise
to the SD-WAN Edge and the handoff is of type NAT.
You can click the IPv4 or IPv6 tab to configure the corresponding address type for the Subnets.
ICMP Failover Probe – The SD-WAN Gateway uses an ICMP probe to check the reachability of a particular IP
address and notifies the SD-WAN Edge to fail over to the secondary Gateway if the IP address is not reachable.
This option supports only IPv4 addresses.
VLAN Tagging – Select the VLAN tag from the drop-down list to apply to the ICMP probe packets. The
following are the available options:
• None – Untagged
• 802.1q – Single VLAN tag
• 802.1ad / QinQ(0x8100) / QinQ(0x9100) – Dual VLAN tag
ICMP Responder – Allows the SD-WAN Gateway to respond to the ICMP probe from the next hop router when the
tunnels are up. This option supports only IPv4 addresses.
IP address – Enter the virtual IP address that will respond to the ping requests.
Note The ICMP probe parameters are optional and recommended only if you want to
use ICMP to check the health of the SD-WAN Gateway. With BGP support on the Partner
Gateway, using an ICMP probe for failover and route convergence is no longer required. For
more information on configuring BGP support and handoff settings for a Partner Gateway,
see Configure Partner Handoff.
Procedure
3 Click Map Distribution to expand and view the locations of the Gateways in the Map. By
default, this view is collapsed.
4 You can also click the arrow before each SD-WAN Gateway's name to view more details.
• Status – Current status of the SD-WAN Gateway. The status may be one of the
following: Connected, Degraded, Never Activated, Not in Use, Offline, Out of Service,
or Quiesced.
• Service State – Service state of the SD-WAN Gateway. The state may be one of the
following: Historical, In Service, Out of Service, Pending Service, or Quiesced.
5 In the Search field, enter a term to search for specific details. Click the Filter icon to filter the
view by a specific criterion.
6 Click the CSV option to download a report of the SD-WAN Gateways in the CSV format.
7 Click the link to an SD-WAN Gateway to view the details of the selected SD-WAN Gateway.
The Overview tab displays the properties, status, location, customer usage, and SD-WAN
Gateway Pool of the selected SD-WAN Gateway.
Note You can only view the details of the selected Gateway, using this tab. To configure the
options, navigate to the Gateways page in the Partner portal.
8 Click the Monitor tab to view the usage details of the selected SD-WAN Gateway.
At the top of the page, you can choose a specific time period to view the details of the
Gateway for the selected duration.
The page displays a graphical representation of the following parameters for the selected
time period, along with the minimum, maximum, and average values.
• Handoff Queue Drops – Total number of packets dropped from a queue since the
Gateway was last rebooted. Occasional drops are expected, usually caused by a large
burst of traffic. However, a consistent increase in handoff queue drops usually indicates a
Gateway capacity issue.
• Tunnel Count – Count of tunnel sessions for both IPv4 and IPv6 addresses.
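Handoff Queue Drops is a cumulative counter since the last reboot, so the distinction the guide draws between an occasional burst and a consistent increase is best made on per-interval deltas rather than on the raw value. The following Python is an added example, not part of this guide or of the Orchestrator; it applies to both Monitor tab descriptions above (Partner portal and new Orchestrator UI). The counter series are constructed, the threshold of four consecutive rising intervals is an assumed tuning value, and the reset handling reflects the guide's statement that the counter restarts at reboot.

```python
# Added example: trend check for a cumulative "Handoff Queue Drops" counter.
# The sample series below are constructed; one reading per polling interval.


def deltas(samples):
    """Per-interval increase of a cumulative counter.

    A value lower than its predecessor means the counter was reset (the guide
    notes it counts since the last reboot); the new value is then taken as
    the whole increase for that interval.
    """
    out = []
    for prev, cur in zip(samples, samples[1:]):
        out.append(cur if cur < prev else cur - prev)
    return out


def stats(samples):
    """Minimum, maximum and average per-interval drops, as the Monitor tab shows."""
    d = deltas(samples)
    if not d:
        return None
    return {"min": min(d), "max": max(d), "avg": sum(d) / len(d)}


def classify_drops(samples, min_consecutive=4):
    """Classify a counter series.

    'sustained' - drops increased in min_consecutive or more consecutive
                  intervals (the capacity signal the guide describes)
    'burst'     - drops occurred, but not in a sustained run
    'clean'     - no drops in the window
    """
    run = longest = 0
    for d in deltas(samples):
        run = run + 1 if d > 0 else 0
        longest = max(longest, run)
    if longest >= min_consecutive:
        return "sustained"
    if longest > 0:
        return "burst"
    return "clean"


# Constructed samples (assumed polling values, not Orchestrator data):
BURST = [100, 100, 100, 450, 450, 450, 450, 450]   # one traffic burst, then flat
SUSTAINED = [100, 120, 150, 200, 260, 330]         # rising every interval
RESET = [900, 950, 10, 10, 10, 10]                 # reboot between samples 2 and 3
CLEAN = [5, 5, 5, 5]                               # no new drops

if __name__ == "__main__":
    for name, series in [("burst", BURST), ("sustained", SUSTAINED),
                         ("reset", RESET), ("clean", CLEAN)]:
        print(f"{name:10s} {classify_drops(series):10s} {stats(series)}")
```

Polling the counter at a fixed interval and alerting only on the "sustained" verdict keeps the occasional burst the guide says to expect out of the alert stream, while a run of rising intervals surfaces the capacity problem early enough to rebalance Edges or add a Gateway.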
Gateways are configured with specific roles. For example, a Gateway with data plane role is used
to forward data plane traffic from source to destination. Similarly, a Gateway with Control Plane
role is called a Super Gateway and is assigned to an Enterprise. Edges within the Enterprise
are connected to the Super Gateway. Also, there is a Gateway with Secure VPN role that is
used to establish an IPSec tunnel to a Non SD-WAN destination (NSD). The migration steps may
vary based on the role configured for the Gateway. For more information about the Gateway
roles, see the “Configure Gateways” section in the VMware SD-WAN Operator Guide available at
VMware SD-WAN Documentation.
The following figure illustrates the migration process of the Secure VPN Gateway:
In this example, an SD-WAN Edge is connected to an NSD through a Secure VPN Gateway,
VCG1. The VCG1 Gateway is planned to be decommissioned. Before decommissioning, a new
Gateway, VCG2, is created. It is assigned the same role and attached to the same Gateway
pool as VCG1, so that VCG2 can serve as a replacement for VCG1. The service state of
VCG1 is changed to Quiesced. No new tunnels or NSDs can be added to VCG1. However, the
existing assignments remain on VCG1. Configuration changes for the IP address of
VCG2 are made in the NSD, an IPSec tunnel is established between VCG2 and the NSD, and the
traffic is switched from VCG1 to VCG2. After confirming that VCG1 is empty, it is decommissioned.
Following is the high-level workflow of Secure VPN Gateway migration based on the User roles:
• There is a minimal service disruption, depending on the time taken to switch NSDs from
the quiesced Gateway to the new Gateway and to rebalance the Edges connected to the
quiesced Gateway.
• If the NSD is configured with redundant Gateways and one of the Gateways is quiesced, the
redundant Gateway cannot be the replacement Gateway for the quiesced Gateway.
To avoid any service disruption, ensure that you migrate to the new Gateway within the
Migration Deadline mentioned in the notification email.
To migrate from a quiesced Gateway to a new Gateway, VMware recommends that you use
only the new Orchestrator UI:
Prerequisites
Before you migrate the Edges and NSDs from the quiesced Gateway to the new Gateway,
ensure that you schedule a maintenance window as traffic may be disrupted during migration.
Procedure
1 In the Enterprise portal of the new UI, go to Settings > Gateway Migration. The list of
quiesced Gateways appears.
2 Click Start for the quiesced Gateway from which you want to migrate to the new Gateway.
3 Make the required configuration changes to all the NSDs that are configured through the quiesced
Gateway.
a Click the View IKE IPSec link to view a sample configuration for the NSD. Copy the
template and customize it to suit your deployment.
b Add the IP address of the new Gateway to each NSD configured for the quiesced
Gateway.
For example, if you have configured an NSD for AWS, you must add the IP address of the
new Gateway in the NSD configuration in the AWS instance.
c After making the configuration changes to all the NSDs, select the The listed NSD site(s)
have been configured check box, and then click Next.
Note The Configure NSD Site(s) option is not available for NSDs configured automatically as
well as for Gateways with Data Plane role that are not attached to any NSDs.
4 Select each NSD and click Switch Gateway to switch the traffic from the quiesced Gateway to
the new Gateway.
a In the Switch Gateway pop-up window, select the The NSD site has been configured
check box to confirm that you have made the required configuration changes to the NSD.
It may take a few minutes to verify the tunnel status. The IP address of the quiesced
Gateway is replaced with the IP address of the new Gateway so that the traffic switches
to the new Gateway. The Migration Status changes to "NSD Tunnels are up and running".
If the Switch Gateway action fails, see What to do When Switch Gateway Action Fails.
c Click Next.
Note The Switch Gateway option is not available for Gateways with Data Plane role that
are not attached to any NSDs.
5 Rebalance either all Edges or the required Edges that are connected to the quiesced
Gateway so that the Edges get reassigned to the new Gateway.
Results
Go to the Gateway Migration page to review the migration steps, if required. The Gateways that
have been migrated remain in this page until the Migration Deadline assigned for the quiesced
Gateway. After the Migration Deadline, you can view the history of migration events in the
Monitor > Events page.
Procedure
1 In the Enterprise portal, launch the new Orchestrator UI, and then go to the Gateway
Migration page. For instruction to navigate to this page, see Migrate Quiesced Gateways.
2 Under the Switch Gateways step of the Migration Wizard, select the NSD for which the
Switch Gateway action failed, and then click Retry Tunnel Verification.
The tunnel status is verified again to see if the Migration Status changes to "NSD Tunnels are
up and running".
If the Migration Status does not change and the Switch Gateway action fails again for the
NSD, select the NSD, and then click Undo Switch Gateway.
All configuration changes to the NSD are reverted to the original settings.
3 Click Switch Gateway again to replace the IP address of the quiesced Gateway with that of
the new Gateway and thereby switch the traffic to the new Gateway.
What to do next
Click View Events in the Gateway Migration page to view the history of migration events in the
Monitor > Events page.
Both the Partner Super user and the Partner Admin user can run diagnostics for Partner-managed
Gateways. You can request and view a diagnostic bundle only for a Gateway created by a Partner
user or a Partner Managed Gateway created by the Operator.
n Target – Select the target Gateway from the drop-down list. The data is collected from
the selected Partner Gateway.
n Reason for Generation – Optionally, you can enter your reason for generating the bundle.
n If required, click the Advanced button. The Core Limit drop-down list is displayed and
you can choose a value from the list. The Core Limit is used to reduce the size of the
uploaded bundle when the Internet connectivity is experiencing issues.
3 Click Submit.
The Gateway Diagnostic Bundles window displays the details of the bundles generated, along
with the status.
To download a generated bundle, click the Complete link or select the bundle and click Actions >
Download Diagnostic Bundles. The bundle is downloaded as a ZIP file.
Note The Request Diagnostic Bundle option is available only for Partners with Gateway
management access activated. If the Gateway management access is deactivated, then Partners
can only view the generated Diagnostic bundles. They cannot request a new Diagnostic bundle
and cannot download the generated bundle.
The completed bundles get deleted automatically on the date displayed in the Cleanup Date
column. To change the date, click the Cleanup Date link.
In the Update Cleanup Date window, choose the date on which the selected Bundle would be
deleted.
If you want to retain the Bundle, select the Keep Forever checkbox, so that the Bundle does not
get deleted automatically.
To delete a bundle manually, select the bundle and click Actions > Delete Diagnostic Bundles.
A Partner Super user or Admin with Gateway management access activated can create, manage,
and delete diagnostic bundles only for a Gateway created by a Partner or a Partner-managed
Gateway created by your Operator. Partner IT support users can only view the generated
Diagnostic bundles and download the CSV file.
Note The Diagnostic bundles feature is not supported for the Partner Business Specialist user.
1 In the new UI, click the Gateway Management tab and select Diagnostic Bundles in the left
navigation pane.
The Diagnostic Bundles page appears with the existing diagnostic bundles.
3 In the Request Diagnostic Bundle dialog, configure the following details and click Submit.
Table 17-1.
n Target – Select the target Gateway from the drop-down list. The data is collected from the
selected Gateway.
n Reason for Generation – Optionally, you can enter your reason for generating the bundle.
n Core Limit – Select a Core Limit value from the drop-down, which is used to reduce the size of
the uploaded bundle when the Internet connectivity is experiencing issues.
Note The Request Diagnostic Bundle and Download Bundle options are available only for
Partners with Gateway management access activated. If the Gateway management access is
deactivated for a Partner, then the Partner can only view the generated Diagnostic bundles
and download only the CSV file, but cannot request a new Diagnostic bundle or download
the generated bundle. To request Gateway Management access, Partners should contact the
Operator Super user.
The Diagnostic Bundles page displays the details of the bundle being generated, along with the
status.
To search a specific diagnostic bundle, enter a relevant search text in the Search box. For
advanced search, click the filter icon next to the Search box to filter the results by specific
criteria.
To download a generated bundle, click the link next to Complete in the Request Status column or
select the bundle and click Download Bundle. The bundle is downloaded as a ZIP file.
You can send the downloaded bundle to a VMware Support representative for debugging the
data.
In the Update Cleanup Date dialog, choose the date on which the selected Bundle would be
deleted.
If you want to retain the Bundle, select the Keep Forever checkbox, so that the Bundle does not
get deleted automatically.
A Partner Super user or Admin with Gateway management access activated can create, manage,
and delete Packet Capture (PCAP) bundles only for a Gateway created by a Partner or a Partner-
managed Gateway created by your Operator. Partner IT support users can only view the
generated PCAP bundles and download the CSV file.
Note The Diagnostic bundles feature is not supported for the Partner Business Specialist user.
1 In the new UI, click the Gateway Management tab and select Diagnostic Bundles in the left
navigation pane.
The Diagnostic Bundles page appears with the existing diagnostic bundles.
3 In the Request PCAP Bundle dialog, configure the following details and click Generate.
n Reason for Generation – Optionally, you can enter your reason for generating the bundle.
n PCAP Filters – You can define PCAP filters to control the PCAP data to be generated by
choosing the following options:
  n IP1 - Enter an IPv4 address, or IPv6 address, or Subnet mask.
  n IP2 - Enter an IPv4 address, or IPv6 address, or Subnet mask.
  n IP1:Port1 - Enter a Port ID associated with IP1.
  n IP2:Port2 - Enter a Port ID associated with IP2.
  n Protocol - Select a protocol from the list.
n Advanced Filters – You can define free-form filters to control the PCAP data to be generated.
Note The Request Diagnostic Bundle and Request PCAP Bundle options are available
only for Partners with Gateway management access activated. If the Gateway management
access is deactivated for a Partner, then the Partner can only view the generated Diagnostic
bundles and download only the CSV file, but cannot request a new Diagnostic or PCAP
bundle or download the generated bundle. To request Gateway Management access,
Partners should contact the Operator Super user.
The Diagnostic Bundles page displays the details of the PCAP bundle being generated, along
with the status.
4 To download a generated bundle, click the link next to Complete in the Request Status
column or select the bundle and click Download Bundle. The bundle is downloaded as a ZIP
file.
5 The completed bundles get deleted automatically on the date displayed in the Cleanup Date
column. To change the date, click the Cleanup Date link, or select the bundle and click More >
Update Cleanup Date.
This method eliminates the need for an activation link. Using this feature, the Service Provider can
preconfigure the Edges and have them shipped to the customers. The customers just need to
power on the Edges and connect the cables to the internet to activate the Edges.
This method of Edge activation is also useful when the person at the remote site is unable to
connect a laptop/tablet/phone to the SD-WAN Edge, and therefore cannot use an email or
cannot click an activation code/URL.
Note
n Zero Touch Provisioning supports Edge models: 510, 510 LTE, 6x0, and 3xx0.
n For Zero Touch Provisioning push activation to work, use the Orchestrator software version
4.3.0 or later.
As a Partner user, complete the following tasks to activate Edges using Zero Touch Provisioning:
Prerequisites
As a Partner user, ensure that you have a valid Partner Relationship Management Identifier (PRM
ID), received at the time of registering with VMware. If you do not have a valid PRM ID, contact
VMware Partner Connect. Outbound internet connectivity via DHCP is required to complete the
push activation successfully.
Procedure
2 Scroll down to the Zero Touch Provisioning Sign Up area, and then in the PRM ID field, enter
the Partner Relationship Management Identifier.
3 Click Submit.
Results
You can view the Edge inventory in the Pending Assignment tab only after the successful
validation of the PRM ID. The validation process may take up to 1 week. To view the
Edge inventory, go to Zero Touch Provisioning > Pending Assignment.
Note Only the Edges that were shipped to you after the successful completion of the sign-up
process appear in the Pending Assignment tab. Ensure that the PRM ID assigned to you is used
in all your future orders so that the inventory is reflected correctly.
What to do next
You must assign the Edges to customers and then assign profile and license to Edges. For
instructions, refer to Assign Edges to Customers.
Prerequisites
Ensure that you have signed up for Zero Touch Provisioning so that you can view the list of
Edges in the Edge Inventory page. For instructions, refer to Sign-Up for Zero Touch Provisioning.
Procedure
1 Log in to SD-WAN Orchestrator, and then go to Zero Touch Provisioning > Pending
Assignment. A list of Edge inventory with Serial number and Model appears.
2 Select all the Edges that you want to assign to customers, and then click Actions > Assign To
Customer…. The Edge Inventory Assignment modal popup appears.
3 From the Customer drop-down list, select the customer to whom you want to assign the
Edges.
4 From the Profile and Edge License drop-down lists, select the required profile and license
that you want to assign to all Edges in the inventory.
You can choose to override these settings for a specific Edge by selecting the appropriate
profile and license in the table.
5 Click OK.
Results
The Edges for which you have assigned a customer, a profile and a license appear in the
Assigned tab. The Inventory State for the assigned Edges will be Assigned to Customer and the
Edge State will be Pending.
What to do next
When your customer powers on the assigned physical Edges and connects them to the internet,
the Edges are redirected to the SD-WAN Orchestrator where they are automatically activated.
After an Edge is activated, the Edge State in the Assigned tab changes from Pending to
Activated.
If you choose to reassign an Edge that is already activated, you must deactivate the Edge, and
then reassign the Edge to another customer. For instructions about how to deactivate an Edge,
refer to Remote Actions. Once you deactivate the Edge, the Edge state changes to Offline. You
can now reassign the Edge to another customer.
Procedure
1 Log in to SD-WAN Orchestrator, and then go to Zero Touch Provisioning > Assigned.
2 Select the Edge that you want to reassign, and then click Actions > Reassign.... The Edge
Inventory Assignment modal popup appears.
3 From the Customer drop-down list, select the customer to whom you want to reassign the
Edge.
4 From the Profile and Edge License drop-down lists, select the required profile and license
that you want to assign to the Edge.
5 Click OK.
Results
Though the Edge is reassigned to the new customer, a corresponding entry still appears in the
Configure > Edges page of the customer to whom the Edge was originally assigned. Select the
logical Edge entry, and then click Actions > Delete Edge to delete the entry manually.
This method eliminates the need for an activation link. Using this feature, the Service Provider can
preconfigure the Edges and have them shipped to the customers. The customers just need to
power on the Edges and connect the cables to the internet to activate the Edges.
This method of Edge activation is also useful when the person at the remote site is unable
to connect a laptop/tablet/phone to the SD-WAN Edge, and therefore cannot use an email or
cannot click an activation code/URL.
Note
n Edge Auto-activation supports Edge models: 510, 510 LTE, 6x0, and 3xx0.
n For Edge Auto-activation to work, use the Orchestrator software version 4.3.0 or later.
As a Partner user, complete the following tasks to activate Edges using Edge Auto-activation:
Prerequisites
n As a Partner user, ensure that you have a valid Partner Relationship Management Identifier
(PRM ID), received at the time of registering with VMware. If you do not have a valid PRM ID,
contact VMware Partner Connect.
n Outbound internet connectivity via DHCP is required to complete the push activation
successfully.
Procedure
1 Log in to SD-WAN Orchestrator, and then go to Edge Management > Edge Auto-activation.
3 Click Submit.
Note You are required to enter the PRM ID only when you log in for the first time. You can
view the Edge inventory in the Available Inventory tab only after the successful validation of
the PRM ID. The validation process may take 3 to 5 days. If you enter an incorrect PRM ID,
you must contact the customer support team to get it changed.
What to do next
Only the Edges that were shipped to you after the successful completion of the sign-up process
appear in the Available Inventory tab. Ensure that the PRM ID assigned to you is used in all
your future orders so that the inventory is reflected correctly. You must assign the Edges to
customers, and then assign profile and license to Edges. For instructions, refer to Assign Edges
to Customers with New Orchestrator UI.
Prerequisites
Ensure that you have signed up for Edge Auto-activation so that you can view the list of Edges
in the Available Inventory page. For instructions, refer to Sign-Up for Edge Auto-activation with
New Orchestrator UI.
Procedure
1 Log in to SD-WAN Orchestrator, and then go to Edge Management > Edge Auto-activation.
A list of Edge inventory with Serial number and Model appears.
2 Select all the Edges that you want to assign to customers, and then click Assign To
Customer. The Edge Assignment window appears.
3 From the Customer drop-down list, select the customer to whom you want to assign the
Edges.
4 From the Profile and Edge License drop-down lists, select the required profile and license
that you want to assign to all Edges in the inventory.
Note You can choose to override these settings for a specific Edge by selecting the
appropriate profile and license in the table.
5 Click Assign.
The Edges for which you have assigned a customer, a profile and a license, appear in the
Assigned Inventory tab. The Inventory State for the assigned Edges is displayed as Assigned
to Customer and the Edge State is displayed as Pending.
6 Following are the additional options available on the Edge Auto-activation page:
n Columns – Click this option and select the checkboxes to view the required columns.
What to do next
When your customer powers on the assigned physical Edges and connects them to the internet,
the Edges are redirected to the SD-WAN Orchestrator, where they are automatically activated.
After an Edge is activated, the Edge State in the Assigned Inventory tab changes from Pending
to Activated.
If you choose to reassign an Edge that is already activated, you must deactivate the Edge, and
then reassign the Edge to another customer. For instructions about how to deactivate an Edge,
refer to Remote Actions. Once you deactivate the Edge, the Edge state changes to Offline. You
can now reassign the Edge to another customer.
Procedure
1 Log in to SD-WAN Orchestrator, and then go to Edge Management > Edge Auto-activation.
Click Assigned Inventory tab.
2 Select the Edge that you want to reassign, and then click Reassign. The Edge Reassignment
window appears.
3 From the Customer drop-down list, select the customer to whom you want to reassign the
Edge.
4 From the Profile and Edge License drop-down lists, select the required profile and license
that you want to assign to the Edge.
5 Click Reassign.
Results
Though the Edge is reassigned to the new customer, a corresponding entry still appears in the
Configure > Edges page of the customer to whom the Edge was originally assigned. Select the
logical Edge entry, and then click Delete to delete the entry manually.
Complete the following steps to activate Edges using the Email method:
1 Send an Activation Email. The administrator initiates the activation process by sending an
activation procedure email to the person that will install the Edge, typically a Site Contact. For
more information, refer to Send an Activation Email.
2 Activate the Edge Device. The individual following the instructions in the activation procedure
email will activate the Edge device. For more information, refer to Activate an Edge Device.
2 Select the SD-WAN Edge you want to activate. The Edge Overview Tab window appears.
3 As an optional step, in the Properties area, enter the serial number of the SD-WAN Edge that
will be activated in the Serial Number text field. Serial numbers are case sensitive, so make
sure that “VC” is capitalized.
Note This step is optional. However, if specified, the serial number must match the activated
SD-WAN Edge.
4 Click the Send Activation Email button to send the activation email to the Site Contact.
5 The Send Activation Email pop-up window appears. It describes the steps for the Site
Contact to complete to activate the SD-WAN Edge device.
Note
n For the SD-WAN Edge 510 LTE device, the Activation Email consists of Cellular Settings
like SIM PIN, Network, APN, and User name.
n For the 610, 620, 640, 680, and 610 LTE devices with SFP that are configured with
ADSL2/VDSL2, the Activation Email consists of configuration settings like Profile, PVC,
VPC, and so on.
6 Click the Send button to send the activation procedure email to the Site Contact.
Note The above procedure sends the activation Email with IPv4 address in the activation
link. You can send the activation link with IPv4 or IPv6 or both addresses using the new
Orchestrator UI. See the "Send Edge Activation Email with new Orchestrator UI" section in the
VMware SD-WAN Administration Guide published at https://docs.vmware.com/en/VMware-SD-
WAN/index.html.
n If you configure the SD-WAN Edge 510 LTE device, you can run the “LTE Modem
Information” diagnostic test for troubleshooting purposes. The LTE Modem Information
diagnostic test retrieves diagnostic information, such as signal strength and connection
information.
n The DSL Status diagnostic test is available only for the 610, 620, 640, and 680 devices.
Running this test will show the DSL status, which includes information such as Mode
(Standard or DSL), Profile, xDSL Mode, and so on.
For information on how to run a diagnostic test, see the VMware SD-WAN Administration Guide.
1 Connect the Edge to a power source and insert any WAN link cables or USB modems for
Internet connectivity.
2 Connect a personal computer or mobile device (with access to the activation email) to your
Edge by one of two methods:
Note The connected personal computer or mobile device cannot directly access the public
internet through the Edge device until it is activated.
a Find and connect to the Wi-Fi network that looks like velocloud- followed by three more
letters/numbers (for example, velocloud-01c) with the password vcsecret.
Note Refer to the Wi-Fi SSID from the Edge device. The default Wi-Fi is vc-wifi. The
Edge activation email provides instructions for using one or more Wi-Fi connections.
b If the Edge is not Wi-Fi capable (for example, a 6x0N model or a 3x00 model), use an
Ethernet cable to connect to either an Ethernet-equipped computer or a mobile device
with an Ethernet adapter to one of the Edge’s LAN ports.
Note For more information about using either an iOS or Android mobile device with an
Ethernet adapter to activate an Edge, refer to the below sections:
During the Edge activation, the activation status screen appears on your connected device.
The Edge downloads the configuration and software from the SD-WAN Orchestrator and
reboots multiple times to apply the software update (if the Edge has a front LED status light,
that light blinks and changes colors multiple times during the activation process).
Once the Edge activation process successfully completes, the Edge is ready for service (if
the Edge has a front LED status light, the light shows solid green). Once an Edge is
activated, it is usable for routing network traffic. In addition, more advanced functions such as
monitoring, testing, and troubleshooting are also available.
Prerequisites
Note The example used here is an Edge 540 and an iPhone 12 Pro Max. You can use other Edge
and iPhone/iPad models too.
Procedure
1 Complete the Edge configuration on the Orchestrator software. For details, refer to the
Configure Edge Device section in the VMware SD-WAN Administration Guide.
2 Navigate to Configure > Edges > Edge Overview tab, and then click the Send Activation
Email button.
3 Enter the email address of the person activating the Edge, and then click Send.
4 Power up the Edge, and then connect it to an available internet connection using an Ethernet
cable.
Note Refer to Edge Activation Guides to check details of the model you are installing to
determine the correct port.
5 Connect an Ethernet adapter to your phone, and then connect the Edge’s LAN port to the
Ethernet adapter.
Note The Edge is configured by default to acquire a DHCP IP address from the ISP on the
WAN (uplink). The Edge also assigns a DHCP address to the phone connected to the LAN
port. When the WAN connection is fully operational, the cloud LED on the front of the Edge
turns green.
6 In your iOS device, go to Settings > Ethernet. Select the appropriate interface. Under the
IPv4 Address, select Configure IP as Automatic.
7 Open the activation email from your phone, and then click the activation link displayed at the
bottom of the screen to activate your Edge. The following screenshot is an example.
8 You can see the activation progress on your phone screen. Once complete, Activation
successful message is displayed.
Results
Prerequisites
Note The example used here is an Edge 610 and a Samsung Galaxy S10+ smartphone. You can
use other Edge and Android phone models too.
Procedure
1 Complete the Edge configuration on the Orchestrator software. For details, refer to the
Configure Edge Device section in the VMware SD-WAN Administration Guide.
2 Navigate to Configure > Edges > Edge Overview tab, and then click the Send Activation
Email button.
3 Enter the email address of the person activating the Edge, and then click Send.
4 Power up the Edge, and then connect it to an available internet connection using an Ethernet
cable.
Note Refer to Edge Activation Guides to check details of the model you are installing to
determine the correct port.
5 Connect an Ethernet adapter to your phone, and then connect the Edge’s LAN port to the
Ethernet adapter.
Note The Edge is configured by default to acquire a DHCP IP address from the ISP on the
WAN (uplink). The Edge also assigns a DHCP address to the phone connected to the LAN
port. When the WAN connection is fully operational, the cloud LED on the front of the Edge
turns green.
6 Open the activation email from your phone, and then click the activation link displayed at the
bottom of the screen to activate your Edge. The following screenshot is an example.
7 You can see the activation progress on your phone screen. Once complete, Activation
successful message is displayed.
Results
There are several scenarios that require an Edge RMA reactivation. Following are the two most
common scenarios:
n Replace an Edge due to a malfunction—A typical scenario that requires an Edge RMA
reactivation occurs when a malfunctioned Edge of the same model needs replacement. For
example, a customer needs to replace a 520 Edge model with another 520 Edge model.
n Upgrade an Edge hardware model—Another common scenario that requires an Edge RMA
reactivation is when you want to replace an Edge with a different model. Usually this is due to
a scaling issue in which you have outgrown the capacity of the current Edge.
You can initiate the RMA reactivation request using one of the following methods:
Procedure
2 Click the Edge that you want to replace. The Edge Overview page appears.
3 Scroll down to the RMA Reactivation area, and then click Request Reactivation to generate a
new activation key. The status of the Edge changes to Reactivation Pending mode.
Note The reactivation key is valid for one month only. When the key expires, a warning
message is displayed. To generate a new key, click Generate New Activation Key.
4 In the RMA Serial Number field, enter the serial number of the new Edge that is to be
activated.
5 From the RMA Model drop-down list, select the hardware model of the new Edge that is to
be activated.
Note If the Serial Number and the hardware model do not match the new Edge that is to be
activated, the activation fails.
6 Click Update.
The status of the new Edge changes to Reactivation Pending and the status of the old Edge
changes to RMA Requested. To view the Edge State, go to Administration > Zero Touch
Provisioning > Assigned.
b Connect the new Edge to the power and network. Ensure that the Edge is connected to
the Internet.
Results
The new Edge is redirected to the SD-WAN Orchestrator where it is automatically activated. The
status of the new Edge changes to Activated.
What to do next
Return the old Edge to VMware so that the logical entry for the old Edge with the state RMA
Requested gets removed from the Administration > Zero Touch Provisioning > Assigned page.
Prerequisites
Procedure
2 Click the Edge that you want to replace. The Edge Overview page appears.
3 Scroll down to the RMA Reactivation area, and then click Request Reactivation to generate a
new activation key. The status of the Edge changes to Reactivation Pending mode.
Note The reactivation key is valid for one month only. When the key expires, a warning
message is displayed. To generate a new key, click Generate New Activation Key.
4 Click Send Activation Email to initiate the Edge activation Email with instructions. The Email
consists of the instructions along with the activation URL. The URL displays the Activation key
and the IP address of the SD-WAN Orchestrator.
b Connect the new Edge to the power and network. Ensure that the Edge is connected to
the Internet.
c Follow the activation instructions in the email. Click the activation link in the email to
activate the Edge.
Results
The Edge downloads the configuration and software from the SD-WAN Orchestrator and gets
activated.
What to do next
n Installation Overview
n Post-Installation Tasks
n Custom Configurations
n SNMP Integration
Installation Overview
This section provides an overview of VMware Partner Gateway installation.
n One interface is facing the private and/or public WAN network and is dedicated to receiving
VCMP encapsulated traffic from the remote edges, as well as standard IPsec traffic from Non
SD-WAN Destinations.
n Another interface is facing the datacenter and provides access to resources or networks
attached to a PE router, which the Partner Gateway is connected to. The PE router typically
affords access to shared managed services that are extended to the branches, or access to a
private (MPLS / IP-VPN) core network in which individual customers are separated.
n CPU: Intel XEON (10 cores minimum to run a single 8-core gateway VM) with a minimum clock
speed of 2.0 GHz is required to achieve maximum performance.
n ESXi vmxnet3 network scheduling functions must have 2 cores reserved per Gateway
virtual machine (VM), regardless of the number of cores assigned to the Gateway.
n Example: Assume there is a 24-core server running ESXi+vmxnet3. You can deploy two
8-core Gateways: 2 gateways multiplied by 8 cores requires 16 cores reserved for the
gateway application and leaves 8 free cores. By the rule above, to support these two
Gateways running at peak performance the ESXi/vmxnet3 system requires an additional
4 cores (two cores for each of the two Gateways deployed). That is a total of 20 cores
required to run 2 gateways on a 24-core system.
Note When using SR-IOV, the network scheduling function is offloaded to the pNIC
to achieve higher performance. However, the hypervisor must still perform other
scheduling functions like CPU, memory, NUMA allocation management. It is required
to always keep two free cores for hypervisor usage.
n The CPU must support and enable the following instruction sets: AES-NI, SSSE3, SSE4,
RDTSC, RDSEED, RDRAND, AVX/AVX2/AVX512.
n A minimum of 4GB free RAM must be available to the server system aside from the memory
assigned to the PGW VMs. One Gateway VM requires 16GB RAM, or 32GB RAM if certificate-
based authentication is enabled.
n Minimum of 150GB magnetic or SSD based, persistent disk volume (One Gateway VM
requires 64GB or 96GB Disk Volume, if certificate-based authentication is enabled).
n Minimum of one 10GbE network interface port; two ports are preferred when enabling the
Gateway partner hand-off interface (1GbE NICs are supported, but will bottleneck performance).
The physical NIC cards supporting SR-IOV use the Intel 82599/82599ES and Intel X710/XL710
chipsets. (See the ‘Enable SR-IOV’ guide.)
Note SR-IOV does not support NIC bonding. For redundant uplinks, use ESXi vSwitch.
n VMware SD-WAN Gateway is a data-plane intensive workload that requires dedicated CPU
cycles to ensure optimal performance and reliability. Meeting these defined settings is
required to ensure that the Gateway VM does not oversubscribe the underlying hardware and
cause conditions that can destabilize the Gateway service (e.g. NUMA boundary crossing,
memory, and/or vCPU oversubscription).
n Ensure that the SD-WAN Partner Gateway VM and the resources used to support it fit within
a NUMA node.
n When possible, strive for complete vertical alignment between network interfaces, memory,
physical CPUs, and virtual machines to a single NUMA node.
- AES-NI - Enabled
Dual Port Intel Corporation Ethernet Controller XL710 for 40GbE QSFP+ | 7.0 | 2.10.19.30 | 1.8.6 and 1.10.9.0
Dual Port Intel Corporation Ethernet Controller X710 for 10GbE SFP+ | 7.0 | 2.10.19.30 | 1.8.6 and 1.10.9.0
Quad Port Intel Corporation Ethernet Controller X710 for 10GbE SFP+ | 7.0 | 2.10.19.30 | 1.8.6 and 1.10.9.0
Dell rNDC X710/350 card | nvm 7.10 and FW 19.0.12 | 2.10.19.30 | 1.8.6 and 1.10.9.0
VMware
n Intel 82599/82599ES - ESXi 6.7 U3 up to ESXi 7.0. To use SR-IOV, the vCenter and the vSphere
Enterprise Plus license are required.
n Intel X710/XL710 - ESXi 6.7 with VMware vSphere Web Client 6.7.0 up to ESXi 7.0 with VMware
vSphere Web Client 7.0.
KVM
n Intel 82599/82599ES - Ubuntu 16.04 LTS and Ubuntu 18.04 LTS
n Intel X710/XL710 - Ubuntu 16.04 LTS and Ubuntu 18.04 LTS
Important The installation of Intel i40e host driver version 2.10.19.30 on an Ubuntu 18.04 LTS
server may result in compilation errors. Should this occur, the customer is advised to patch the
host driver.
1 To find a virtual machine, select a data center, folder, cluster, resource pool, or host.
b Right-click a virtual machine from the list and select Edit settings from the pop-up menu.
c On the Virtual Hardware tab, expand CPU, and allocate CPU capacity for the virtual machine.
e Click OK.
Important All vCPU cores should be mapped to the same socket with the Cores per Socket parameter set to either 8 with 8 vCPUs, or 4 where 4 vCPUs are used.
2 Choose the Options tab and click Advanced General > Configuration Parameters.
3 Add entries for numa.nodeAffinity=0, 1, ..., where 0 and 1 are the processor socket numbers.
- vNIC must be of type 'vmxnet3' (or SR-IOV, see SR-IOV section for support details).
- The first vNIC is the public (outside) interface, which must be an untagged interface.
- The second vNIC is optional and acts as the private (inside) interface that can support VLAN tagging dot1q and Q-in-Q. This interface typically faces the PE router or L3 switch.
Note VMware uses the above defined settings to obtain scale and performance numbers. Settings that do not align to the above requirements are not tested by VMware and can yield unpredictable performance and scale results.
- If using KVM:
  - vNIC must be of 'Linux Bridge' type. (SR-IOV is required for high performance, see SR-IOV section for support details).
  Important All vCPU cores should be mapped to the same socket with the Cores per Socket parameter set to either 8 with 8 vCPUs, or 4 where 4 vCPUs are used.
  - 16GB of memory (32GB RAM is required when enabling certificate-based authentication)
  - The first vNIC is the public (outside) interface, which must be an untagged interface.
  - The second vNIC is optional and acts as the private (inside) interface that can support VLAN tagging dot1q and Q-in-Q. This interface typically faces the PE router or L3 switch.
Firewall/NAT Requirements
Note These requirements apply if the SD-WAN Gateway is deployed behind a Firewall and/or
NAT device.
- The firewall needs to allow outbound traffic from the SD-WAN Gateway to TCP/443 (for communication with SD-WAN Orchestrator).
- The firewall needs to allow inbound traffic from the Internet to UDP/2426 (VCMP), UDP/4500, and UDP/500. If NAT is not used, then the firewall needs to also allow IP/50 (ESP).
- If NAT is used, the above ports must be translated to an externally reachable IP address. Both 1:1 NAT and port translations are supported.
Note For more information, refer to the VMware SD-WAN Performance and Scale Datasheet
published at the Partner Connect Portal. To access the datasheet, you must log into the Partner
Connect Portal using your Partner credentials (username and password).
On VMware hosted Gateways and Partner Gateways, DPDK is used on interfaces that manage
data plane traffic and is not used on interfaces reserved for management plane traffic. For
example, on a typical VMware hosted Gateway, eth0 is used for management plane traffic and
would not use DPDK. In contrast, eth1, eth2, and eth3 are used for data plane traffic and use
DPDK.
1 Create SD-WAN Gateway on SD-WAN Orchestrator and make a note of the activation key.
5 Boot the SD-WAN Gateway VM and ensure the SD-WAN Gateway cloud-init initializes
properly. At this stage, the SD-WAN Gateway should already activate itself against the SD-
WAN Orchestrator.
Important
- SD-WAN Gateway supports both the virtual switch and SR-IOV. This guide specifies the SR-IOV as an optional configuration step.
Pre-Installation Considerations
The VMware Partner Gateway provides different configuration options. A worksheet should be
prepared before the installation of the Gateway.
Worksheet
SD-WAN Gateway:
- Version
- OVA/QCOW2 file location
- Activation Key
- SD-WAN Orchestrator (IP ADDRESS/vco-fqdn-hostname)
- Hostname
Installation Selections:
- DPDK: This is optional and enabled by default for higher throughput. If you choose to deactivate DPDK, contact VMware Customer Support.
2 Go to Operator > Gateway and create a new gateway and assign it to the pool. The IP
address of the gateway entered here must match the public IP address of the gateway. If
unsure, you can run curl ipinfo.io/ip from the SD-WAN Gateway which will return the
public IP of the SD-WAN Gateway.
There are additional parameters that can be configured. The most common are the following:
- Advertise 0.0.0.0/0 with no encrypt: This option will enable the Partner Gateway to advertise a path to Cloud traffic for the SaaS application. Since the Encrypt Flag is off, it will be up to the customer configuration on the business policy to use this path or not.
- The second recommended option is to advertise the SD-WAN Orchestrator IP as a /32 with encrypt. This will force the traffic that is sent from the Edge to the SD-WAN Orchestrator to take the Gateway path. This is recommended since it introduces predictability to the behavior that the SD-WAN Edge takes to reach the SD-WAN Orchestrator.
Networking
Important The following procedure and screenshots focus on the most common deployment,
which is the 2-ARM installation for the Gateway. The addition of an OAM network is considered in
the section titled, OAM Interface and Static Routes.
The diagram above is a representation of the SD-WAN Gateway in a 2-ARM deployment. In this
example, we assume eth0 is the interface facing the public network (Internet) and eth1 is the
interface facing the internal network (handoff or VRF interface).
Note A Management VRF is created on the SD-WAN Gateway and is used to send a periodic ARP refresh to the default gateway IP to check that the handoff interface is physically up; this speeds up the failover time. It is recommended that a dedicated VRF is set up on the PE router for this purpose. Optionally, the same management VRF can also be used by the PE router to send an IP SLA probe to the SD-WAN Gateway to check for SD-WAN Gateway status (SD-WAN Gateway has a stateful ICMP responder that will respond to ping only when its service is up). If a dedicated Management VRF is not set up, then you can use one of the customer VRFs as a Management VRF, although this is not recommended.
For the Internet Facing network, you only need the basic network configuration.
For the Handoff interface, you must know which type of handoff you want to configure and the
Handoff configuration for the Management VRF.
Console Access
Console access:
- Console_Password
- SSH:
  - Enabled (yes/no)
  - SSH public key
In order to access the Gateway, a console password and/or an SSH public key must be created.
Cloud-Init Creation
The configuration options for the gateway that we defined in the worksheet are used in the cloud-init configuration. The cloud-init config is composed of two main configuration files, the meta-data file and the user-data file. The meta-data contains the network configuration for the Gateway, and the user-data contains the Gateway software configuration. The meta-data file also provides information that identifies the instance of the SD-WAN Gateway being installed.
Below are the templates for both the meta-data and user-data files. The network-config file can be omitted, in which case the network interfaces are configured via DHCP by default.
Fill the templates with the information in the worksheet. All #_VARIABLE_# markers must be replaced, and any #ACTION# markers must be checked.
Important The template assumes you are using static configuration for the interfaces. It also
assumes that you are either using SR-IOV for all interfaces or none. For more information, see
OAM - SR-IOV with vmxnet3 or SR-IOV with VIRTIO.
meta-data file:
instance-id: #_Hostname_#
local-hostname: #_Hostname_#
Note The network-config examples below describe configuring the virtual machine with two
network interfaces, eth0 and eth1, with static IP addresses. eth0 is the primary interface with a
default route and a metric of 1. eth1 is the secondary interface with a default route and a metric of
13. The system will be configured with password authentication for the default user (vcadmin). In
addition, the SSH authorized key will be added for the vcadmin user. The SD-WAN Gateway will
be automatically activated to the SD-WAN Orchestrator with the provided activation_code.
version: 2
ethernets:
  eth0:
    addresses:
      - #_IPv4_Address_/mask#
    gateway4: #_IPv4_Gateway_#
    nameservers:
      addresses:
        - #_DNS_server_primary_#
        - #_DNS_server_secondary_#
      search: []
    routes:
      - to: 0.0.0.0/0
        via: #_IPv4_Gateway_#
        metric: 1
  eth1:
    addresses:
      - #_MGMT_IPv4_Address_/Mask#
    gateway4: 192.168.152.1
    nameservers:
      addresses:
        - #_DNS_server_primary_#
        - #_DNS_server_secondary_#
      search: []
    routes:
      - to: 0.0.0.0/0
        via: #_MGMT_IPv4_Gateway_#
        metric: 13
user-data file:
#cloud-config
hostname: #_Hostname_#
password: #_Console_Password_#
chpasswd: {expire: False}
ssh_pwauth: True
ssh_authorized_keys:
  - #_SSH_public_Key_#
velocloud:
  vcg:
    vco: #_VCO_#
    activation_code: #_Activation_Key#
    vco_ignore_cert_errors: false
The default username for the password that is configured in the user-data file is 'vcadmin'. Use this default username to log in to the SD-WAN Gateway for the first time.
Create the cloud-init ISO from the three files:
genisoimage -output vcg01-cidata.iso -volid cidata -joliet -rock user-data meta-data network-config
This ISO file, which we will call #CLOUD_INIT_ISO_FILE#, is used in both the OVA and VMware installations.
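Rendering the templates and building the ISO can be automated. The following is an added example for this guide, not VMware tooling: it fills the meta-data, user-data and a reduced network-config template from constructed worksheet values, refuses to build while any #_VARIABLE_# or #ACTION# marker remains, reviews the user-data for settings an operator should not ship, and then runs the genisoimage command above. The hostname, password, SSH key, Orchestrator address and activation key it uses are dummies.

```python
"""Render the cloud-init templates from the worksheet and build the cidata ISO.
Added example for this guide, not VMware code. The template text follows the
templates in the guide; the WORKSHEET values are constructed dummies."""
import re
import shutil
import subprocess
from pathlib import Path
from typing import Optional

# #_VARIABLE_# markers (the slash admits #_IPv4_Address_/mask#).
PLACEHOLDER = re.compile(r"#_[A-Za-z0-9_/]+#")
# #ACTION# markers flag a choice the installer has to make explicitly.
ACTION = re.compile(r"#ACTION#")

META_DATA = "instance-id: #_Hostname_#\nlocal-hostname: #_Hostname_#\n"

USER_DATA = """#cloud-config
hostname: #_Hostname_#
password: #_Console_Password_#
chpasswd: {expire: False}
ssh_pwauth: True
ssh_authorized_keys:
  - #_SSH_public_Key_#
velocloud:
  vcg:
    vco: #_VCO_#
    activation_code: #_Activation_Key#
    vco_ignore_cert_errors: false
"""

# Reduced network-config template (eth0 only) in the same form as the guide's.
NETWORK_CONFIG = """version: 2
ethernets:
  eth0:
    addresses:
      - #_IPv4_Address_/mask#
    gateway4: #_IPv4_Gateway_#
    routes:
      - to: 0.0.0.0/0
        via: #_IPv4_Gateway_#
        metric: 1
"""

# Constructed worksheet values: every entry here is a dummy, not a real secret.
WORKSHEET = {
    "#_Hostname_#": "vcg01",
    "#_Console_Password_#": "change-me-console-password",
    "#_SSH_public_Key_#": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyKeyOnlyForThisExample vcadmin",
    "#_VCO_#": "vco.example.com",
    "#_Activation_Key#": "XXXX-XXXX-XXXX",
    "#_IPv4_Address_/mask#": "192.0.2.10/24",
    "#_IPv4_Gateway_#": "192.0.2.1",
}


def unfilled_markers(text: str) -> list:
    """Sorted list of #_VARIABLE_# and #ACTION# markers still present in text."""
    return sorted(set(PLACEHOLDER.findall(text)) | set(ACTION.findall(text)))


def render(template: str, values: dict) -> str:
    """Substitute worksheet values; raise if any marker is left unfilled."""
    out = template
    for marker, value in values.items():
        out = out.replace(marker, value)
    leftover = unfilled_markers(out)
    if leftover:
        raise ValueError(f"unfilled template markers: {leftover}")
    return out


def review_user_data(user_data: str) -> list:
    """Findings an operator should resolve before booting the Gateway."""
    findings = []
    if re.search(r"^\s*vco_ignore_cert_errors:\s*true\b", user_data, re.M | re.I):
        findings.append("vco_ignore_cert_errors is true: Orchestrator certificate is not verified")
    if not re.search(r"^\s*-\s*(ssh-(rsa|ed25519)|ecdsa-sha2-\S+)\s", user_data, re.M):
        findings.append("no SSH public key: access relies on the console password only")
    return findings


def build_cidata_iso(workdir: Path, values: dict = WORKSHEET) -> Optional[Path]:
    """Write the three rendered files and build the cidata ISO as in the guide.
    Returns the ISO path, or None when genisoimage is not installed."""
    files = {"meta-data": render(META_DATA, values),
             "user-data": render(USER_DATA, values),
             "network-config": render(NETWORK_CONFIG, values)}
    findings = review_user_data(files["user-data"])
    if findings:
        raise ValueError("user-data review failed: " + "; ".join(findings))
    workdir.mkdir(parents=True, exist_ok=True)
    for name, text in files.items():
        (workdir / name).write_text(text)
    if shutil.which("genisoimage") is None:
        return None
    iso = workdir / "vcg01-cidata.iso"
    subprocess.run(["genisoimage", "-output", str(iso), "-volid", "cidata",
                    "-joliet", "-rock", *files], cwd=workdir, check=True)
    return iso
```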
Prerequisites
KVM provides multiple ways to provide networking to virtual machines. VMware recommends the following options:
- SR-IOV
- Linux Bridge
- OpenVSwitch Bridge
If you decide to use SR-IOV mode, enable SR-IOV on KVM and VMware. For steps, see:
Prerequisites
This requires a specific NIC card. The following chipsets are certified by VMware to work with the
SD-WAN Gateway.
- Intel 82599/82599ES
- Intel X710/XL710
Note Before using the Intel X710/XL710 cards in SR-IOV mode on VMware, make sure the
supported Firmware and Driver versions described in the Deployment Prerequisites section are
installed correctly.
1 Make sure that your NIC card supports SR-IOV. Check the VMware Hardware
Compatibility List (HCL) at https://www.vmware.com/resources/compatibility/search.php?
deviceCategory=io
Features: SR-IOV
The following VMware KB article provides details of how to enable SR-IOV on the supported
NIC: https://kb.vmware.com/s/article/2038739
2 Once you have a supported NIC card, go to the specific VMware host, select the Configure tab, and then choose Physical adapters.
3 Select Edit Settings. Change Status to Enabled and specify the number of virtual functions
required. This number varies by the type of NIC card.
5 If SR-IOV is successfully enabled, the number of Virtual Functions (VFs) will show under the
particular NIC after ESXi reboots.
Note This deployment is tested on ESXi versions 6.7, 6.7U3, and 7.0.
Important When you are done with the OVA installation, do not start the VM until you have the
cloud-init iso file and mount as CD-ROM to the SD-WAN Gateway VM. Otherwise, you will need
to re-deploy the VM again.
If you decide to use SR-IOV mode, then you can optionally enable SR-IOV on VMware. To enable
the SR-IOV on VMware, see Enable SR-IOV on VMware.
1 Select the ESXi host, go to Actions, and then Deploy OVF Template. Select the SD-WAN
Gateway OVA file provided by VMware and click Next.
Review the template details in Step 4 (Review details) of the Deploy OVA/OVF Template
wizard as shown in the image below.
2 For the Select networks step, the OVA comes with two pre-defined networks (vNICs).
- Inside: This is the vNIC facing the PE router and is used for handoff traffic to the MPLS PE or L3 switch. This vNIC is normally bound to a port group that does a VLAN pass-through (VLAN=4095 in vswitch configuration).
- Outside: This is the vNIC facing the Internet. This vNIC expects a non-tagged L2 frame and is normally bound to a different port group from the Inside vNIC.
3 For the Customize template step, do not change anything. This is when you use vApp to
configure the VM. We will not use vApp in this example. Click Next to continue with deploying
the OVA.
4 Once the VM is successfully deployed, return to the VM and click Edit Settings. Two vNICs are created with adapter type = vmxnet3.
5 (Optional for SR-IOV) This step is required only if you plan to use SR-IOV. Because the OVA
by default creates the two vNICs as vmxnet3, we will need to remove the two vNICs and
re-add them as SR-IOV.
When adding the two new SR-IOV vNICs, use the same port group as the original two
vmxnet3 vNICs. Make sure the Adapter Type is SR-IOV passthrough. Select the correct
physical port to use and set the Guest OS MTU Change to Allow. After you add the two
vNICs, click OK.
7 Refer to Cloud-init Creation. The Cloud-init file is packaged as a CD-ROM (iso) file. You need
to mount this file as a CD-ROM.
Prerequisites
This requires a specific NIC card. The following chipsets are certified by VMware to work with the
SD-WAN Gateway and SD-WAN Edge.
- Intel 82599/82599ES
- Intel X710/XL710
Note Before using the Intel X710/XL710 cards in SR-IOV mode on KVM, make sure the
supported Firmware and Driver versions specified in the Deployment Prerequisites section are
installed correctly.
Note SR-IOV mode is not supported if the KVM Virtual Edge is deployed with a High-Availability
topology. For High-Availability deployments, ensure that SR-IOV is not enabled for that KVM
Edge pair.
1 Enable SR-IOV in BIOS. This will be dependent on your BIOS. Login to the BIOS console and
look for SR-IOV Support/DMA. You can verify support on the prompt by checking that Intel
has the correct CPU flag.
GRUB_CMDLINE_LINUX="intel_iommu=on"
b Reboot
3 If the ixgbe config file does not exist, you must create the file as follows.
3 To make the VFs persistent after a reboot, add the command from the previous step to the "/etc/rc.d/rc.local" file.
01:10.0 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
Pre-Installation Considerations
KVM provides multiple ways to provide networking to virtual machines. The networking in
libvirt should be provisioned before the VM configuration. There are multiple ways to configure
networking in KVM. For a full configuration of options on how to configure Networks on libvirt,
see the following link:
https://libvirt.org/formatnetwork.html
From the full list of options, VMware recommends the following modes:
- SR-IOV (This mode is required for the SD-WAN Gateway to deliver the maximum throughput specified by VMware)
- OpenVSwitch Bridge
If you decide to use SR-IOV mode, enable SR-IOV on KVM. To enable the SR-IOV on KVM, see
Enable SR-IOV on KVM.
2 Create the Network interfaces that you are going to use for the device.
Using SR-IOV: The following is a sample network interface template specific to Intel X710/
XL710 NIC cards using SR-IOV.
Using OpenVSwitch: The following are the sample templates of a network interface using
OpenVSwitch.
git ./vcg/templates/KVM_NETWORKING_SAMPLES/template_outside_openvswitch.xml
git ./vcg/templates/KVM_NETWORKING_SAMPLES/template_inside_openvswitch.xml
<network>
  <name>inside_interface</name> <!-- This is the network name -->
  <model type='virtio'/>
  <forward mode="bridge"/>
  <bridge name="insideinterface"/>
  <virtualport type='openvswitch'></virtualport>
  <vlan trunk='yes'>
    <tag id='200'/> <!-- Define all the VLANs for this bridge -->
    <tag id='201'/>
    <tag id='202'/>
  </vlan>
</network>
If you are using OpenVSwitch mode, then you have to verify that the basic networks are created and active before launching the VM.
Note This validation step is not applicable for SR-IOV mode as you do not create any network before the VM is launched.
3 Edit the VM XML file. There are multiple ways to create a Virtual Machine in KVM. You can
define the VM in an XML file and create it using libvirt, using the sample VM XML template
specific to OpenVSwitch mode and SR-IOV mode.
vi my_vm.xml
The following is a sample template of a VM which uses OpenVSwitch interfaces. Use this
template by making edits, wherever applicable.
The following is a sample template of a VM which uses SR-IOV interfaces. Use this template
by making edits, wherever applicable.
a Ensure you have the following three files in your directory as shown in the following sample screenshot:
- cloud-init - vcg-test.iso
- Domain XML file that defines the VM - test_vcg.xml, where test_vcg is the domain name.
b Define VM.
c Set VM to autostart.
d Start VM.
5 If you are using SR-IOV mode, after launching the VM, set the following on the Virtual
Functions (VFs) used:
Note The Virtual Functions configuration step is not applicable for OpenVSwitch (OVS)
mode.
virsh list
Id Name State
----------------------------------------------------
25 test_vcg running
velocloud@KVMperf2$ virsh console 25
Connected to domain test_vcg
Escape character is ^]
- Deactivate GRO (Generic Receive Offload) on physical interfaces (to avoid unnecessary re-fragmentation in SD-WAN Gateway).
- Deactivate CPU C-states (power states affect real-time performance). Typically, this can be done as part of kernel boot options by appending processor.max_cstate=1 or just deactivate in the BIOS.
Post-Installation Tasks
This section describes post-installation and installation verification steps.
If everything worked as expected in the installation, you can now login to the VM.
1 If everything works as expected, you should see the login prompt on the console. You should see the prompt name as specified in cloud-init.
2 You can also refer to /run/cloud-init/result.json. If you see the message below, it is likely that cloud-init ran successfully.
Note If you have deployed OVA on VMware vSphere with vAPP properties, you must
deactivate cloud-init prior to upgrading to versions 4.0.1 or 4.1.0. This is to ensure that the
customization settings such as network configuration or password are not lost during the
upgrade.
touch /etc/cloud/cloud-init.disabled
9 Verify that the Edge is able to establish a tunnel with the Gateway on the Internet side. From
the VMware SD-WAN Orchestrator, go to Monitor > Edges > Overview.
From the VMware SD-WAN Orchestrator, go to Test & Troubleshoot > Remote Diagnostics >
[Edge] > List Paths, and click Run to view the list of active paths.
network:
  version: 2
  ethernets:
    eth0:
      addresses:
        - 192.168.151.253/24
      gateway4: 192.168.151.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
        search: []
      routes:
        - to: 192.168.0.0/16
          via: 192.168.151.254
          metric: 100
    eth1:
      addresses:
        - 192.168.152.251/24
      gateway4: 192.168.152.1
      nameservers:
        addresses:
          - 8.8.8.8
        search: []
In the example featuring the figure below (VRF/VLAN Hand Off to PE), we assume eth0 is the interface facing the public network (Internet) and eth1 is the interface facing the internal network (customer VRF through the PE). BGP peering configuration is managed on the VCO on a per-customer/VRF basis under "Configure > Customer". Note that the IP address of each VRF is configurable per customer. The IP address of the management VRF inherits the IP address configured on the SD-WAN Gateway interface in Linux.
A management VRF is created on the SD-WAN Gateway and is used to send periodic ARP
refresh to the default Gateway IP to determine the next-hop MAC. It is recommended that a
dedicated VRF is set up on the PE router for this purpose. The same management VRF can also
be used by the PE router to send IP SLA probe to the SD-WAN Gateway to check for SD-WAN
Gateway status (SD-WAN Gateway has stateful ICMP responder that will respond to ping only
when its service is up). BGP Peering is not required on the Management VRF. If a Management
VRF is not set up, then you can use one of the customer VRFs as Management VRF, although this
is not recommended.
Step 1: Edit the /etc/config/gatewayd and specify the correct VCMP and WAN interface. VCMP
interface is the public interface that terminates the overlay tunnels. The WAN interface in this
context is the handoff interface.
"vcmp.interfaces": [
  "eth0"
],
(..snip..)
"wan": [
  "eth1"
],
Step 2: Configure the Management VRF. This VRF is used by the SD-WAN Gateway to ARP
for next-hop MAC (PE router). The same next-hop MAC will be used by all the VRFs created
by the SD-WAN Gateway. You need to configure the Management VRF parameter in /etc/config/
gatewayd.
The Management VRF is the same VRF the PE router sends its IP SLA probe to. The SD-WAN Gateway only responds to the ICMP probe if the service is up and if there are edges connected to it. The table below explains each parameter that needs to be defined. This example has the Management VRF on the 802.1q VLAN ID of 1000.
"vrf_vlan": {
  "tag_info": [
    {
      "resp_mode": 0,
      "proxy_arp": 0,
      "c_tag": 1000,
      "mode": "802.1Q",
      "interface": "eth1",
      "s_tag": 0
    }
  ]
},
Step 3: Edit the /etc/config/gatewayd-tunnel to include both interfaces in the wan parameter.
Save the change.
wan="eth0 eth1"
By default, the SD-WAN Gateway blocks traffic to 10.0.0.0/8 and 172.16.0.0/14. We will need to
remove them before using this SD-WAN Gateway because we expect SD-WAN Gateway to be
sending traffic to private subnets as well. If you do not edit this file, when you try to send traffic
to blocked subnets, you will find the following messages in /var/log/gwd.log
Step 1: On the SD-WAN Gateway, edit the /opt/vc/etc/vc_blocked_subnets.json file. You will find that this file initially has the following content.
[
  {
    "network_addr": "10.0.0.0",
    "subnet_mask": "255.0.0.0"
  },
  {
    "network_addr": "172.16.0.0",
    "subnet_mask": "255.255.0.0"
  }
]
Step 2: Remove the two networks. The file should look like below after editing. Save the change.
[]
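The three handoff steps (VCMP and WAN interfaces, Management VRF, gatewayd-tunnel wan= line) and the blocked-subnet edit can be applied with a small script. The following is an added example for this guide, not VMware code: it builds the settings with the 802.1Q Management VRF on VLAN 1000 from the snippets above, validates the VLAN ID and interface choice, and removes only the named prefixes from a constructed copy of vc_blocked_subnets.json so that a typo cannot silently leave a subnet blocked.

```python
"""Apply the handoff steps and trim the blocked-subnet list.
Added example for this guide, not VMware code. The config fragments are
constructed inline from the guide's snippets rather than read from
/etc/config/gatewayd, /etc/config/gatewayd-tunnel and
/opt/vc/etc/vc_blocked_subnets.json on a Gateway."""
import copy
import ipaddress
import json

# Constructed fragment of /etc/config/gatewayd before Steps 1 and 2 (only the
# keys the guide touches are included).
GATEWAYD = {"vcmp.interfaces": ["eth0"], "wan": ["eth0"], "vrf_vlan": {"tag_info": []}}

# Constructed copy of the default /opt/vc/etc/vc_blocked_subnets.json.
BLOCKED_SUBNETS = json.dumps([
    {"network_addr": "10.0.0.0", "subnet_mask": "255.0.0.0"},
    {"network_addr": "172.16.0.0", "subnet_mask": "255.255.0.0"},
])


def configure_handoff(cfg: dict, vcmp_if: str, wan_if: str, c_tag: int,
                      resp_mode: int = 0) -> dict:
    """Steps 1 and 2: set the VCMP (public) and WAN (handoff) interfaces and the
    802.1Q Management VRF entry. Returns a modified copy; the input is untouched."""
    if vcmp_if == wan_if:
        raise ValueError("VCMP and handoff interfaces must differ in a 2-ARM deployment")
    if not 1 <= c_tag <= 4094:
        raise ValueError(f"c_tag {c_tag} is not a valid 802.1Q VLAN ID")
    if resp_mode not in (0, 1):
        raise ValueError("resp_mode must be 0 (strict) or 1 (relaxed outer EtherType check)")
    new = copy.deepcopy(cfg)
    new["vcmp.interfaces"] = [vcmp_if]
    new["wan"] = [wan_if]
    new["vrf_vlan"] = {"tag_info": [{
        "resp_mode": resp_mode, "proxy_arp": 0, "c_tag": c_tag,
        "mode": "802.1Q", "interface": wan_if, "s_tag": 0}]}
    return new


def tunnel_wan_line(cfg: dict) -> str:
    """Step 3: the wan= line for /etc/config/gatewayd-tunnel, naming both interfaces."""
    return 'wan="' + " ".join(cfg["vcmp.interfaces"] + cfg["wan"]) + '"'


def unblock_subnets(blocked_json: str, prefixes) -> str:
    """Remove exactly the given prefixes from the blocked-subnet list and return
    the new file content. A prefix that is not in the list raises, so a typo
    neither leaves a subnet blocked nor passes unnoticed."""
    wanted = {ipaddress.ip_network(p) for p in prefixes}
    kept, removed = [], set()
    for entry in json.loads(blocked_json):
        # ip_network accepts the dotted-mask form used in the file.
        net = ipaddress.ip_network(f"{entry['network_addr']}/{entry['subnet_mask']}")
        if net in wanted:
            removed.add(net)
        else:
            kept.append(entry)
    missing = wanted - removed
    if missing:
        raise ValueError(f"not in blocked list: {sorted(str(n) for n in missing)}")
    return json.dumps(kept, indent=2)
```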
Important: This procedure will not work for upgrading a Gateway image version from 3.x to 4.x due to significant platform changes. Upgrading from a 3.x to 4.x image will require a new Gateway deployment and reactivation. Please refer to Chapter 23 VMware Partner Gateway Upgrade and Migration 3.3.2 or 3.4 to 4.0 for upgrade information.
Note Currently, VMware does not support downgrading for the VMware SD-WAN Orchestrator
and VMware SD-WAN Gateway. So before upgrading the SD-WAN Orchestrator or SD-WAN
Gateway, VMware recommends you backup the system prior to upgrade for easy recovery in
the event the upgrade is not successfully completed.
Prior to upgrading to a newer version of the software, make sure the public key exists to verify the package. The known public key location used to verify the signature is /var/lib/velocloud/software_update/keys/software.key. Alternatively, the key can be provided on the command line using the --pubkey parameter.
If the key is missing or the signature cannot be verified, the Operator will be notified that the
package is untrusted with an option to proceed or not proceed.
If running in batch mode or not on the terminal, the installation is aborted unless the "--untrusted"
option is specified on the command line.
By default, the installer will run in interactive mode and may issue prompts. For automated
scripts, use --batch parameter to suppress prompts.
Upgrade Procedures
2 Upload the image to the SD-WAN Gateway system (using, for example, the scp command).
Copy the image to the following location on the system:
/var/lib/velocloud/software_update/vcg_update.tar
sudo /opt/vc/bin/vcg_software_update
Custom Configurations
This section describes custom configurations.
NTP Configuration
NTP configuration involves editing the /etc/ntpd.conf file.
VMware: If a dedicated VNIC for Management/OAM is desired, add another vNIC of type
vmxnet3. You must repeat the previous step, which is to click OK and then Edit Settings
again so you can make a note of the vNIC MAC address.
KVM: If a dedicated VNIC for Management/OAM is desired, make sure you have a libvirt
network named oam-network. Then add the following lines to your XML VM structure:
...
</controller>
<interface type='network'>
  <source network='public_interface'/>
  <vlan><tag id='#public_vlan#'/></vlan>
  <alias name='hostdev1'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x11' function='0x0'/>
</interface>
<interface type='network'>
  <source network='inside_interface'/>
  <alias name='hostdev2'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x12' function='0x0'/>
</interface>
<interface type='network'>
  <source network='oam_interface'/>
  <vlan><tag id='#oam_vlan#'/></vlan>
  <alias name='hostdev3'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x13' function='0x0'/>
</interface>
<serial type='pty'>
  <source path='/dev/pts/3'/>
  <target port='0'/>
  <alias name='serial0'/>
</serial>
version: 2
ethernets:
  eth0:
    addresses:
      - #_IPv4_Address_/mask#
    mac_address: #_mac_Address_#
    gateway4: #_IPv4_Gateway_#
    nameservers:
      addresses:
        - #_DNS_server_primary_#
        - #_DNS_server_secondary_#
      search: []
    routes:
      - to: 0.0.0.0/0
        via: #_IPv4_Gateway_#
        metric: 1
  eth1:
    addresses:
      - #_MGMT_IPv4_Address_/Mask#
    mac_address: #_MGMT_mac_Address_#
    nameservers:
      addresses:
        - #_DNS_server_primary_#
        - #_DNS_server_secondary_#
      search: []
    routes:
      - to: 0.0.0.0/0
        via: #_MGMT_IPv4_Gateway_#
        metric: 13
  eth2:
    addresses:
      - #_OAM_IPv4_Address_/Mask#
    nameservers:
      addresses:
        - #_DNS_server_primary_#
        - #_DNS_server_secondary_#
      search: []
    routes:
      - to: 10.0.0.0/8
        via: #_OAM_IPv4_Gateway_#
      - to: 192.168.0.0/16
        via: #_OAM_IPv4_Gateway_#
VMware: After creating the machine, go to Edit Settings and copy the MAC address.
Assuming a Management VRF is configured with S-Tag: 20 and C-Tag: 100, edit the vrf_vlan section in /etc/config/gatewayd as follows. Also, set resp_mode to 1 so that the SD-WAN Gateway will relax its check to allow Ethernet frames that have an incorrect EtherType of 0x8100 in the outer header.
SNMP Integration
This section describes how to configure SNMP integration.
For more information on SNMP configuration, see Net-SNMP documentation. To configure SNMP
integration:
1 Edit /etc/snmp/snmpd.conf.
2 Add the following lines to the config file with source IP address of the systems that will be
connecting to SNMP service. You can configure using either SNMPv2c or SNMPv3.
- The following example configures access to all counters from localhost via community string vc-vcg and from 10.0.0.0/8 with community string myentprisecommunity using SNMPv2c.
agentAddress udp:161
# com2sec sec.name source community
com2sec local localhost vc-vcg
com2sec myenterprise 10.0.0.0/8 myentprisecommunity
# group access.name sec.model sec.name
group rogroup v2c local
group rogroup v2c myenterprise
view all included .1 80
# access access.name context sec.model sec.level match read write notif
access rogroup "" any noauth exact all none none
#sysLocation Sitting on the Dock of the Bay
#sysContact Me <[email protected]>
sysServices 72
master agentx
#
# Process Monitoring
## At least one 'gwd' process
proc gwd
# At least one 'mgd' process
proc mgd
#
# Disk Monitoring
#
# 100MBs required on root disk, 5% free on /var, 10% free on all other disks
disk / 100000
disk /var 5%
includeAllDisks 10%
#
# System Load
#
# Unacceptable 1-, 5-, and 15-minute load averages
load 12 10 5
Note In the above example, the process gwd comprises the entire Data and Control Plane of the Gateway. The Management Plane Daemon (mgd) is responsible for communication with the Orchestrator. This process is kept isolated from gwd so that in the event of a total failure of the gwd process, the Orchestrator is still reachable for configuration changes or software updates required to resolve the failure.
#
# AGENT BEHAVIOUR
#
###############################################################################
#
# SNMPv3 AUTHENTICATION
#
# Note that these particular settings don't actually belong here.
# They should be copied to the file /var/lib/snmp/snmpd.conf
# and the passwords changed, before being uncommented in that file *only*.
# Then restart the agent
# createUser authOnlyUser MD5 "remember to change this password"
# createUser authPrivUser SHA "remember to change this one too" DES
# createUser internalUser MD5 "this is only ever used internally, but still change the password"
###############################################################################
#
# ACCESS CONTROL
#
###############################################################################
#
# SYSTEM INFORMATION
#
# Note that setting these values here, results in the corresponding MIB objects being 'read-only'
# See snmpd.conf(5) for more details
sysLocation Bay
sysContact [email protected]
# Application + End-to-End layers
sysServices 72
#
# Process Monitoring
#
# At least one 'mountd' process
proc mountd
#
# Disk Monitoring
#
# 10MBs required on root disk, 5% free on /var, 10% free on all other disks
disk / 10000
disk /var 5%
includeAllDisks 10%
#
# System Load
#
# Unacceptable 1-, 5-, and 15-minute load averages
load 12 10 5
###############################################################################
#
# ACTIVE MONITORING
#
# send SNMPv1 traps
trapsink localhost public
# send SNMPv2c traps
trap2sink localhost public
# send SNMPv2c INFORMs
informsink localhost public
# Note that you typically only want *one* of these three lines
# Uncommenting two (or all three) will result in multiple copies of each notification.
#
# Event MIB - automatically generate alerts
#
# Remember to activate the 'createUser' lines above
iquerySecName internalUser
rouser internalUser
# generate traps on UCD error conditions
defaultMonitors yes
# generate traps on linkUp/Down
linkUpDownNotifications yes
###############################################################################
#
# EXTENDING THE AGENT
#
# Arbitrary extension commands
#
extend test1 /bin/echo Hello, world!
extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35
#extend-sh test3 /bin/sh /tmp/shtest
# Note that this last entry requires the script '/tmp/shtest' to be created first,
# containing the same three shell commands, before the line is uncommented
# Note that the "extend" directive supercedes the previous "exec" and "sh" directives
# However, walking the UCD-SNMP-MIB::extTable should still returns the same output,
# as well as the fuller results in the above tables.
#
# "Pass-through" MIB extension command
#
#pass .1.3.6.1.4.1.8072.2.255 /bin/sh PREFIX/local/passtest
#pass .1.3.6.1.4.1.8072.2.255 /usr/bin/perl PREFIX/local/passtest.pl
# Note that this requires one of the two 'passtest' scripts to be installed first,
# before the appropriate line is uncommented.
# These scripts can be found in the 'local' directory of the source distribution,
# and are not installed automatically.
#
# AgentX Sub-agents
#
# Run as an AgentX master agent
master agentx
# Listen for network connections (from localhost)
# rather than the default named socket /var/agentx/master
3 Edit /etc/iptables/rules.v4. Add the following lines to the config with the source IP of
the systems that will be connecting to SNMP service:
Important Add only targeted rules for addresses and ports. Do not add blanket drop or
accept rules. SD-WAN Gateway will append its own rules to the table and, because the rules
are evaluated in order, that may prevent Gateway software from functioning properly.
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --source 127.0.0.1 --dport 161 -m comment --comment "allow SNMP port" -j ACCEPT
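As an added example for this guide (not VMware code), the following derives one targeted ACCEPT rule per com2sec source in the SNMPv2c configuration above, and checks a rules.v4 fragment for the blanket INPUT rules that the Important note warns against. The snmpd.conf text is constructed inline from the example.

```python
"""Derive targeted SNMP iptables rules from snmpd.conf and flag blanket rules.
Added example for this guide, not VMware code; SNMPD_CONF is constructed from
the com2sec lines in the SNMPv2c example."""
import ipaddress
import re

# Constructed from the com2sec lines in the SNMPv2c example.
SNMPD_CONF = """agentAddress udp:161
# com2sec sec.name source community
com2sec local localhost vc-vcg
com2sec myenterprise 10.0.0.0/8 myentprisecommunity
"""

# iptables options that narrow a rule to specific traffic.
SELECTORS = {"-p", "--protocol", "-s", "--source", "-d", "--destination",
             "--sport", "--dport", "-i", "--in-interface"}


def snmp_sources(conf: str) -> list:
    """Source prefixes of the active com2sec lines, normalised to CIDR
    (localhost becomes 127.0.0.1/32). Commented-out lines are skipped."""
    sources = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 4 and parts[0] == "com2sec":
            src = "127.0.0.1" if parts[2] == "localhost" else parts[2]
            sources.append(str(ipaddress.ip_network(src, strict=False)))
    return sources


def snmp_accept_rules(sources, port: int = 161) -> list:
    """One targeted ACCEPT per source, in the form used in /etc/iptables/rules.v4."""
    return [f'-A INPUT -p udp -m udp --source {src} --dport {port} '
            f'-m comment --comment "allow SNMP port" -j ACCEPT' for src in sources]


def blanket_rules(rules_text: str) -> list:
    """INPUT rules that ACCEPT/DROP/REJECT with no selector at all. Because
    iptables evaluates rules in order, such a rule decides every packet before
    the rules the Gateway appends later are ever reached."""
    found = []
    for line in rules_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "INPUT"]:
            continue
        target = None
        if "-j" in tokens:
            idx = tokens.index("-j")
            target = tokens[idx + 1] if len(tokens) > idx + 1 else None
        if target in ("ACCEPT", "DROP", "REJECT") and not SELECTORS.intersection(tokens):
            found.append(line.strip())
    return found
```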
The SD-WAN Gateway appliance includes the following changes in the 4.0 release:
- A new system disk layout based on LVM to allow more flexibility in volume management
- Substantial changes to cloud-init. Cloud-init deployment scripts must be reviewed and tested for compatibility
- net-tools (ifconfig, netstat, etc) are considered "deprecated" and may be removed in future versions
Network Configuration
ifupdown has been deprecated in favor of https://netplan.io/. Network configuration has moved
from /etc/network to /etc/netplan.
network:
  version: 2
  ethernets:
    eth0:
      addresses:
        - 192.168.151.253/24
      gateway4: 192.168.151.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
        search: []
      routes:
        - to: 192.168.0.0/16
          via: 192.168.151.254
          metric: 100
    eth1:
      addresses:
        - 192.168.152.251/24
      gateway4: 192.168.152.1
      nameservers:
        addresses:
          - 8.8.8.8
        search: []
Cloud-init
Cloud-init was upgraded to version 20.2. More information on Cloud-init can be found here:
https://cloudinit.readthedocs.io/en/stable/index.html
Example 1: Simple
meta-data:
instance-id: vcg1
local-hostname: vcg1
user-data:
#cloud-config
hostname: vcg1
password: Velocloud123
chpasswd: {expire: False}
ssh_pwauth: True

Example 2: With SSH key and activation
meta-data:
instance-id: vcg1
local-hostname: vcg1
user-data:
#cloud-config
hostname: vcg1
password: Velocloud123
chpasswd: {expire: False}
ssh_pwauth: True
ssh_authorized_keys:
  - ssh-rsa … rsa-key
velocloud:
  vcg:
    vco: demo.velocloud.net
    activation_code: F54F-GG4S-XGFI
    vco_ignore_cert_errors: false
runcmd:
  - 'echo "Welcome to VeloCloud"'
network-config Example 1:
version: 2
ethernets:
  eth0:
    addresses:
      - 192.168.152.55/24
    gateway4: 192.168.152.1
    nameservers:
      addresses:
        - 192.168.152.1
  eth1:
    addresses:
      - 192.168.151.55/24
    gateway4: 192.168.151.1
    nameservers:
      addresses:
        - 192.168.151.1
network-config Example 2:
NOTE: If the Gateway has multiple interfaces and one of them must be selected as the preferred
interface for the default gateway, a configuration like the one below, which assigns a metric to each
default route, selects the correct interface.
version: 2
ethernets:
  eth0:
    addresses: [192.168.82.1/24]
  eth1:
    addresses: [70.150.1.1/24]
    routes:
      - {metric: 1, to: 0.0.0.0/0, via: 70.150.1.254}
  eth2:
    addresses: [70.155.1.1/24]
    routes:
      - {metric: 2, to: 0.0.0.0/0, via: 70.155.1.254}
Net-tools
Net-tools utilities such as ifconfig, netstat, and route are considered "deprecated." The suggested
replacements for net-tools are shown in the table below. These commands only display information
for the Linux host, not for the SD-WAN Overlay Network. NOTE: For more information, type:
man ip.
The sample output confirms that each command succeeded. Sample outputs for ip n (ip neighbor),
ip a (ip addr), and ip link are shown below.
ip n (ip neighbor):
root@SS-gateway-1:~# ip n
192.168.0.100 dev eth2 lladdr 00:50:56:84:85:d4 REACHABLE
192.168.0.250 dev eth2 lladdr 00:50:56:84:97:66 REACHABLE
13.1.1.2 dev eth0 lladdr 00:50:56:84:e7:fa REACHABLE
root@SS-gateway-1:~#
ip a (ip addr):
root@SS-gateway-1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 4096
    link/ether 00:50:56:84:a0:09 brd ff:ff:ff:ff:ff:ff
    inet 13.1.1.1/24 brd 13.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe84:a009/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:84:a6:ab brd ff:ff:ff:ff:ff:ff
    inet 101.101.101.1/24 brd 101.101.101.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe84:a6ab/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:84:bc:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.201/24 brd 192.168.0.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe84:bc75/64 scope link
       valid_lft forever preferred_lft forever
6: gwd1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 4096
    link/none
    inet 169.254.129.1/32 scope global gwd1
       valid_lft forever preferred_lft forever
    inet6 fe80::27d5:9e46:e7f7:7198/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
root@SS-gateway-1:~#
ip link:
root@SS-gateway-1:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 4096
    link/ether 00:50:56:84:a0:09 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:50:56:84:a6:ab brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:50:56:84:bc:75 brd ff:ff:ff:ff:ff:ff
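To work with this output from a script, for instance to confirm that the neighbor table only holds entries belonging to the subnets configured on each interface, the following Python parsers are added here as an example; they are not part of the guide or of the SD-WAN Gateway software. The embedded sample is the `ip a` and `ip n` output above, trimmed to eth0, eth2 and gwd1 with the shell prompts omitted; the neighbor check is an added consistency test, not something the Gateway performs.

```python
import ipaddress
import re

# Sample output copied from the guide's `ip a` and `ip n` listings above, trimmed to
# eth0, eth2 and gwd1, with the shell prompts omitted.
IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 4096
    link/ether 00:50:56:84:a0:09 brd ff:ff:ff:ff:ff:ff
    inet 13.1.1.1/24 brd 13.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe84:a009/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:84:bc:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.201/24 brd 192.168.0.255 scope global eth2
       valid_lft forever preferred_lft forever
6: gwd1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 4096
    link/none
    inet 169.254.129.1/32 scope global gwd1
       valid_lft forever preferred_lft forever
"""

IP_NEIGH_OUTPUT = """\
192.168.0.100 dev eth2 lladdr 00:50:56:84:85:d4 REACHABLE
192.168.0.250 dev eth2 lladdr 00:50:56:84:97:66 REACHABLE
13.1.1.2 dev eth0 lladdr 00:50:56:84:e7:fa REACHABLE
"""

# Interface header line: "<index>: <name>[@parent]: <FLAGS> key value key value ..."
HEADER_RE = re.compile(r"^(\d+): ([^:@\s]+)(?:@\S+)?: <([^>]*)>\s*(.*)$")


def parse_ip_addr(text):
    """Parse `ip a` output into {ifname: {index, flags, mtu, state, link, inet, inet6}}."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw.strip())
        if m:
            words = m.group(4).split()
            attrs = dict(zip(words[0::2], words[1::2]))  # mtu/qdisc/state/... pairs
            current = {"index": int(m.group(1)), "flags": m.group(3).split(","),
                       "mtu": int(attrs.get("mtu", 0)), "state": attrs.get("state"),
                       "link": None, "inet": [], "inet6": []}
            interfaces[m.group(2)] = current
            continue
        parts = raw.split()
        if current is None or not parts:
            continue
        if parts[0].startswith("link/"):
            # "link/none" (tunnel devices such as gwd1) carries no MAC address
            current["link"] = parts[1] if len(parts) > 1 else None
        elif parts[0] in ("inet", "inet6"):
            current[parts[0]].append(parts[1])
    return interfaces


def parse_ip_neigh(text):
    """Parse `ip n` output into a list of {addr, dev, lladdr, state} records."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2:
            continue
        entry = {"addr": parts[0], "dev": None, "lladdr": None, "state": parts[-1]}
        for key in ("dev", "lladdr"):  # FAILED entries carry no lladdr
            if key in parts[1:-1]:
                entry[key] = parts[parts.index(key) + 1]
        entries.append(entry)
    return entries


def check_neighbors(interfaces, neighbors):
    """Flag neighbor entries whose device is unknown or whose address lies outside every
    subnet configured on that device (stale, misrouted or suspicious entries)."""
    problems = []
    for n in neighbors:
        iface = interfaces.get(n["dev"])
        if iface is None:
            problems.append(f"{n['addr']}: unknown device {n['dev']}")
            continue
        addr = ipaddress.ip_address(n["addr"])
        subnets = [ipaddress.ip_interface(a).network for a in iface["inet"] + iface["inet6"]]
        if not any(addr in s for s in subnets):
            problems.append(f"{n['addr']}: not within any subnet on {n['dev']}")
    return problems


if __name__ == "__main__":
    ifs = parse_ip_addr(IP_ADDR_OUTPUT)
    for name, i in ifs.items():
        print(f"{name:6} {i['state']:8} {i['link'] or '-':18} {' '.join(i['inet'])}")
    print(check_neighbors(ifs, parse_ip_neigh(IP_NEIGH_OUTPUT)) or "neighbor table is consistent")
```

Both parsers work only on the Linux host view, exactly as the note above says for the ip commands themselves; the overlay tunnel interface (gwd1) appears as a point-to-point device with no MAC, which is why `link` may be None.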
Upgrade Considerations
Note The steps below assume that you want to keep the same IP address and SD-WAN Gateway
name for the new SD-WAN Gateway deployed in the 4.0 release. If you want to create a new
SD-WAN Gateway with a different IP address instead, you can follow the new SD-WAN Gateway
procedures.
Due to substantial changes to the disk layout and system files, an in-place upgrade from older
releases to the 4.0 release is not possible. The migration requires deploying new 4.0 SD-WAN
Gateway systems and decommissioning the systems running older code.
For VPN SD-WAN Gateways or NAT SD-WAN Gateways with well-known public IP addresses,
follow the procedure below if the public IP of the SD-WAN Gateway must be preserved.
1 Launch the new SD-WAN Gateway system based on the 4.0 release image. Refer to the
deployment guide for your platform for more information (Gateway Installation Procedures).
2 Shut down the old SD-WAN Gateway system: bring down the old SD-WAN Gateway VM, either
by running the "sudo poweroff" command on the CLI console or by powering it off from the
available Hypervisor options.
3 Migrate the public IP to the new system: update the NAT record to point to the new SD-WAN
Gateway system, or configure the public IP on the new SD-WAN Gateway network interface.
Deploy the new Gateway with the Cloud-init examples given above, using the same IP address
as the previous SD-WAN Gateway.
4 Obtain the activation key from the existing SD-WAN Gateway record in the SD-WAN
Orchestrator (as described in the steps below).
a From the SD-WAN Orchestrator, select Gateways from the left navigation panel.
c From the screen of the chosen SD-WAN Gateway, click the down arrow next to the
SD-WAN Gateway name to open the information box.
d The Activation Key is located at the bottom of the information box, as shown in the image
below.
6 Re-activate the new SD-WAN Gateway system: from the CLI console, run:
"sudo /opt/vc/bin/activate.py -s <vco_address> <activation_code>"
The SD-WAN Gateway is now registered and ready to receive a connection from the Edges.
Note The SD-WAN Gateway reactivation can also be performed via Cloud-init, as described in
the User Data section in this document.
1 Launch a new SD-WAN Gateway system. Refer to the deployment guide for your platform if
necessary (Gateway Installation Procedures).
3 Add the new SD-WAN Gateway to the SD-WAN Orchestrator SD-WAN Gateway pool. Refer to
the "Gateway Management" section in the VMware SD-WAN Operator Guide for more details.
a The SD-WAN Gateway is now registered and ready to receive a connection from the
Edges.
4 Remove the old SD-WAN Gateway from the SD-WAN Orchestrator SD-WAN Gateway pool.
Refer to the "Gateway Management" section in the VMware SD-WAN Operator Guide for more
information.
5 Decommission the old SD-WAN Gateway VM: remove the SD-WAN Gateway record from
the SD-WAN Orchestrator and decommission the VM instance.
Sample response:
{"jsonrpc":"2.0","result":[{"id":1, "activationKey":"69PX-YHY2-N5PZ-G3UW …
In the example shown in the figure below (VRF/VLAN Hand Off to PE), we assume eth0 is the
interface facing the public network (Internet) and eth1 is the interface facing the internal network
(customer VRF through the PE). BGP peering configuration is managed on the VCO on a per
customer/VRF basis under "Configure > Customer". Note that the IP address of each VRF is
configurable per customer. The IP address of the management VRF inherits the IP address
configured on the SD-WAN Gateway interface in Linux.
A management VRF is created on the SD-WAN Gateway and is used to send periodic ARP
refreshes to the default gateway IP to determine the next-hop MAC. It is recommended that a
dedicated VRF be set up on the PE router for this purpose. The same management VRF can also
be used by the PE router to send IP SLA probes to the SD-WAN Gateway to check the SD-WAN
Gateway status (the SD-WAN Gateway has a stateful ICMP responder that responds to ping only
when its service is up). BGP peering is not required on the Management VRF. If a Management
VRF is not set up, you can use one of the customer VRFs as the Management VRF, although this
is not recommended.
Step 1: Edit /etc/config/gatewayd and specify the correct VCMP and WAN interfaces. The VCMP
interface is the public interface that terminates the overlay tunnels. The WAN interface in this
context is the handoff interface.
"vcmp.interfaces": [
    "eth0"
],
(..snip..)
"wan": [
    "eth1"
],
Step 2: Configure the Management VRF. This VRF is used by the SD-WAN Gateway to ARP
for the next-hop MAC (PE router). The same next-hop MAC is used by all the VRFs created
by the SD-WAN Gateway. You configure the Management VRF with the vrf_vlan parameter in
/etc/config/gatewayd.
The Management VRF is also the VRF to which the PE router sends its IP SLA probes. The
SD-WAN Gateway only responds to the ICMP probe if the service is up and if there are Edges
connected to it. The table below explains each parameter that needs to be defined. This example
has the Management VRF on 802.1Q VLAN ID 1000.
"vrf_vlan": {
    "tag_info": [
        {
            "resp_mode": 0,
            "proxy_arp": 0,
            "c_tag": 1000,
            "mode": "802.1Q",
            "interface": "eth1",
            "s_tag": 0
        }
    ]
},
Step 3: Edit /etc/config/gatewayd-tunnel to include both interfaces in the wan parameter.
Save the change.
wan="eth0 eth1"
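Because Steps 1 to 3 spread one hand-off setup across two files, a quick consistency check before restarting the service catches the usual slips (a VRF VLAN placed on the VCMP interface, or an interface left out of gatewayd-tunnel). The following Python check is added here as an example; it is not part of the guide or of gatewayd. The "vcmp.interfaces", "wan", "vrf_vlan", "tag_info", "c_tag" and "interface" keys are the ones shown above, condensed into a constructed minimal gatewayd document; the 1-4094 VLAN range is the standard 802.1Q range and is assumed, not stated by the guide, to be what gatewayd accepts.

```python
import json

# Constructed minimal /etc/config/gatewayd content with only the keys that Steps 1 and 2
# above touch (the real file has many more keys; the guide shows "(..snip..)").
GATEWAYD_JSON = """\
{
    "vcmp.interfaces": ["eth0"],
    "wan": ["eth1"],
    "vrf_vlan": {
        "tag_info": [
            {"resp_mode": 0, "proxy_arp": 0, "c_tag": 1000,
             "mode": "802.1Q", "interface": "eth1", "s_tag": 0}
        ]
    }
}
"""

# Constructed /etc/config/gatewayd-tunnel content after Step 3 (shell-style key="value" lines).
GATEWAYD_TUNNEL = 'wan="eth0 eth1"\n'


def parse_tunnel_wan(text):
    """Return the interface names from the wan="..." line of gatewayd-tunnel."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "wan":
            return value.strip().strip('"').split()
    return []


def check_handoff_config(gatewayd_text, tunnel_text):
    """Cross-check the three edits: VCMP and WAN interfaces are set, every VRF VLAN entry
    rides on a WAN (handoff) interface with a valid 802.1Q VLAN id, and the tunnel wan
    list includes every VCMP and WAN interface."""
    cfg = json.loads(gatewayd_text)
    vcmp = cfg.get("vcmp.interfaces", [])
    wan = cfg.get("wan", [])
    tunnel_wan = set(parse_tunnel_wan(tunnel_text))
    problems = []
    if not vcmp:
        problems.append("vcmp.interfaces is empty: no interface terminates the overlay tunnels")
    if not wan:
        problems.append("wan is empty: no handoff interface towards the PE")
    for entry in cfg.get("vrf_vlan", {}).get("tag_info", []):
        tag, iface = entry.get("c_tag"), entry.get("interface")
        # 1-4094 is the usable 802.1Q VLAN id range (assumed to be what gatewayd accepts)
        if not isinstance(tag, int) or not 1 <= tag <= 4094:
            problems.append(f"c_tag {tag!r} is not a valid 802.1Q VLAN id (1-4094)")
        if iface not in wan:
            problems.append(f"VRF VLAN {tag} is on {iface!r}, which is not a wan (handoff) interface")
    missing = [i for i in vcmp + wan if i not in tunnel_wan]
    if missing:
        problems.append(f"gatewayd-tunnel wan= is missing {missing}")
    return problems


if __name__ == "__main__":
    report = check_handoff_config(GATEWAYD_JSON, GATEWAYD_TUNNEL)
    for line in report or ["hand-off configuration is consistent"]:
        print(line)
```

On a Gateway, read the two files into `check_handoff_config` instead of the constructed strings; an empty result means the three edits agree with each other.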
By default, the SD-WAN Gateway blocks traffic to 10.0.0.0/8 and 172.16.0.0/14. These entries must
be removed before using this SD-WAN Gateway, because we expect the SD-WAN Gateway to send
traffic to private subnets as well. If you do not edit this file, then when you try to send traffic to
the blocked subnets, you will find the following messages in /var/log/gwd.log
Step 1: On the SD-WAN Gateway, edit the /opt/vc/etc/vc_blocked_subnets.json file. Initially, the
file contains the following.
[
    {
        "network_addr": "10.0.0.0",
        "subnet_mask": "255.0.0.0"
    },
    {
        "network_addr": "172.16.0.0",
        "subnet_mask": "255.255.0.0"
    }
]
Step 2: Remove the two networks. After editing, the file should look like the following. Save the
change.
[
]
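The following Python helper is added here as an example; it is not part of the guide or of the Gateway software. It parses the vc_blocked_subnets.json format above (a list of {network_addr, subnet_mask} objects), derives each prefix length from the mask exactly as written in the file, answers whether a given destination would be blocked, and writes the list back in the same layout after entries are removed, so the Step 2 edit can be scripted and verified rather than hand-typed. The embedded file content is a constructed copy of the default shown in Step 1.

```python
import ipaddress
import json

# Constructed copy of the default /opt/vc/etc/vc_blocked_subnets.json content shown above.
DEFAULT_BLOCKED_SUBNETS_JSON = """\
[
    {
        "network_addr": "10.0.0.0",
        "subnet_mask": "255.0.0.0"
    },
    {
        "network_addr": "172.16.0.0",
        "subnet_mask": "255.255.0.0"
    }
]
"""


def load_blocked_subnets(text):
    """Parse the list of {network_addr, subnet_mask} entries into IPv4Network objects.
    A malformed address or mask raises ValueError rather than silently blocking nothing."""
    networks = []
    for entry in json.loads(text):
        # strict=False normalises an entry whose network_addr has host bits set
        networks.append(ipaddress.IPv4Network((entry["network_addr"], entry["subnet_mask"]),
                                              strict=False))
    return networks


def blocking_network(destination, networks):
    """Return the first blocked network that contains `destination`, or None if allowed."""
    dest = ipaddress.IPv4Address(destination)
    return next((net for net in networks if dest in net), None)


def remove_network(networks, cidr):
    """Return the list without the given network (CIDR string, e.g. "10.0.0.0/8")."""
    target = ipaddress.IPv4Network(cidr)
    return [net for net in networks if net != target]


def render_blocked_subnets(networks):
    """Serialise back to the file's {network_addr, subnet_mask} layout."""
    entries = [{"network_addr": str(net.network_address), "subnet_mask": str(net.netmask)}
               for net in networks]
    return json.dumps(entries, indent=4)


if __name__ == "__main__":
    nets = load_blocked_subnets(DEFAULT_BLOCKED_SUBNETS_JSON)
    print("blocked by default:", [str(net) for net in nets])
    for dst in ("10.1.2.3", "172.16.5.5", "192.168.10.1"):
        hit = blocking_network(dst, nets)
        print(f"{dst}: {'blocked by ' + str(hit) if hit else 'allowed'}")
    # The edited file after Step 2: both entries removed
    remaining = remove_network(remove_network(nets, "10.0.0.0/8"), "172.16.0.0/16")
    print(render_blocked_subnets(remaining))
```

`render_blocked_subnets([])` yields the empty list that Step 2 expects; keeping the round trip through `load_blocked_subnets` in the same script is a cheap way to confirm the file still parses after editing, since a syntax slip in this JSON is otherwise only discovered when gwd loads it.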