abc of NSX SDWAN - Velocloud

Agenda

How Velocloud addressing WAN issues

NSX-SDWAN Velocloud components
Controllers familiarity
Profiles & Policies
Configuration & ZTP
Security & design
 Overview an d Foundation of V M w a r e SD-WAN by
VeloCloud

Cloud-delivered Software-defined WAN from VeloCloud assures enterprise

and cloud application performance over Internet and hybrid WAN while
simplifying deployments and reducing costs.
Market Players & Gartner report
 SD-WAN Benefits

SD ‐ WAN provides a wide range of benefits for distributed

organizations, including:

1. Business agility
2. Internet economics
3. Optimized cloud architecture
 SD‐WAN Considerations

1. Ease of adoption and management

2. Ability to migrate to hybrid WAN
3. Automation – traffic steering
 SD-WAN Features

• Virtualizes the network

• Enables a secure overlay
• Simplifies services delivery
• Provides interoperability
• Leverages cost effective hardware
• Supports automation with business policy framework
• Monitors usage and performance
• Supports interoperable and open networking
VMware SD-WAN by VeloCloud Key
components and Architecture
• Increases acceleration to cloud application adoption (O365, SFDC,
AWS, etc) with flexible traffic policies
• A fraction of the cost of an MPLS network
• Transport independent, whether private, public, even LTE
• We can improve your real time voice & video applications
• You'll have full management & visibility of your entire WAN
• Simplicity of zero-touch branch deployments
• Link remediation and correction
• Multi-tier / Multi-tenant
Architecture Overview
Service Provider Deployment
Component Overview
VMware SD-WAN solution has three main components

Edge (VCE) - highlight location flexibility (cloud, dc, branch), form factor
flexibility

Orchestrator (VCO) - Virtual, Multi-tenant, highlight simplicity and no

CLI, enables fast ramp of IT teams, less need for skilled resources,
monitoring and troubleshooting are key, API Integration (eg AT&T
leverages APIs)

Gateway (VCG) - Virtual, Multi-tenant with functions on data plane and

control plane, VCG has global presence with partnerships with major
service providers. Supports both cloud and on-premise model.
 Core Features
Core Feature #1: Zero-Touch D ep lo ym en t
Core Feature #2: D y n a m i c P a th Selection
Core Feature #3: Link Stee r i n g a n d R e m ed i a ti o n
Core Feature #4: Cloud V P N
Core Feature #5: Multi-Tenancy
Core Feature #6: Segmentation
Core Feature #7: Virtual Networ k Function
 #1: Zero-Touch Deployment

# 2 : D y n a m i c P a th Selection
#3: Link Steering and Remediation
#4: Cloud VPN
Core Feature # 5 : Multi-Tenancy

All the VMware NSX SD-WAN by Velocloud components, Orchestrator and the Gateways,
are multi-tentant in nature.
Core Feature # 6 : S e g m e n t a t i o n
Core Feature # 7 : Virtual Netw ork Function
 Velocloud Edge

https://www.velocloud.com/get-started
 VeloCloud Edge 500 Overview

Up to three hardwired WAN connections via two RJ-45 connectors and

one SFP connector.

Up to four wireless WAN connections via USB wireless WAN modems.

Four hardwired LAN connections and a Wi-Fi hotspot.

Back Panel & side connections
Front Panel Lights
 Network Configuration
The VeloCloud Edge can be configured as a standalone device or paired with
a similar device in a High Availability configuration.

User Interface
The device user interface (UI) can be accessed at http://edge.velocloud.net
The device UI includes local web pages (Overview, Properties, Diagnostics,
and Reset Settings) that provide troubleshooting functions and information about
the interfaces.
IMPORTANT NOTE: The UI should only be used for initial configuration and troubleshooting
when the Internet is not available. The device UI is not expected to be used during normal
operations since all of the information and configurations are also available through the
VeloCloud Orchestrator.
 Edge
Overview
 WAN Interface Properties

IMPORTANT NOTE: After you click the Save Changes button, you will be prompted to enter
credentials. When prompted, type in the default credentials, admin for the user name and admin for the
password.
 Diagnostics
The Diagnostics page provides several diagnostic tests including:
Bandwidth
Pinging external IP addresses (e.g. google.com) to determine basic network
connectivity
Evaluating the connectivity from the device to the VeloCloud Service

