VMware SD-WAN by VeloCloud delivers a highly reliable and secure application-centric service for even the most latency-sensitive applications, independent of the underlying links. This is achieved by leveraging a simplified cloud-based platform that delivers the required business agility, performance, and simplicity. VMware SD-WAN ensures the secure delivery of traffic across various transports including the internet. It uniquely delivers simplified management with elimination of traditional CLI-based configuration and monitoring.
Follow the steps below for a quickstart of the VeloCloud lab environment.
- Section 1: Enabling a VeloCloud Pod and Accessing the RDSH Jumpbox
- Section 2: Accessing the Connections Home Page and Orchestrator (VCO)
- Section 3: Acronyms
- Section 4: Lab Topology Details and Walkthrough
- Section 5: Lab Exercise - Activate Internet Only Site with DHCP Address
- Link to Full Lab Guide
Before you Begin
In order to complete this product walkthrough please make sure you have the following:
- A valid account in the VMware TestDrive environment, sign up here if you do not have one.
- TCP & UDP ports 80, 443, 8443; and if using PCoIP, both TCP & UDP 4172
- An Horizon Client installed on your machine.
Section 1: Enabling a VeloCloud Pod and Accessing the RDSH Jumpbox
Enter your TestDrive Username and Password and select ENTER.
Next, locate the VeloCloud product under the Transform Networking and Security tab. Toggle the switch stating the product is disabled to ON.
You'll get a notification that the product is being turned on for your account. Once the provisioning is complete, the VeloCloud service will update and show a count down timer. This is how much time you have left to use the VeloCloud environment.
Once the service finishes provisioning, you will see credentials and link to the complete VeloCloud lab guide populated in the TestDrive portal. The credentials section shows you which username and password to use for Workspace ONE, and which credentials to use within the VeloCloud Horizon Desktop. Please refer back to these credentials as you follow the steps in the guides.
Click LAUNCH and LAUNCH VIA WORKSPACE ONE.
A new tab will open with Workspace ONE. Enter your TestDrive Username, then hit Next.
On the next screen, enter your TestDrive Password then hit Sign in.
Next, search for the VeloCloud desktop. Click to open into the desktop either via HTML access or Horizon Client access.
Now you'll be on the VeloCloud RDSH desktop.
Section 2: Accessing the Connections Home Page and the Orchestrator
Within the VeloCloud RDSH desktop, launch Google Chrome from the shortcut on the desktop and enter the URL listed in the VeloCloud card on the TestDrive portal and hit Enter. Below is an example of the formatted URL to enter. Please use the one listed in your own Portal view.
At the Velocloud Training Pod login screen, enter the Username and Password listed in your Portal view.
After successful login, you will be presented with the Home Page which gives you access to all the sites and devices.
To access sites with + sign, expand the connection by clicking on the + sign. The below figure shows expansion of the Chicago and Dallas Branch Sites. This allows access to all the resources available for each site.
With the multiple connections shown, you have the option to click on a connection to access it and use the browser back button to navigate back to the home page to access other connections or you can right click on each connection to open it in a separate browser tab.
Below is an example of using a right click to open the Chicago-VCE in a new browser tab.
Most of the lab pod work is going to be done from the Orchestrator (VCO) connection.
Open the VCO connection and within it, launch the browser icon which will open the Orchestrator login page at https://vco1.lab.velocloud.org with the Username and Password auto-populated.
Note that when this lab is first deployed, a browser window should already be open to the Orchestrator login page with the Username and Password auto-populated. If the green Sign In button is dimmed out, hit the refresh button in the browser.
Section 3: Acronyms
Acronyms used in this lab guide:
- VCO= VeloCloud Orchestrator
- VCG= VeloCloud Gateway
- VCE= VeloCloud Edge
- NVS= Non VeloCloud Site (A site that does not have a VeloCloud SDWAN device and a VCG is used to build IPsec tunnel to those sites)
- Legacy Site= Site with MPLS connection only.
- DC Site with Hub= A VeloCloud Hub behaves like a concentrator i.e. many SDWAN sites connect to it via tunnels. Once traffic gets to the HUB it can be sent to other networks or firewalls or even back to another SDWAN site.
- Overlay= A logical tunnel created between two VMware SDWAN entities. This works on a registered UDP 2426 port.
