• No results found

SD-WAN by VeloCloud and VMware Cloud on AWS Deployment Guide VMware SD-WAN 3.3

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "SD-WAN by VeloCloud and VMware Cloud on AWS Deployment Guide VMware SD-WAN 3.3"

Copied!
13
0
0

Loading.... (view fulltext now)

Download now ( 13 Page )

Full text

(1)

SD-WAN by VeloCloud and VMware

Cloud on AWS Deployment Guide

2020

(2)

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

VMware, Inc. 3401 Hillview Ave.

(3)

Contents

1

VMware SD-WAN™ by VeloCloud® and VMware Cloud on AWS Deployment Guide 4

SD-WAN by VeloCloud and VMware Cloud on AWS Deployment Overview 4 Required Software Requirements and Components 5

Procedures 6 Troubleshooting 13

(4)

VMware SD-WAN™ by

VeloCloud® and VMware Cloud

on AWS Deployment Guide

1

The VMware SD-WAN™ by VeloCloud® and VMware Cloud on AWS deployment guide provides step-by-step instructions on how to optimize connectivity between VMware Cloud on AWS and VMware SD-WAN enabled branches.

This chapter includes the following topics:

n SD-WAN by VeloCloud and VMware Cloud on AWS Deployment Overview n Required Software Requirements and Components

n Procedures n Troubleshooting

SD-WAN by VeloCloud and VMware Cloud on AWS

Deployment Overview

This section provides an overview of the VMware SD-WAN by VeloCloud and VMware Cloud on AWS Deployment Guide.

VMware Cloud on AWS delivers a seamlessly integrated hybrid cloud solution that extends on-premises vSphere environments to a VMware Software-Defined Data Center (SDDC) running on Amazon Elastic Compute Cloud (Amazon EC2) elastic, bare-metal infrastructure that is fully integrated as part of AWS. It serves a broad range of customer use cases including cloud migration, data center extension, DR and next-generation application modernization. With

VMware SD-WAN support for VMware Cloud on AWS, users at branches or remote locations can have a better network connectivity to workloads deployed on VMware Cloud on AWS leveraging the distributed hosted VMware SD-WAN Cloud Gateways. This deployment guide provides details on how to achieve this connectivity between an SD-WAN Gateway and VMware Cloud Gateway.

The figure below illustrates the Integration of VMware SD-WAN by VeloCloud and VMware Cloud on AWS, which uses IPSec connectivity between the SD-WAN Gateway and the VMware Cloud to Router.

(5)

Required Software Requirements and Components

This section describes the required software requirements and components to optimize connectivity between VMware Cloud on AWS and VMware SD-WAN enabled branches. n VMware SD-WAN by VeloCloud

n Software version 3.3.2 or higher

n “Non-VeloCloud-Site” (NVS) Policy-Based IPsec IKEv1 n “Edge Profile” configured for Edges

n SD-WAN Edge appliance with clients connected on LAN or WLAN

n Gateway address which can be procured at the time of configuring the NVS. Note: Private IP of Gateway is also needed (in this release, this IP is hidden from the UI and the network administrator must contact VMware SD-WAN by VeloCloud support for this IP)

n Traffic selection for subnets to be encrypted over tunnel n Client connected to a LAN-side Subnet of the SD-WAN Edge n VMware Cloud on AWS

n Software Version SDDC M10v2 or higher

n Logical network in the form of a segment with a subnet n VMware Cloud Public IP

n Policy-based IPSec IKEv1 VPN

n Traffic selection for subnets to be encrypted over tunnel

n Client VMs connected to a segment within VMware Cloud on AWS that is designated as traffic for IPSec encryption

(6)

Procedures

This section provides step-by-step procedures on how to achieve connectivity between an SD-WAN Gateway and a VMware Cloud Gateway.

1 Log into the VMware Cloud Console based on the URL for your SDDC organization (The VMware Cloud Services Login Page).

On the Cloud Services Platform, select VMware Cloud on AWS.

2 Find Public IP used for VPN connectivity by clicking the Networking and Security tab. The VPN Public IP displays below the Overview pane.

3 Determine the networks/subnets for traffic encryption selection (interesting traffic) and note them down. These should originate from Segments in Networking/Security in the VMware Cloud. (Locate this by clicking Segments, under Network.

4 Log into the SD-WAN Orchestrator and verify that SD-WAN Edges are present with a green status icon displayed next to them.

(7)

5 Go to the Configure tab and click Network Services, and then under Non-VeloCloud Sites, click the New button.

6 Provide a name for the Non VeloCloud Site, select the type, in this case, Generic Firewall (Policy Based VPN), and Enter the Public IP from the VMC obtained in Step 2, and click Next.

(8)

7 Click the Advanced button, and under the Primary VPN Gateway: a Change to the desired PSK.

b Ensure encryption set to AES 256. c Change DH group to 5.

d Enable PFS to 5.

e Enter the site-subnets captured in Step 3. f Click the checkbox to Enable Tunnels. g Click Save Changes.