Click the Run button to run a diagnostic test. You can also download the device
diagnostic bundle by clicking appropriate button on the screen
 Edge Reset Settings
The Reset Settings page has buttons to initiate the following functions:
•  Identify – Flashes the Edge lights for 30 seconds to help you locate the
Edge.
•  Restart Service – Restarts the VeloCloud service.
•  Reboot – Initiates a reboot of the device. When the service light
illuminates again, the device has completed the reboot process.
•  Reset Configuration – Returns the device to an unactivated state: the
cloud services are turned off, the device is no longer associated with a cloud
managed configuration, and the initial default configuration is applied.
VeloCloud Orchestrator Dashboard
VeloCloud vs Viptela Components
 VeloCloud Edge

The VeloCloud Edges are zero-touch, enterprise-class devices or virtual

software that provide secure and optimized connectivity to private, public and
hybrid applications; compute; and virtualized services. 

VeloCloud Edges perform deep application recognition, application and per-

packet steering, on-demand remediation performance metrics and end-to-end
quality of service (QoS) in addition to hosting Virtual Network Function (VNF)
services.

An Edge pair can be deployed to provide High Availability (HA). Edges can be
deployed in branches, large sites and data centers. All other network
infrastructure is provided on-demand in the cloud.
 VeloCloud Orchestrator
The VeloCloud Orchestrator provides centralized enterprise-wide configuration
and real-time monitoring, as well as orchestrates the data flow into and through
the SDWAN overlay network.

Additionally, it provides the one-click provisioning of virtual services across

Edges, in centralized and regional enterprise service hubs and in the cloud.
 VeloCloud Gateways
VeloCloud’s network consists of gateways deployed at top tier network points-of-
presence and cloud data centers around the world, providing SDWAN services to
the doorstep of SaaS, IaaS and cloud network services as well as access to
private backbones.

Multi-tenant, virtual Gateways are deployed both by VeloCloud transit and cloud
service provider partners. The gateways provide the advantage of an on-
demand, scalable and redundant cloud network for optimized paths to cloud
destinations as well as zero-installation applications.

A Cloud Edge may also be configured with VeloCloud Gateways to provide

Internet inbound firewall protection.
Cisco vs Vmware SDWAN
Viptela vs VeloCloud Capabilities
Viptela
Dynamic Multi-path Optimization

VeloCloud Dynamic Multi-path OptimizationTM is comprised of automatic link

monitoring, dynamic link steering and on-demand remediation.

Link Steering and Remediation

Dynamic, application aware per-packet link steering is performed automatically
based on the, embedded knowledge of network requirements of the application, a
business priority of the applicationnd the real-time capacity and performance
of each link.
On-demand mitigation of individual link degradation through forward error
correction, jitter buffering and negative acknowledgment proxy also protects the
performance of priority and network sensitive applications.
Cloud VPN

Cloud VPN is a 1-click, site-to-site, VPNC-compliant, IPSec VPN to

connect VeloCloud and Non-VeloCloud Sites while delivering real-time status and
the health of the sites.

The Cloud VPN establishes dynamic edge-to-edge communication for all branches
based on service level objectives and application performance.

Cloud VPN also delivers secure connectivity across all branches with PKI scalable key
management. New branches join the VPN network automatically with access to all
resources in other branches, enterprise data centers, and 3rd party data centers,
like Amazon AWS.
Multi-source Inbound QoS

VeloCloud classifies 2,500+ applications enabling smart control.

Out-of-the-box defaults set the multi-source inbound Quality of Service (QoS) parameters
for different application types with IT required only to establish application priority.

Knowledge of network requirements for different application types, automatic link capacity
measurements and dynamic flow monitoring enables automation of QoS configurations
and bandwidth allocations.
Firewall

VeloCloud delivers stateful and context-aware (application, user, device)

integrated application aware firewall with granular control of sub-applications,
support for protocol-hopping applications – such as Skype and other peer-to-peer
applications (e.g., disable Skype video and chat, but allow Skype audio).