- Underlay= Another name for the traditional WAN network
- PoC= Proof of Concept
- SWG = Secure Web Gateway
Section 4: Lab Topology Details and Walkthrough
(click above for larger image in separate browser tab)
1. DC1 HUB1
a. VCE Management IP Address= 126.96.36.199/24
b. VCE Internet Link=GE4= 172.16.3.251/24=188.8.131.52/24
c. VCE MPLS Link=GE3= 172.16.2.1/24
d. LAN side = Vlan1= 169.254.111.1/24
e. eBGP between VCE hub1 to DC Switch=ASN 65113
f. eBGP between DC Switch and CE Router = ASN 65112
g. eBGP between CE Router and MPLS core router = ASN 100
h. DC Site Subnet is 172.16.x.y/16
i. DC Site Server machine= 172.16.111.200/24
2. DC1 HUB2
a. VCE Management IP Address= 184.108.40.206/24
b. VCE Internet Link=GE4= 172.16.3.252/24=220.127.116.11/24
c. VCE MPLS Link=GE3= 172.16.2.2/24
d. LAN side = Vlan1= 169.254.112.1/24
e. DC Site Subnet is 172.16.x.y/16
3. MPLS Legacy Site
a. Legacy Client= 192.168.16.200/24
b. Legacy MPLS router= Interface towards Client side= 192.168.16.254/24
c. Legacy Router= MPLS interface= 10.0.6.2/24 = ASN 64061
4. SFO Branch Site
a. VCE Management IP Address= 18.104.22.168/24
b. VCE MPLS Link=GE4= 192.168.10.2/24=GW=192.168.10.1
c. VCE Internet Link=GE3=Sprint= 22.214.171.124/24
d. LAN side = Vlan1= 169.254.113.1/24
e. SFO Switch= Interface towards VCE= eth3=192.168.10.1/24=ebgp=ASN 64133
f. SFO Switch= Interface towards CE router =eth2=ebgp=ASN 64132 = 192.168.11.1/24
g. SFO CE Router= Interface towards Switch= ebgp= ASN 64132= 19126.96.36.199/24
h. SFO CE Router= Interface towards MPLS core=10.0.3.2/24 = ASN 64131
i. SFO Client-side interface= Interface connected to switch = 19188.8.131.52/24
j. SFO Client machine= 192.168.3.200/24
5. SJC Branch Site
a. VCE Management IP Address= 184.108.40.206/24
b. VCE MPLS Link=GE4= 192.168.12.2/24=GW=192.168.12.1
c. SJC CE Router=Interface towards VCE= 192.168.12.2/24, ebgp=ASN 64143
d. SJC CE Router=Interface towards MPLS Core router=10.0.4.2/24, ebgp=64141
e. VCE Internet Link=GE3=AT&T= 220.127.116.11/24, GW=18.104.22.168
f. LAN side = Vlan1= 192.168.4.254/24 (DHCP Server)
g. Client Machine=192.168.4.0/24 (DHCP Client)
6. Dallas Branch Site
a. VCE Management IP Address = 22.214.171.124/24
b. Dallas VCE LAN Side subnet is 192.168.5.0/24
c. Dallas VCE LAN Side interface= GE1= 192.168.5.254/24
d. Dallas Client-side machine=192.168.5.0/24 (DHCP IP Address)
e. Dallas MPLS interface = GE4= 10.0.5.2/24= ebgp ASN 64153
f. Dallas Internet interface=GE3= 126.96.36.199/24
7. Chicago Branch Site
a. VCE Management IP Address = 188.8.131.52/24
b. Dallas VCE LAN Side subnet is 192.168.6.0/24
c. Dallas VCE LAN Side interface= GE1= 192.168.6.254/24
d. Dallas Client side machine=192.168.6.0/24 ( DHCP IP Address)
e. Dallas Internet interface = GE4= 184.108.40.206/24
f. Dallas Internet interface=GE3= 220.127.116.11/24
8. LAX Branch Site
a. VCE Management IP Address = 18.104.22.168/24
b. LAX VCE WAN Internet Interface= GE3= 22.214.171.124/24
c. VCE Switch side interface=GE4=192.168.8.1/24
d. LAX Switch interface towards VCE = eth1= 192.168.8.2/24
e. LAX Client machine = 192.168.9.200/24
Lab Topology Walk-Through
1. Single DC site with INT and MPLS connection.
2. 2 SD-WAN edge devices ready to be configured with cluster.