(9)

8 Click View IKE/IPSec Template and copy the information into a text file, and then close the window.

(10)

10 Go to the profile for the associated SD-WAN Edge and click the appropriate Profile. 11 Under the correct Profile:

a Go to the Device tab, under Cloud VPN and Branch to Non-VeloCloud Site, click the checkbox next to Enable.

b In the drop-down menu, select the NVS Network Service that was created (beginning in Step 5).

c Click the Save Changes button at the top of the screen.

12 The tunnel should be ready on the SD-WAN Orchestrator. 13 Log into the VMware Cloud Console.

14 Go to Networking and Security and click the VPN tab. In the VPN area, select Policy Based

VPN, and click Add VPN.

(11)

15 Provide a name for the Policy Based VPN and configure the following:

a Choose a name. (Choose a name that starts with “To_SDWAN_Gateway,” so the VPN can be easily identified during troubleshooting and future support).

b Select the Public IP. c Enter the remote Public IP.

d Enter the remote Private IP. NOTE: This will require a call to GSS Support, please refer to the following KB article, and mention the KB ID when contacting Support. https://

ikb.vmware.com/s/article/78196.

e Specify the remote networks located on the SD-WAN Orchestrator. f Select the Local Networks.

g Under Tunnel Encryption, select AES 256. h Under Tunnel Digest Algorithm, select SHA1.

i Make sure Perfect Forward Secrecy is set to Enabled. j Enter the PSK, to match Step 7A.

k Under IKE Encryption, select AES 256. l Under IKE Digest Algorithm, select SHA 1.

(12)

16 Once the configuration is complete, the tunnel is automatically enabled and will proceed to negotiate the IKE Phase 1 and Phase 2 parameters with the peer, which is the SD-WAN Gateway.

17 Once the tunnel displays (green), verify that the tunnel disaplays green in the SD-WAN Orchestrator (go to Monitor > Network Services)).

18 Start a ping from a client connected at each end towards the opposite client, and verify ping reachability.

(13)

The tunnel configuration has been complete and verified.

Troubleshooting

This section describes troubleshooting information when connecting an SD-WAN Gateway and a VMware Cloud Gateway.

While from a user perspective there is limited CLI and log access, there are errors you can

capture and share with Support. One of the first areas to troubleshoot is to ensure that IKE Phase 1 and 2 parameters are equivalent on both ends. It’s possible that the Pre-Shared-Key might be incorrectly entered, causing IKE to fail in authentication.

Some Tips to Consider:

n The private IP of SD-WAN Gateway is needed and can only be picked up using a diagnostic bundle of the SD-WAN Gateway or by using SSH to access the Gateway. This activity can only be done by VMware SD-WAN Support.

n End-users can check events/alerts in the SD-WAN Orchestrator and set it up to receive emails.

n End-users can view the tunnel status under the VMC Networking/Security Policy VPN section.

References

Download now ( PDF - 13 Page - 1.77 MB )

Related documents

Enterprise Networking and SD-WAN with Cisco and AWS

Creating a bridge between apps and SD-WAN via AWS Cloud Map Deeper connectivity into the cloud with Cisco Meraki virtual MX and AWS Transit Gateway.. Global WAN with Meraki SD-WAN

Azure Virtual Edge Deployment Guide VMware SD-WAN 4.3

The Azure Vritual Edge Deployment Guide focuses on how to deploy a Virtual Edge in Azure leveraging the convenience of an Azure Resource Manager (ARM) Template.. More customers

Introducing VMware Cloud Foundation. 09 FEB 2021 VMware Cloud Foundation 4.2

Based on a proven and comprehensive software-defined stack including VMware Cloud Foundation™ with VMware Tanzu™, VMware vSAN ® , VMware NSX-T ® Data Center, and VMware vRealize ®

Forklifting to AWS: An Option for Migration to AWS October Forklifting to AWS: An Option for Migration to AWS

Using VMware vCenter 

Microsoft Services Provider License Agreement on VMware Cloud on AWS

If the MSP wants to buy the Microsoft SQL server and Microsoft Windows server license from VMware, they need to sign our “Software Services Reseller Addendum”.. If a new MSP

Citrix Virtual Apps and Desktops (CVAD)

This solution architecture guide has described the integration of Citrix Virtual Apps and Desktops with VMware Cloud on AWS to create virtual desktop and application environments in

VMware Cloud Sizer User Guide. VMware Cloud services

2 After you have signed in to view individual project details, click View Logs on the VMware Cloud sizer home page. All project levels logs are displayed on the VMware Cloud sizer

VeloCloud Operator Guide. VMware SD-WAN 3.3

New Chapter 4 Log in to the SD-WAN Orchestrator Using SSO for Operator User New Configure an IDP for Single Sign On.. Updated Configure Orchestrator Authentication Updated Create