The secure firewall service is user- and device OS-aware with the ability to
segregate voice, video, data, and compliance traffic. Policies for BYOD devices
(such as Apple iOS, Android, Windows, and Mac OS) on the corporate network
are easily controlled.
Network Service Insertion

The VeloCloud Solution supports a platform to host multiple virtualized network

functions to eliminate single-function appliances and reduce branch IT complexity.
 
VeloCloud service-chains traffic from the branch to both cloud-based and enterprise
regional hub services, with assured performance, security, and manageability.

Branches leverage consolidated security and network services, including those

from partners like Zscaler and Websense. Using a simple click-to-enable interface,
services can be inserted in the cloud and on-premise with application specific
policies.
Routing and Segmentation
Overlay Flow Control
The VeloCloud Edge learns routes from adjacent routers through OSPF and BGP. It
sends the learned routes to the Gateway/Controller. The Gateway/Controller acts like
a route reflector and sends the learned routes to other VeloCloud SD-WAN Edges.
The Overlay Flow Control (OFC) enables enterprise-wide route visibility and control
for ease of programming and for full and partial overlay.
OSPF
VeloCloud supports inbound/outbound filters to OSPF neighbors, OE1/OE2 route
types, MD5 authentication. Routes learned through OSPF will be automatically
redistributed to the controller hosted in the cloud or on-premise.
BGP
VeloCloud supports inbound/outbound filters and the filter can be set to Deny, or
optionally adding/changing the BGP attribute to influence the path selection, i.e. RFC
1998 community, MED, AS-Path prepend, and local preference.
Segmentation
Network segmentation is an important feature for both enterprises and service
providers. In the most basic form, segmentation provides network isolation for
management and security reasons. Most common forms of segmentation are
VLANs for L2 and VRFs for L3.

Business Policy Framework

Quality of Service (QoS), resource allocations, link/path steering, and error
correction are automatically applied based on business policies and application
priorities. Orchestrate traffic based on transport groups defined by private and
public links, policy definition, and link characteristics.
Velocloud Network Topologies
 Branches to Private Third Party (VPN)

Customers with a private data center or cloud data center often want a way to
include it in their network without having to define a tunnel from each individual
branch office site to the data center.
By defining the site as a non-VeloCloud site, a single tunnel will be built from the
nearest VeloCloud Gateway to the customer’s existing router or firewall.
Branch Site Topologies

The VeloCloud service defines three different typical branch topologies

designated as Bronze, Silver, and Gold.

In addition, pairs of VeloCloud Edges can be configured in a High Availability

(HA) configuration at a branch location. Each topology is described in the
following sections.
Bronze Site Topology

The Bronze topology represents a typical small site deployment where there are
one or two WAN links connected to the public internet. In the Bronze topology
there is no MPLS connection and there is no L3 switch on the LAN-side of
the VeloCloud Edge. See the diagram below for an overview of the Bronze
topology.
Silver Site Topology

The Silver topology represents a site that also has an MPLS connection in addition
to one or more public Internet links. There are two variants of this topology.

The first variant is a single L3 switch one or more public internet links and a MPLS
link which is terminated on a CE and is accessible through the L3 switch. In this
case, the VeloCloud Edge goes between the L3 switch and Internet (replacing
existing firewall/router).

he second variant includes MPLS and Internet routers deployed using HSRP with
an L2 switch on the LAN side. In this case, the VeloCloud Edge replaces the L2
switch.
On Premise

The topology consists of two hubs and multiple branches (some with VCE and
some without). Each hub has hybrid WAN connectivity. There are several branch
types. Note that gold site is not currently in the scope of this release
and will be added at a later time.
The MPLS network runs BGP and peers with all the CE routers. At Hub 1, Hub 2,
and Silver 1 sites, the L3 switch runs OSPF or BGP with the CE router and firewall
(in case of hub sites).
In some cases, there may be redundant data centers which advertise the same
subnets with different costs. In this scenario, both data centers can be
configured as edge-to-edge VPN hubs.