3. Two-Arm Mode behind FW DC topology.
4. Firewall (FW) is enabled on INT link. FW has the static NAT rules for both edge device and allow UDP 2426 traffic for building up the overlay.
a. Edge device -1: GE4 towards Firewall: 172.16.3.251 -- > NAT configured on FW is 126.96.36.199
b. Edge device -2: GE4 interface on Edge device towards Firewall: 172.16.3.252 -- > NAT configured on FW is 188.8.131.52
5. Site is preconfigured with BGP Routing on Layer-3 Switch, and the Layer-3 Switch with neighboring CE router.
a. DC site has Server subnet running behind L3 Switch. L3 subnet is 172.16.111.0/24
b. Static route is configured on the DC Switch for Branch sites with subnet 192.168.0.0/16 to reach 172.16.111.0/24.
c. End user will be Activating, configuring BGP on hub device as part of the lab exercise.
Two Arm Deployment Diagram:
1. Single Legacy Site is pre-configured.
2. Legacy site is MPLS site only.
3. Legacy Site subnet is 192.168.16.0/24
4. Best practice for Internet only branch sites will reach Legacy subnet using DC site as the transit site.
1. There are total of 5 Branch Sites.
2. End user during the Lab exercise will be activating and configuring routing on internet and hybrid branch sites.
3. Each Branch site is with VMware SD-WAN Edge Device (VCE) by VeloCloud. These Edges devices are Virtual appliances.
a. Internet Only Sites: Sites with Internet Connection.
Chicago Branch Site and LAX Branch Site.
b. Hybrid Sites are with connection to Internet and MPLS.
SFO Site, SJC and Dallas sites are Hybrid Sites
Branch Site-1: SFO Site
1. Branch Site name is SFO Branch Site. Hybrid Site with Internet and MPLS connection.
2. Two-Arm Mode behind FW DC topology.
3. Site with Internet connection terminating on Edge (VCE) device.
4. Off-Path Design: VCE not in the Traffic path. VCE is not in the path between the MPLS and the internal network.
5. Advantages of this off path design is automatic fallback to MPLS when VCE fails. HA not required for survivability.
6. BGP peering with L3 Switch. L3 switch is BGP neighbor to both VCE and CE router. This is all pre-configured.
7. SFO Client subnet is 192.168.3.0/24.
8. As part of the lab exercise, end user will use the routing best practices to configure route filtering for BGP. Routing is already configured on non SDWAN devices (Layer-3 switch)
Branch Site-2: SJC Site
1. Site name is SJC Branch Site. Hybrid Site with Internet and MPLS Connection.
2. Site edge device is un-activated.
3. VCE is In-Path, Hybrid Site with BGP running between VCE and CE router.
4. VCE is in Traffic path. VCE is in the path between the MPLS and the internal network.
5. With this topology VCE uses OSPF/BGP with CE router. CE does the BGP peering with PE router using BGP.
6. Advertise SD-WAN routes to/from underlay
7. Care must be taken to avoid making branch a transit
Branch Site-3: Dallas Site
1. Branch Site name is Dallas Site. This is also a Hybrid Site with Internet and MPLS connection.
2. Site edge device is un-activated.
3. Edge device (VCE) is In-Path, Hybrid Site without CE router. BGP is already enabled on the MPLS link. DALLAS site is not configured with overlay on the MPLS link.
4. VCE uses BGP with PE router. Advertise SD-WAN routers to/from underlay.
5. As a routing best practice, end user will use the Uplink feature to make this branch site a Non-Transit Site.
How is this site different than other Hybrid Sites?
This site eliminates CE router. Edge device does direct peering with SP PE Router.