Since all edges connect directly to each hub, the hubs in fact also connect
directly to each other. Based on route cost, traffic is steered to the preferred
active data center.
High Availability (HA) Topology

The following diagram provides a conceptual overview of the VeloCloud High

Availability configuration using two VeloCloud Edges, one active and one
standby.
Connecting the L1 ports on each edge is used to establish a failover link. The
standby VeloCloud Edge blocks all ports except the L1 port for the failover link.
VeloCloud Key Concepts
VeloCloud Roles and Privilege Levels

There are two primary roles in a VeloCloud service that perform tasks related to
administration and setup: an IT Administrator and a Site Contact at each site
where a VeloCloud Edge device is deployed.

Site Contact
The Site Contact is responsible for VeloCloud Edge physical installation and
activation with the VeloCloud service. The Site Contact is a non-IT person that has
the ability to receive an email and perform the instructions in the email for Edge
activation.
IT Administrator

The IT Administrator configures, monitors, and administers

the VeloCloud service operation. There are three IT Administrator roles:
Enterprise Standard Admin – can perform all configuration and monitoring
tasks.
Enterprise Superuser – can perform the same tasks as an Enterprise Standard
Admin and can also create additional users with the Enterprise Standard Admin,
Enterprise MSP, and Customer Support role.
Enterprise Support – can perform configuration review and monitoring tasks
but cannot view user identifiable application statistics and can only view
configuration information.
 4 core configurations
The VeloCloud service has four core configurations that have a hierarchical
relationship (see the diagram below). These configurations are created and
values entered in the VeloCloud Orchestrator.
•Network: Defines basic network configurations–such as addressing and VLANs.
Networks can be designated as Corporate or Guest and there can be multiple
definitions of each.

•Network Services: Define several common services used by

the VeloCloud Service–such as BackHaul Sites, Cloud VPN Hubs, Non-VeloCloud
Sites, Cloud Proxy Services, DNS services, and Authentication Services.

•Profile: Defines a template configuration that can be applied to multiple Edges. A

Profile is configured by selecting a Network and Network Services. A profile can be
applied to one or more Edge models and defines the settings for the LAN, Internet,
Wireless LAN, and WAN Edge Interfaces. Profiles can also provide settings for Wi-
Fi Radio, SNMP, Netflow, Business Policies and Firewall configuration.
Edge: Configurations provide a complete group of settings that can be
downloaded to an Edge device. The Edge configuration is a composite of settings
from a selected Profile, a selected Network, and Network Services. An Edge
configuration also override settings or add ordered policies to those defined in
the Profile, Network, and Network Services.
Velo-Edge Activation : HOL-2039-01-NET

https://labs.hol.vmware.com
 VMWARE SD-WAN VIRTUAL EDGE
2 x Intel vCPU's (minimum)
For 4x vCPUs and above, Intel DPDK functionality is recommended for
optimizing performance
CPU must support AES-NI, SSSE3 and RDTSC instruction sets
Hyper-threading disabled
CPU's at 2.0 Ghz or higher
4 GB of memory
8GB of storage

Supported Network I/O: 

SR-IOV, VirtIO, VMXNET3
In real world: you would have to download the image from VMware downloads
page.
 Download the OVA file from VMware downloads page

 From the VMware SD-WAN Orchestrator, Create a Site with Virtual Edge
as edge option  - VMware SD-WAN Orchestrator acts as the single pane of glass
for the  entire enterprise's SD-WAN network. Orchestrator is used to carrying out
tasks for day-0 installation as well as day-1 to day-n monitoring and  analytics
activities.
 From vCenter, Deploy the Virtual Edge using the OVA File - Since the
deployment is to be done on VMware's ESXi environment, using vCenter, edge
OVA file would be deployed.
 From vCenter, Power on the Edge device and Verify the Activation of the
SD-WAN Edge device.
 From the VMware SD-WAN Orchestrator, Verify SD-WAN Overlay:  Once
the VMware SD-WAN edge is installed and brought up, SD-WAN  overlays would
be verified between the edge to the already installed  gateway. The verification is
done again from the single pane of glass -  VMware SD-WAN Orchestrator.
1) Under the VMware SD-WAN Orchestrator screen; click on "Configure"    
Navigate to "Edges"; since there are no active edges installed for customer
"Global Retail Inc" no edges would show up here.

2) Click on "New Edge"; a new dialogue box will open up.

3) Provision the new Edge - Branch-VCE-01, Under the new dialogue

titled "Provision New Edge": Type in Name "Branch-VCE-01";
Model "Virtual Edge";
Profile "QuickStartProfile“

4) Click on "Create"
5) Create Site will generate an unique Activation Key. End user will see a
statement "The edge has been provisioned with activation key xxxx-xxxx-xxxx-
xxxx".
6) End user will also notice that the edge status is Pending.

This activation key will be unique per edge, per customer. 

Make sure to note down this activation key since this value would be needed later
for copy paste.
You can copy the activation key to the notepad.
DEPLOY OVF TEMPLATE FOR VIRTUAL SD-WAN EDGE
 Kindly follow the steps in Video
1) All the VMware SD-WAN Components are running  Release 3.2.2 GA

2) SD-WAN components (VCO,VCG and VCE) are running on their own network. Each
component has their own subnet (for ex: Orchestrator is on 30.30.30.x, Gateway is
40.40.40.x)

3) Routing between subnets is handled by router: in this lab it is lnx-router VM. VCO, VCG
and VCE default gateway points to lnx-router VM. For example: VCO gateway IP address
30.30.30.1 is configured on lnx-router VM.

4) Additional role for the lnx-router VM is assigning DHCP based IP addresses to the Edge
device WAN interfaces.
5) All the SD-WAN components are also configured with Management IP address for SSH
Access (out of band management). Management subnet is 192.168.110.x/24.
VMWare SD-WAN Edge Details (VCE):
VCE (Edge devices) has 2 interfaces: LAN Side and WAN Side. WAN Side
interfaces are
DHCP-based and lnx-router is providing the IP addresses.
• vAPP Name = VM-Network-Velo-BR1-VCE-LAN  GE1,GE2
• Subnet= 192.168.6.x/24, Gateway = 192.168.6.1
Branch Edge device has 2 WAN interfaces, WAN-1 and WAN-2
• VCE WAN-1 vAPP Name= VM-Network-Velo-BR1-VCE-WAN-1  GE3
• VCE WAN-2 vAPP Name= VM-Network-Velo-BR1-VCE-WAN-2  GE4
For this lab task, end user will select:
◦ GE1 = LAN Interface=VM Network-Velo-BR1-VCE-LAN
◦ GE3 = VM Network-Velo-BR1-WAN-1
◦ GE2 = LAN Interface=VM Network-Velo-BR1-VCE-LAN
◦ GE4 = VM Network-Velo-BR1-WAN-2
 Profiles
Profiles provide a composite of the configurations created
in Networks and Network Services. It also adds
configuration for Business Policy and Firewall rules.

Profiles have four tab pages: Profile

Overview, Device, Business Policy, and Firewall.
 Create a New Profile
The following steps are typically followed when creating a new Profile:
❑ Create a new Profile
❑ Configure Device
○ Select Network
○ Assign Authentication/DNS
○ Configure Interface Settings
❑ Enable Cloud VPN
❑ Configure Business Policy
❑ Configure Firewall
❑ Review Profile Overview
o Create a New Profile:

1.Go to Configure ->Profiles, and click the New Profile button (see image

below).

2.In the New Profile dialog, enter a Profile Name and Description in the

appropriate textboxes.
3.Click the Create button.
Profile Overview Screen 
 Configure Device
Device configuration allows you to assign segments to a Profile and configure
Interfaces to be associated with a Profile.

For segment aware profiles, there are two sections on the UI:

Segment-aware configurations (Configure Segments area of

the Device tab screen): customers can choose the segment from the drop-down
menu, select the segment, and then the configuration for that segment will display
in the Configure Segments area.

Common configurations (the lower part of the Device tab screen): features

and configurations that apply to multiple segments, which include VLAN configs,
Device Settings, Wifi and Multi-source QoS.
Segment-aware Configurations:

❑ Authentication Settings
❑ DNS Settings
❑ Netflow Settings
❑ Voice Quality Monitoring
❑ Cloud VPN
❑ OSPF Areas
❑ BGP Settings
❑ Multicast Settings
❑ Cloud Security Service
❑ Gateway Handoff Assignment
❑ Controller Assignment
❑ Visibility Mode
Common Configurations:

❑ Configure VLAN
❑ Configure Device Settings
❑ Configure Wi-Fi Radio Settings
❑ Configure Multi-Source QoS
❑ Configure SNMP Settings
❑ Configure NTP Servers
 Assign Segments in Profile
After creating a Profile, you can Select Profile Segments by clicking
the Change button as shown in the image above (Configure
Segments window).
Clicking the Change button opens the Select Segments dialog (see figure
below). In this dialog box, you can select the Segments that you want to include
in your profile.

Segments with a lock symbol next to them indicate that the Segment is in use
within a profile, and it cannot be removed. Segments available for use will be
displayed on the left side of the dialog titled, “All Segments.”
After you have selected a Segment, you can configure your Segment through
the Configure Segmentdrop-down menu.

All Segments available for configuration are listed in the Configure

Segment drop-down menu. If a Segment is assigned to a VLAN or interface, it will
display the VLAN ID and the Edge models associated with it.

When you choose a Segment to configure from the Configure Segment drop-

down, depending upon the Segment’s options, the settings associated that Segment
display in the Configure Segments area.
 Configure Cloud VPN
If a Network with a non-overlapping address is assigned to a Profile, it is assumed
for a VPN configuration and the Cloud VPN section will be available.

NOTE: Cloud VPN should be configured per Segment.

When Cloud VPN on the Profile Device tab is enabled, you can configure three
different Cloud VPN types:

Branch to Non-VeloCloud Site VPN

Branch to VeloCloud Hubs VPN
Branch to Branch VPN
 Configure Branch to Non-VeloCloud Site VPNs
You can configure Branch to Non-VeloCloud Sites by selecting
the Enable checkbox (see the highlighted area in the screen capture below).

 You can also choose one or more Non-VeloCloud Sitesby selecting

the Enable check box, and then selecting Non-VeloCloud Site from the drop-
down list. You can click the '+' button to add additional Non-VeloCloud Sites.
NOTE:The Branch to Non-VeloCloud Site VPN should not be enabled until
after the gateway for the Enterprise Data Center is configured by the Enterprise
Data Center Administrator and the Data Center VPN Tunnel is enabled.
Configure Branch to VeloCloud Hubs VPN

Configure Branch to Branch VPN

Using a VeloCloud Gateway: In this option, the closest gateway is

used to establish VPN connections between Edges. The VeloCloud
Gateway may have traffic from other users.
Using a VeloCloud Hub: In this option, one or more Edges are selected
to act as hubs that can establish VPN connections between branches. The
hub will be your asset and will only have your corporate data on it,
improving overall security.
 Rest of the Configurations 01

Configure Authentication Settings

DNS Settings
Netflow Settings
Rest of the Configurations 02 : Multicast
 Configure Multicast Settings
Multicast provides an efficient way to send data to an interested set of receivers to only one
copy of data from the source, by letting the intermediate multicast-routers in the network
replicate packets to reach multiple receivers based on a group subscription.
Multicast clients (aka receivers) use the Internet Group Management Protocol (IGMP) to
propagate membership information from hosts to Multicast enabled routers and PIM to
propagate group membership information to Multicast servers via Multicast routers.
Multicast support includes:

n Multicast support on both overlay and underlay

n Protocol-Independent Multicast - Sparse Mode (PIM-SM) on VCE
n Internet Group Management Protocol (IGMP) version 2 on VCE
n Static Rendezvous Point (RP) configuration, where RP is enabled on a 3rd party router.

Configure Multicast Globally

There are two steps to enable and configure Multicast (globally and at the interface level), in which
both can be overridden at the Edge Level. The steps below provide instructions on how to enable the
Multicast globally.
To configure Multicast globally:
1 From Configure > Profile > Devices, go to the Multicast Settings area.
2 If the Multicast Settings button is in the Off position, click the Off button to turn On Multicast
Settings. The RP Selection is set to Static by default.
Rest of the Configurations 03 : VLAN and others