Branch Site-4: Chicago Site
1. Branch Site name is Chicago Branch Site. Internet Only Site.
2. Site with Dual Internet connection and is un-activated.
3. In-Path VCE with dual Internet Links.
4. No routing protocol configured on LAN side of VCE.
5. To reach MPLS site (legacy site in this case), this site will use DC site as a transit site.
Branch Site-5: LAX Site
1. Branch Site name is LAX Site. Internet only Site
2. In-Path VCE with Single INT Link.
3. This site will use DC site as a transit site to reach MPLS site.
4. Layer-3 switch is configured typically with Static or OSPF routes.
Section 5: Lab Exercise - Activate Internet Only Site DHCP Address
Activate Branch site with WAN IP address as DHCP using the Zero Touch Provisioning feature.
(click above for larger image)
Objective: Activate Edge device using Zero touch provisioning.
This lab exercise is about activating the Edge device using the Pull activation process. For this, Chicago Branch site is used.
- Create Site from Orchestrator “Chicago Branch Site”
- Create site generates a unique Activation link which includes the key. Email the Activation key to Remote administrator.
- Connect the client machine to Edge device and click on the activation link to Activate the edge device.
Activate Chicago edge device with WAN IP address as DHCP Address.
1. From your browser, access the VCO connection page.
2. Connect to your VeloCloud Orchestrator, Click Configure > Edges.
3. On the VeloCloud Edges page, click New Edge.
4. Configure the Provision New Edge window.
a. In the Name field, enter Chicago Branch Site.
b. From the Model drop-down menu, select Virtual Edge.
c. From the Profile drop-down menu, select Quick Start Profile
d. Authentication as Certificate Optional
e. Click Create.
f. Save the changes.
g. This will take the site creation to Pending state.
h. From the Edge overview, Click on Send Activation Email to send the email to remote admin. (Non IT Person)
i. Activation Link in this case has all the information for the activation process, VCO FQDN/IP Address, Activation Key and other information.
j. Hit Send.
5. Next step is to be executed by the remote Administrator. Remote administrator has physical access to the edge device.
a. Remote admin will follow the procedure mentioned in the email.
The lab environment is not equipped with an email service and as such we will not be able to send out the actual activation email. However, we can access the Orchestrator (VCO) through the client attached to the edge we want to activate and simply click on the activation link in the Orchestrator.
Alternatively, you can also copy the link from the orchestrator and paste it into the browser of the client attached to the edge we’re looking to activate.
b. Email is not configured in this lab environment. You must log in at the Chicago site to finish configuration. From the connection page of your browser, Access the Chicago-Client connection.
c. When this lab is first deployed, a browser window should already be open to the Orchestrator login page within the Chicago-Client with the Username and Password auto-populated. If the green Sign In button is dimmed out, hit the refresh button in the browser.
If a browser to the Orchestrator login page is not yet open, then click the Web Browser icon in the taskbar to open the Firefox browser to https://vco1.lab.velocloud.org
d. Click Sign In.
e. In the navigation pane on the left, click Configure > Edges.
f. In the VeloCloud Edges pane, click Chicago Branch Site.
g. Click Send Activation Email.
h. In the Send Activation Email window, click the activation link.
6. This will open the Local UI for the edge device. Make sure that the Internet Status is Connected before you move on to the next step.
7. In the VeloCloud Edge Activation window, click Advanced.
8. Select the Ignore check Click on Activate
Edge Activation might take up to 30 seconds. An Activation successful window appears when complete.
Activation is Complete.
Next, do the verification task. Check the site and link status.
9. Click X to close the Activation successful dialog box.
10. Close the Local UI browser and the Orchestrator tab from the Chicago-Client.
11. Go back to the VCO connection page to check on the Site status.
12. In the navigator pane on the left, click Monitor > Edges.
13. In the VeloCloud Edges Branch Site, verify that Chicago Branch Site has a green status (refresh the browser window if not yet green, this might take a couple minutes!)
14. In the Edge column, click Chicago Branch Site.
15. Verify that the Chicago Branch Site has the status of (Connected).
16. In the navigator pane on the left click Monitor > Events. Verify that you can see Link alive events for the Chicago Branch Site.
Information on Activation Link:
Activation link has all the information to reach Orchestrator and get activated.
192.168.2.1 is the default subnet for orchestrator. This subnet is also configured on an un-activated edge device. Activation key is auto populated in the link along with the VCO FQDN or IP Address. If the WAN IP address is static, you will notice that the activation link is longer and has IP address included.
This concludes the lab quickstart. To follow through all other available lab exercises, view the complete lab guide at the following link: