
HOL-2140-01-NET

Table of Contents

Lab Guidance - HOL-2140-01-NET - VMware SD-WAN - Getting Started (p. 3)
  Lab Guidance (p. 4)
VMware SD-WAN Overview - Introduction to VMware SD-WAN and Initial Configuration Tasks (15 Minutes) (p. 9)
  Introduction (p. 10)
  Overview of SD-WAN (p. 11)
  VMware SD-WAN: Key Components and Architecture (p. 14)
  Conclusion (p. 20)
Module 1 - Understanding and Configuring User Accounts (15 Minutes) (p. 21)
  Introduction (p. 22)
  Understanding and Configuring User Accounts: User Access (p. 23)
  Conclusion (p. 36)
Module 2 - Branch Activation using ZTP (15 Minutes) (p. 37)
  Introduction (p. 38)
  VMware SD-WAN Lab Topology (p. 39)
  Zero Touch Provisioning (p. 41)
  Chicago Site Verification and LAN Configuration (p. 56)
  Conclusion (p. 66)
Module 3 - Overlay (Auto and User Defined) (15 Minutes) (p. 67)
  Introduction (p. 68)
  Terminology for Auto and User Defined Overlay (p. 69)
  Overlay and Underlay Configuration (p. 70)
  Conclusion (p. 82)
Module 4 - Configuring Profile (15 Minutes) (p. 83)
  Introduction (p. 84)
  Profile Creation, Assignment and Restriction (p. 85)
  Conclusion (p. 95)
Module 5 - Business Policy Framework (15 Minutes) (p. 96)
  Introduction (p. 97)
  Business Policy Framework (p. 98)
  Conclusion (p. 111)
Module 6 - Cloud VPN (45 Minutes) (p. 112)
  Introduction (p. 113)
  Cloud VPN Configuration (p. 116)
  Conclusion (p. 138)
Module 7 - Influencing Application Behavior (DMPO) (30 Minutes) (p. 139)
  Introduction (p. 140)
  Application Performance (DMPO) (p. 141)
  Conclusion (p. 153)
Module 8 - Secure Web Gateway (15 Minutes) (p. 154)
  Introduction (p. 155)
  Secure Web Gateway (p. 157)
  Conclusion (p. 171)


Lab Guidance - HOL-2140-01-NET - VMware SD-WAN - Getting Started

Lab Guidance
Note: It may take close to 3 hours to complete this lab. Many modules
are dependent on each other with a note explaining dependencies at the
start of each module. Modules 1, 5 and 8 are independent and more
conceptual. You can use the Table of Contents to access any module of
your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Explore VMware SD-WAN including the key components and architecture. Review
options for troubleshooting and diagnostics.

Lab Module List:

• VMware SD-WAN Overview (15 Minutes)
• Module 1 - Understanding and Configuring User Accounts (15 Minutes) (Basic Level) (Optional Lab)
• Module 2 - Branch Activation (ZTP) (15 Minutes) (Basic Level)
• Module 3 - Overlay (Auto and User Defined) (15 Minutes) (Intermediate Level)
• Module 4 - Configuring Profiles (15 Minutes) (Intermediate Level)
• Module 5 - Business Policy Framework (15 Minutes, Basic Level)
• Module 6 - Cloud VPN (45 Minutes, Advanced Level)
• Module 7 - Influencing Application Behaviour (DMPO) (30 Minutes, Intermediate Level)
• Module 8 - Secure Web Gateway (15 Minutes, Intermediate Level, Optional)

Lab Captains:

• Frank Synder, Senior Cloud Solution Engineer, USA
• Ferdinand Sales, Senior Technical Product Manager, USA
• Rohan Naggi, Senior Technical Product Manager, USA

This lab manual can be downloaded from the Hands-on Labs Document site found
here:

http://docs.hol.vmware.com

This lab may be available in other languages. To set your language preference
and have a localized manual deployed with your lab, you may utilize this
document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


Optional Lab Module:

Lab modules labeled as Optional can be skipped if you are running out of time.

Some lab modules cannot be executed or validated because of environment restrictions; for those, the documentation provides pointers to the workflow modules. Module 5 (Business Policy Framework) and Module 8 (Secure Web Gateway) fall into this category.

Disclaimer: For over a decade, we have collaborated with Intel® to deliver
innovative solutions that enable IT to continually transform their data centers.
We have incorporated Intel® product and technology information within this
lab to help users understand the benefits of how both hardware and software
technology matter when trying to deploy in VMware’s ecosystem. We believe
that this collaboration will have tremendous benefits for our customers.

Location of the Main Console

1. The area in the RED box contains the Main Console. The Lab Manual is on the tab
to the Right of the Main Console.
2. A particular lab may have additional consoles found on separate tabs in the upper
left. You will be directed to open another specific console if needed.


3. Your lab starts with 90 minutes on the timer. The lab cannot be saved, so all your
work must be done during the lab session, but you can click EXTEND to increase your
time. If you are at a VMware event, you can extend your lab time twice, for up to 30
minutes; each click gives you an additional 15 minutes. Outside of VMware events, you
can extend your lab time up to 9 hours and 30 minutes; each click gives you an
additional hour.

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it
in, there are two very helpful methods of entering data which make it easier to enter
complex data.

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly
from the Lab Manual into the active window in the Main Console.

Accessing the Online International Keyboard

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

Click once in active console window

In this example, you will use the Online Keyboard to enter the "@" sign used in email
addresses. The "@" sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.
2. Click on the Shift key.

Click on the @ key

1. Click on the "@" key.

Notice the @ sign entered in the active console window.


Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicating
that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and
run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the
labs out of multiple datacenters. However, these datacenters may not have identical
processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft
licensing requirements. The lab that you are using is a self-contained pod and does not
have full access to the Internet, which is required for Windows to verify the activation.
Without full access to the Internet, this automated process fails and you see this
watermark.

This cosmetic issue has no effect on your lab.

Look at the lower right portion of the screen

Please check that your lab has finished all the startup routines and is ready for you
to start. If you see anything other than "Ready", please wait a few minutes. Note that
the date and time shown will be those of the day you take the lab.

If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

VMware SD-WAN Overview - Introduction to VMware SD-WAN and Initial Configuration Tasks (15 Minutes)

Introduction
In this module, we will talk about VMware Software-Defined WAN and describe
what it is as well as its associated features. We will dive into the architecture,
components, and core features.

Overview of SD-WAN
SD-WAN offers compelling advantages for distributed organizations with critical branch
operations, including the benefits of business agility, improved application performance,
and lower cost of bandwidth. In this module, we will try to highlight those advantages
and how enterprises can benefit from them.

Defining Software-Defined WAN

SD-WAN uses software and cloud-based technologies to simplify delivery of WAN
services to branch offices. Software-based virtualization enables network
abstraction that results in simplification of network operations. SD-WAN enables IT
and business managers to deploy Internet-based connectivity (with its benefits of
ubiquity, high bandwidth and low cost) easily, quickly and with quality, reliability
and security.

SD-WAN Benefits

SD-WAN provides a wide range of benefits for distributed organizations, including:

1. Business agility. Rapid deployment of WAN services (such as bandwidth
and firewall) to distributed branch operations without the need to send IT
personnel on-site. Bandwidth can be easily added (with additional circuits)
or reduced as business requirements evolve.
2. Internet economics. Internet connectivity (including cable, DSL and
Ethernet) is widely available, quick to deploy, and a fraction of the cost of
equivalent MPLS circuits. SD-WAN provides the benefits of reliable, secure
WAN service at Internet price points.
3. Optimized cloud architecture. SD-WAN eliminates the backhaul
penalties of traditional MPLS networks and leverages the Internet to provide
secure, high-performance connections from the branch to cloud. With
SD-WAN, remote users will see significant improvements in their experience
when using cloud/SaaS-based applications.

SD-WAN Considerations

If you're an IT or business manager, consider the following criteria when
evaluating SD-WAN deployments:

1. Ease of adoption and management. A key benefit of SD-WAN is that it
makes deploying WAN services at the branch fast and simple. SD-WAN
solutions must be straightforward to deploy, and they leverage centralized
provisioning to eliminate the need for trained personnel to visit remote
sites.
2. Ability to migrate to hybrid WAN. The majority of distributed
organizations already have MPLS deployed to the branch offices.
Organizations should be able to seamlessly deploy SD-WAN solutions
(Internet circuits) without changing the existing MPLS network. Those
organizations can, over time, migrate traffic growth toward cost-effective
Internet bandwidth.
3. Automation – traffic steering. SD-WAN gives organizations the ability to
prioritize traffic. The key is providing managers with easy-to-use tools for
setting priorities and with features that automatically change traffic flows
according to current network conditions.

SD-WAN Features

In a nutshell, SD-WAN:

• Virtualizes the network: SD-WAN as a network overlay enables
application traffic to be carried independently of the underlying physical
or transport layer, offering a transport-independent overlay. Multiple
links, even from different service providers, constitute a unified pool of
resources, often referred to as a virtual WAN.
• Enables a secure overlay: SD-WAN provides a secure overlay that is
independent of the underlying transport components. SD-WAN devices
are authenticated before they participate in the overlay.
• Simplifies services delivery: SD-WAN programmability does not just
cover connectivity policy; it also extends to the insertion of network
services, whether on the branch customer premise equipment (CPE), in
the cloud or in regional and enterprise data centers.
• Provides interoperability: SD-WAN provides the ability to
incrementally add resources and interoperate with existing devices and
circuits. This capability follows directly from the separation and
abstraction of the control plane from the data plane.
• Leverages cost-effective hardware: SD-WAN improves cost
effectiveness and flexibility by leveraging commercially available
hardware and network appliances or servers. The separation of the
control plane from the data plane enables the use of standard hardware
for the data plane.
• Supports automation with a business policy framework: SD-WAN
enables the abstraction of configuration into business-level policy
definitions that span multiple data plane components and remain
stable over time, even as the network changes. The control plane
provides the programming flexibility and centralization over a diverse
and distributed data plane. Enterprises can expect application
awareness and smart defaults to provide further abstraction from the
detailed transport-level details. Policy definitions can refer to users and
groups, the applications they should use, and what level of service they
should receive.
• Monitors usage and performance: SD-WAN provides consolidated
monitoring and visibility across the variety of physical transports and
service providers, as well as across all remote sites. This monitoring
capability offers business-level visibility, such as application usage and
network resource utilization. SD-WAN adds detailed performance
monitoring across all components of the data plane.
• Supports interoperable and open networking: SD-WAN further
improves agility, cost effectiveness and incremental migration via its
approach of open networking, interoperability, and evolving standards.
• Enables managed services: Many enterprises, even the largest,
outsource the management of their branch networks and WAN to either
managed IT providers or to their network service providers. Additionally,
some cloud application providers, such as Unified Communications as a
Service (UCaaS) providers, provision and manage the circuits needed for
accessing their applications.

More information on the above topics will be discussed in the coming
modules. You can also refer to the white papers and reports section on the
VeloCloud website.

More information on the above topics will be discussed later in the coming
modules. You can also refer to the white-papers and reports section on the
VeloCloud website.

What SD-WAN is not

SD-WAN is a comprehensive solution comprised of many components. It does
not include traditional WAN optimization.

• It is not just multi-link WAN bonding with path control.
• It is not just a last-mile solution with a cloud gateway providing
caching and acceleration techniques to applications.
• It is not multilayer integration of packet and optical networks in a telco
backbone.
• It is not private, dark-fiber networking that avoids telco services.


VMware SD-WAN: Key Components and Architecture

In this lesson, we will introduce the VMware SD-WAN solution in more detail and
discuss the value, components and architecture of the solution. Adopting VMware
SD-WAN:

• Accelerates cloud application adoption (O365, SFDC, AWS, etc.) with flexible
traffic policies
• Costs a fraction of an MPLS network
• Is transport independent, whether private, public or even LTE
• Improves your real-time voice and video applications
• Gives you full management and visibility of your entire WAN
• Simplifies branch deployment with zero-touch provisioning
• Provides link remediation and correction
• Is multi-tier and multi-tenant

VMware SD-WAN is the only SD-WAN solution supporting data plane services in
the cloud, in addition to on-premise deployments; enabling policy-based access to
cloud and data center applications. SD-WAN leverages the economics of the cloud
to offer a SaaS like subscription price model to ease adoption and pay as you
grow.


The 2nd Generation Intel® Xeon® Scalable processor data-centric platform
incorporates advanced compute cores, a new memory hierarchy, connectivity,
and acceleration designed to provide high performance and infrastructure
efficiency across a wide range of network-intensive workloads. Intel claims the
new processor platform delivers up to 1.58X performance improvement over
the previous generation of Intel® Xeon® Scalable processors for network
workloads. Intel also notes that the platform supports up to twice the number of
subscribers for virtualized SD-WAN services, and up to five times more
virtual network function (VNF) capacity when complemented with Intel QuickAssist
Technology and the Intel Ethernet 800 Series Ethernet controllers.


VMware SD-WAN solution is a logical overlay network:

• That can encompass any WAN transport, whether private, public, even LTE
• Independent of any service provider
• Between any two SD-WAN nodes
• These nodes are deployed at branches and datacenters in what we call SD-WAN
Edges
• These can be appliances or virtual software appliances running on any x86 server
• This overlay is also extended to any cloud POP or datacenter with the cloud
Gateways
• These are multi-tenant virtual appliances

The first benefit is SIMPLIFYING the management of WAN's (Wide Area Networking)
especially as IT wants the flexibility to use multiple circuits all while simplifying
configuration and ongoing management. This starts with deployment also known as
zero-touch branch deployments.

The second unique benefit of our approach is to assure the performance of critical
applications:

• Over any transport, including the Internet
• How does this help? VMware SD-WAN can fully leverage economical bandwidth
for significant cost reductions

Finally, we support the migration of apps to the cloud:

• With the industry's unique cloud gateway architecture, the VMware SD-WAN
solution provides all the same performance, simplification and security benefits
to the doorstep of cloud applications

Architecture Overview

VMware SD-WAN is a comprehensive platform for Enterprises and Service Providers.


Enterprise Deployment

In an Enterprise deployment model, branch Edges create overlay tunnels to Gateway
and Hub devices. Gateways are assigned automatically based on the Edge's location.
Simplified and secure VPN tunnels are established from branch to Gateway and from
branch to Hub. Dynamic branch-to-branch tunnels are also supported; these are not
persistent and are built on demand based on traffic requirements.


Service Provider Deployment

VMware SD-WAN supports tight integration with Service Provider network topologies.
Gateways are usually found in Service Provider MPLS networks supporting multi tenancy.
From a software functionality standpoint, nothing is lost between an Enterprise vs
Service Provider deployment; but VMware SD-WAN provides a flexibility for potential
customers to decide how they would like to deploy their SD-WAN solution.

Component Overview


The VMware SD-WAN solution has three main components:

VMware SD-WAN Edge (VCE) - Edges are the appliances that sit in the data plane and
do the work of sending and receiving packets over the WAN. Edges are available as
physical appliances in multiple models sized by bandwidth and throughput, or as
virtual appliances for VMware environments (OVA provided) or KVM (QCOW2 provided).
Customers who want to deploy a virtual Edge in the cloud can find it in the
marketplaces of popular cloud providers such as AWS, Microsoft Azure, Google GCP and
AliCloud.

VMware SD-WAN Orchestrator (VCO) - The Orchestrator provides the single-pane-of-glass
UI for the enterprise SD-WAN. It can be hosted by VMware or by a Service Provider; SP
hosting is possible because the Orchestrator is multi-tenant. In either case the
customer does not have to worry about the life-cycle management of the Orchestrator.
Simplicity was taken seriously in its design: there is no CLI exposed. The Orchestrator
provides the capabilities to configure, monitor and troubleshoot, all from a single
place, and its northbound REST API can be leveraged to integrate with existing OSS/BSS.
Customers who want to deploy the Orchestrator on-premises can do so as well.

VMware SD-WAN Gateway (VCG) - This component is a unique differentiator of the
VMware SD-WAN solution. Like the Orchestrator, Gateways can be hosted and managed by
VMware or by Service Providers, and they are multi-tenant. Gateways provide the
control-plane functionality, which includes passing route information between all the
sites, dynamically learning the WAN bandwidth of each site, and much more. Gateways can
also carry traffic and provide data-plane functionality. Because Gateways are located
near SaaS locations around the world, they provide an on-ramp to cloud-based
applications. Like the Orchestrator, Gateways can also be deployed by customers
on-premises.

Core Features

There are seven core features that are central to the VMware SD-WAN platform.

Core Feature #1: Zero-Touch Deployment

VMware SD-WAN Edge appliances automatically authenticate, connect, and receive
configuration instructions once they are connected to the Internet in a zero-touch
deployment. Highly available deployments are delivered with the VMware SD-WAN Edge
redundancy protocol. Integration with the existing network is supported through the
OSPF routing protocol, with dynamic learning and automation.


Core Feature #2: Dynamic Path Selection

VMware SD-WAN Dynamic Multipath Optimization (DMPO) provides deep application
recognition, automatic link monitoring, auto-detection of provider and auto-
configuration of link characteristics, routing and QoS settings.

Core Feature #3: Link Steering and Remediation

On-demand, per-packet link steering is performed automatically based on the measured
performance metrics, intelligent application learning, business priority of the
application, and link cost. It delivers sub-second blackout and brownout protection to
improve application availability, and remediates link degradation through forward
error correction, jitter buffering and synthetic packet production.
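The steering decision described above, combined with the business-level policy definitions from the SD-WAN Features section, as an added illustration that is not VMware's DMPO code: a per-packet selector that classifies each link as ok, brownout or blackout against the application's SLA, prefers the best-performing or the cheapest in-SLA link depending on business priority, and falls back to a brownout link (flagged for remediation) only when nothing meets the SLA. The links, applications and thresholds are constructed for the example.

```python
"""Illustrative per-packet link steering driven by a business policy.

Added example, not VMware's DMPO code: it models only the decision inputs
the text names (measured latency, jitter and loss per link, application
business priority and link cost) and the distinction between a blackout
(link down) and a brownout (link up but outside the application's SLA).
All links, applications and thresholds below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LinkStats:
    """Latest measured characteristics of one WAN link."""
    name: str
    cost: float           # relative cost per GB; lower is cheaper
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True       # False models a blackout


@dataclass(frozen=True)
class BusinessPolicy:
    """SLA an application needs, expressed in business terms, not link terms."""
    priority: str          # "high", "normal" or "low"
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    prefer_cheapest: bool  # bulk traffic may ride the cheapest link that meets the SLA


@dataclass(frozen=True)
class Decision:
    link: str
    action: str  # "steer": link within SLA; "remediate": brownout link, FEC/jitter buffer needed


# Constructed policies keyed by recognised application; unknown apps get the default.
POLICIES: Dict[str, BusinessPolicy] = {
    "voip": BusinessPolicy("high", 150.0, 30.0, 1.0, prefer_cheapest=False),
    "backup": BusinessPolicy("low", 500.0, 100.0, 5.0, prefer_cheapest=True),
}
DEFAULT_POLICY = BusinessPolicy("normal", 250.0, 50.0, 2.0, prefer_cheapest=True)


def link_state(link: LinkStats, policy: BusinessPolicy) -> str:
    """Classify a link for one policy: 'blackout', 'brownout' or 'ok'."""
    if not link.up:
        return "blackout"
    if (link.latency_ms > policy.max_latency_ms
            or link.jitter_ms > policy.max_jitter_ms
            or link.loss_pct > policy.max_loss_pct):
        return "brownout"
    return "ok"


def select_link(links: List[LinkStats], app: str) -> Optional[Decision]:
    """Pick the link for the next packet of `app`; called per packet, so a
    changed measurement or a link failure changes the answer immediately.

    Links within SLA win. Among them, cost-sensitive policies take the
    cheapest link and performance-sensitive ones the lowest latency+jitter.
    If no link meets the SLA, the least-lossy link that is still up carries
    the packet with remediation. None only when every link is down.
    """
    policy = POLICIES.get(app, DEFAULT_POLICY)
    ok = [l for l in links if link_state(l, policy) == "ok"]
    if ok:
        if policy.prefer_cheapest:
            best = min(ok, key=lambda l: (l.cost, l.latency_ms))
        else:
            best = min(ok, key=lambda l: (l.latency_ms + l.jitter_ms, l.cost))
        return Decision(best.name, "steer")
    degraded = [l for l in links if l.up]
    if not degraded:
        return None
    best = min(degraded, key=lambda l: (l.loss_pct, l.latency_ms))
    return Decision(best.name, "remediate")


def sample_links() -> List[LinkStats]:
    """Constructed measurements for a three-link branch (MPLS, Internet, LTE)."""
    return [
        LinkStats("mpls", cost=10.0, latency_ms=20.0, jitter_ms=2.0, loss_pct=0.0),
        LinkStats("internet", cost=1.0, latency_ms=35.0, jitter_ms=8.0, loss_pct=0.1),
        LinkStats("lte", cost=20.0, latency_ms=60.0, jitter_ms=20.0, loss_pct=1.0),
    ]


if __name__ == "__main__":
    links = sample_links()
    print("voip   ->", select_link(links, "voip"))     # mpls, steer
    print("backup ->", select_link(links, "backup"))   # internet (cheapest in SLA), steer
    links[0].up = False                                 # MPLS blackout
    print("voip after MPLS blackout  ->", select_link(links, "voip"))   # internet, steer
    links[1].loss_pct = 3.0                             # Internet brownout for voice
    print("voip after Internet brownout ->", select_link(links, "voip"))  # lte, steer
```

The point a practitioner should take from this is the order of evaluation: SLA first, then business priority and cost, and only then the degraded-link fallback; a selector that ranks on cost before SLA would happily put voice on a lossy link because it is cheap.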

Core Feature #4: Cloud VPN

One-click site-to-site Cloud VPN is a VPNC-compliant IPsec VPN that connects VMware
SD-WAN and non-VMware SD-WAN sites while delivering real-time status and health of
VPN sites. It establishes dynamic edge-to-edge communication for all types of
branches based on service level objectives and application performance, and delivers
secure connectivity across all branches with scalable PKI-based key management. New
branches join the VPN network automatically with access to all resources in other
branches, enterprise datacenters, and 3rd-party datacenters, like Amazon AWS.

Core Feature #5: Multi-Tenancy

All the VMware SD-WAN components, Orchestrator and Gateways, are multi-tenant in
nature. This allows for complete separation of operations, and separation of lines
of business for an organization leveraging SD-WAN.

Core Feature #6: Segmentation

Segmentation is essential for isolating different types of traffic while maintaining
specific business policies, such as segmenting PCI traffic from corporate traffic and
guest Internet traffic. Customers can create separate and unique topologies and
rules for each segment, and the segments are carried across the entire network
seamlessly.

Core Feature #7: Virtual Network Function

Support virtual network function services to run on VMware SD-WAN Edge hardware,
VMware SD-WAN Gateway, in the cloud of the service provider, or at the specific
enterprise regional hub with service chaining support.


Conclusion
This concludes our first chapter on the Overview of SD-WAN. In this
module, you learned about SD-WAN and the business benefits it can help
provide your company. In the next modules, we will focus more on
VMware SD-WAN .

You've finished VMware SD-WAN overview

Congratulations on completing the SD-WAN Overview

If you are looking for additional information on VMware SD-WAN, go to
https://tinyurl.com/yd7q2xs7

Below are the lab modules for VMware SD-WAN.

• VMware SD-WAN Overview (15 Minutes)
• Module 1 - Understanding and Configuring User Accounts (15 Minutes) (Basic Level) (Optional Lab)
• Module 2 - Branch Activation (ZTP) (15 Minutes) (Basic Level)
• Module 3 - Overlay (Auto and User Defined) (15 Minutes) (Intermediate Level)
• Module 4 - Configuring Profiles (15 Minutes) (Intermediate Level)
• Module 5 - Business Policy Framework (15 Minutes, Basic Level)
• Module 6 - Cloud VPN (45 Minutes, Advanced Level)
• Module 7 - Influencing Application Behaviour (DMPO) (30 Minutes, Intermediate Level)
• Module 8 - Secure Web Gateway (15 Minutes, Intermediate Level, Optional)
• Module 9 - VMware SD-WAN Product and Features Tour (15 Minutes, Optional)

How to End Lab

To end your lab click on the END button.

Module 1 - Understanding and Configuring User Accounts (15 Minutes)

Introduction
VMware SD-WAN Orchestrator Access

The VMware SD-WAN Orchestrator gives a unified view to manage and monitor customers.
User accounts give access to the Orchestrator for managing, monitoring and
troubleshooting tasks, and what a user can see and do depends on the user type and
role. At a high level there are two types of user accounts: the Operator administrator,
with Superuser-level access, and the Standard administrator.

The Superuser administrator has access to all the customers hosted on the
Orchestrator and can create, configure and modify other user accounts, operator
profiles and more.

The Standard administrator has access to a single tenant (customer). The
Enterprise/Standard Administrators page displays the existing admin users. Standard
Administrator Superusers and Standard Administrators can create new admin users with
different role privileges and configure API tokens for each admin user. The
Administration option in the Enterprise portal allows you to configure the System
settings and Authentication information, create Admin users, and manage Edge licenses.


Understanding and Configuring User Accounts: User Access
Objective: Create and configure standard Enterprise administrator accounts to access
the VMware SD-WAN Orchestrator.

You will learn to differentiate the different types of VCO (Orchestrator) accounts.
This exercise is very helpful when running a PoC (Proof of Concept) at a customer
site: the end user logs on with these Read-Only and Read-Write accounts and verifies
which VCO objects (Monitoring, Configuration, Troubleshooting) each can access.

In this lab, the end user will perform the following three tasks:

Task 1: Create and Configure Read-Only Account

Task 2: Create and Configure Read-Write Account

Task 3: Create and Configure Customer Support Account

Task 1: Create and Configure Read-Only Account

Summary Steps:

1. Create an account of the Read-Only type.
2. Verify by logging in as the new account and checking what it can access.

Expected result with the READ-ONLY account: the end user will not be able to access
the Configure and Troubleshooting UI.


Open Chrome

From your lab pod, access the chrome browser

VMware SD-WAN Orchestrator

Login to the Orchestrator using the Standard Enterprise account:

• Username: [email protected]
• Password: VMware1!

Administration

In the navigator pane on the left, click Administration > Administrator > New
Admin

New Admin

1. Username: [email protected]
2. Password: VMware1!
3. Account Role: Enterprise Read Only
4. First Name: admin-ro
5. Create


Save Changes

Click the Save Changes button.

Sign Out

To verify, sign out and log in as the new account.

Login

Log in as [email protected]


Expected Result

1. In the navigator pane on the left, click Administration > Administrator
2. Click on New Admin

Expected result: With the Read-Only account, the standard admin [email protected]
will be able to monitor the sites but will not be allowed to make any configuration changes.
With the Read-Only account type, the end user will not be able to access the Configure and
Troubleshooting UI.

Sign Out

To prepare for Task 2, sign out as [email protected].

Task 2: Create and Configure Read-Write Account

Summary Steps:

1. Create an account of a specific type, in this case Read-Write.
2. Verify by logging in as the new account and checking the access details.

Expected result with the READ-WRITE account: The end user with the new Standard
Admin (Read-Write) account should be able to Monitor and Configure objects
from the VCO.

Login to the Orchestrator using the Standard Enterprise account:

• Username: [email protected]
• Password: VMware1!

Administration

1. In the navigator pane on the left, click Administration > Administrator
2. Click on New Admin

New Admin

1. Username: [email protected]
2. Password: VMware1!
3. Account Role: Standard Admin
4. First Name: admin-rw
5. Create

Save Changes

Save Changes for the [email protected] account configuration


Sign Out

To verify, sign out and log in as the new account.

Log in

Log in as [email protected], with the password VMware1!


Expected Result

Expected result: With the Read-Write Standard Administrator account, the standard
admin [email protected] will be able to perform Monitor, Configure and Troubleshooting
tasks from the VMware SD-WAN Orchestrator.

Sign Out

To prepare for Task 3, sign out as [email protected].


Task 3: Create and Configure Customer Support Account

Summary Steps:

1. Create an account of a specific type, in this case Customer Support.
2. Verify by logging in as the new account and checking the access details.

Expected result with the Customer Support account: The end user with the
Customer Support account can view but not manage objects from the
VCO.

Login to the Orchestrator using the Standard Enterprise account:

• Username: [email protected]
• Password: VMware1!

Administration

1. In the navigator pane on the left, click Administration > Administrator
2. Click on New Admin

New Admin

1. Username: [email protected]
2. Password: VMware1!
3. Account Role: Customer Support
4. First Name: admin-cs
5. Create

Save Changes

Save Changes for the admin-cs account


Sign Out

To verify, sign out and log in as the new account.

Log in

Log in as [email protected], with the password VMware1!

Expected Result

From the VMware SD-WAN Orchestrator, click on the Configure tab. The end user
should not be able to change any configuration.

Expected result: With the Customer Support account, [email protected] will be
able to monitor, troubleshoot and only view the configuration from the VMware SD-WAN
Orchestrator.

After the task is verified, sign out and log back in as [email protected]


Conclusion
In this module we have successfully configured and understood the
different user accounts.

The end user will be clearly able to differentiate between account types like
Read Only, Standard Admin and Customer Support, and will be
able to apply the knowledge in the field.

You've finished Module 1!

Congratulations on completing Module 1!

If you are looking for additional information on VMware SD-WAN by VeloCloud, try one of
these:

• Click on this link
• Or go to https://tinyurl.com/yd7q2xs7

Proceed to next lab module

• Module 2 - Branch Activation (ZTP) (15 minutes) (Basic)

Module 2 is a Mandatory task

How to End Lab

To end your lab click on the END button.


Module 2 - Branch Activation using ZTP (15 Minutes)


Introduction
VMware SD-WAN by VeloCloud™ enables quick and cost-effective deployment of
new branches, provides Enterprise-grade WAN by leveraging broadband and
private links, and offers a platform for Virtual Service delivery.

VMware SD-WAN Edge appliances automatically authenticate, connect, and
receive configuration instructions once they are connected to the Internet in a
zero-touch deployment. Deliver highly available deployment with the VMware SD-WAN
Edge redundancy protocol. Integrate with the existing network with support for the
OSPF routing protocol and benefit from dynamic learning and automation.

This is NOT an optional lab module. Upcoming labs such as Cloud VPN depend on it.
Do not skip this lab module: activate the Edge and configure the LAN side.


VMware SD-WAN Lab Topology

Below is a representation of the full topology you will use to complete this lab. Feel free
to come back here if you need a refresher on the topology.

The IPs that will be useful are the client IPs as well as the DC's client IP. The majority of
the verification is done using the Chicago client RDP session.

IPs which would be useful to jot down:

DC Client IP - 10.101.1.11

CHI Client - 10.24.1.11

LAX Client - 10.22.1.11

Zero Touch Provisioning

In this module we will be working on two main tasks:

1. Activation for a new Branch site.
2. Configuring the LAN side of the Edge device.

Activation for a new Branch site

Before starting the lab, let us understand the VMware SD-WAN Zero Touch
Provisioning feature.

The current lab focuses on the Pull Activation process. In this Pull Activation
model, the Edge device is shipped to the customer site with a factory-default
image. Prior to activation, the Edge contains no configuration or credentials to
connect to the enterprise network.

Two simple steps for the Activation of an Edge device: (A) Provisioning & (B)
Activation

Provisioning: On the Orchestrator, the Enterprise administrator (operator)
creates a new Edge in the customer account. At this time, an activation key is
generated which can be emailed to the person installing the device.

Activation: The person (remote admin) installing the device will receive both an
activation email as well as instructions to complete the installation. Part of these
instructions is to connect power and Internet links to the device. The installer next
connects to a temporary wireless network the Edge emits or connects to one of
the wired LAN ports and opens the activation email and clicks on the activation
link. At this time, the Edge will phone home to the Orchestrator and bind itself to
the correct enterprise and profile context. At this point the Edge downloads all
relevant policies, updates and settings and makes these effective.

By the end of the lab, the Virtual Edge device status on the Orchestrator will show as
Activated. All the WAN link information will get auto-populated with the activation
process.

In this lab exercise, a Virtual Edge is used for activation.

• The Orchestrator is hosted and managed by VMware SD-WAN. The end user will use the
VMware SD-WAN Orchestrator (VCO) for Provisioning the Branch Site
• An un-activated Edge device (Virtual Edge) is used for Activation
• The Edge device has two WAN Internet links, with DHCP-based IPs on the WAN side
• A client machine is used to access the local UI of the edge device

VeloCloud Orchestrator (VMware SD-WAN Orchestrator), also referred to as VCO
in the lab


Topology

The following information will be used to configure the virtual edge in the lab.

• Site name = CHI-VCE-01
• Profile = Default System Profile = Quick Start Profile
• Dual WAN links
• LAN IP address=10.24.1.x/24
• Chicago Branch site is with virtual edge device and a client machine
(Windows based)

With the successful activation, ISP name, IP address, interface and the
bandwidth for each of the WAN links will be auto discovered. This is done by
the Edge device running a WAN bandwidth test with the SD-WAN Gateway
component.

Provisioning and Activating a new Branch site

In this exercise, the end user will activate a Branch site. The Branch site has a Virtual Edge with
2 internet links connected. The internet links have DHCP-based WAN addresses. Once the
edge device is activated successfully, all the WAN information is auto-discovered and
pre-populated.


Read before you start

For this lab exercise, the Activation process requires access to an email client and
server. As we don't have access to email, the end user will copy the activation URL
from the Orchestrator and paste it into the Chrome browser on CHI-VCE-01's Windows
client.

The client machine is connected to the LAN side of the edge device.

Provisioning the Site

Provisioning the Site starts with logging on to the VMware SD-WAN Orchestrator as an
Enterprise administrator and creating the site.

1. Double click on the Chrome browser to access the Orchestrator (VCO)


Sign In

1. Ensure the credentials are: Username: [email protected]. The Password
should be auto-populated; if for any reason it is not, use "VMware1!"
2. Click "Sign In" to continue.

You are now logged in as the "Super User" for the Enterprise "Global Retail". As
a Super User, you are able to add and configure new edge devices.

Please Read:
For security reasons, the lab does not have access to the internet. There will be
no Map view displayed. It might show as Loading Map view. Ignore the screen
without the Map and continue with the lab exercise.

A screen shot with the Map view is provided for your reference.


Monitoring Interface

• The interface shows customer name "Global Retail, Inc" which is part of
Dynamic MSP; along with a total of 6 Sites with a geographical map and a list
view.
• Under Monitor-> Edges, you'll see a summary view for all the sites managed by
VCO.
• Details on each managed edge can be found here.
• Each site statistics can be accessed separately by clicking on the site name.

Configure

1. Click on Configure
2. Click on New Edge

Profiles provide a composite of the configurations created in Networks and
Network Services. It also adds configuration for Business Policy and Firewall
rules. Profiles have four tab pages: Profile Overview, Device, Business
Policy, and Firewall.

Provisioning a New Edge

For this step, the Enterprise administrator will create a new Branch Site and assign the
model and profile for the edge device.

1. Name=CHI-VCE-01
2. Model=Virtual Edge (from the drop down, select the Virtual Edge)
3. Profile=Quick Start Profile (from the drop down menu, select the profile)
4. Authentication: Certificate Disabled (from the drop down menu, select
authentication).
5. Click Set Location: For this lab exercise, manually enter the location
   1. Type: Chicago
   2. Click Search so it will populate the longitude and latitude
   3. Click OK
6. Click on Create

When searching for Chicago during this activation, it's possible that the
Latitude and Longitude may not populate, preventing activation from being
successful. This is due to the fact that the labs have limited Internet
connectivity for security purposes. If activation fails, please manually specify
the Latitude and Longitude. Latitude = 41.88, Longitude = -87.63

Provisioning

The site is created and the status for the site is "Pending".

An Activation Key is generated, and this Activation Key is sent to the remote user as a link in
the email.

The remote user (non-IT person) needs to have access to the Edge device (physical or
virtual).

1. Click on "Send Activation Email" to send the email to the remote administrator.


Sending Activation Email

1. Click Send.

The Remote admin, as part of the activation process, will power on the device and follow
the simple instructions specified in the email to activate the site. The activation URL
contains the VMware SD-WAN Orchestrator information as well as the unique UUID for
secure identification.

2. Since the email server is not set up in the lab environment, make sure you copy
the Activation URL.

Activate Site:

After provisioning the site, we need to activate the site. In this step, the Activation link is
sent over email to the remote admin who has access to the edge device.


In a real world scenario, the Enterprise administrator / Super User provisions the
site and emails the activation link to the remote user. The Edge device is drop
shipped to the remote location. As a next step, the remote admin connects a
laptop to the edge device using a wireless or wired connection and clicks on
the activation link provided in the email.

As the lab environment does not have access to an email server/client, our
workaround is to access the activation link from the client machine. The client
machine in this case is already connected to the Edge device and has access to the
VCO.

Minimize Chrome

For this lab, the windows client machine (Chicago Client machine) should be accessed
from the HOL main screen.

1. Minimize the Orchestrator browser window.


Open chi-client (RDP client)

1. Double click on the "Chi-client-rdp" icon from the HOL main window. This will
connect us to a client which is running behind the CHI-VCE-01 edge device. In the
real world, one would connect to the edge either using the edge's built-in WiFi
(from a smartphone, laptop or any other device) or by connecting a laptop directly
to the edge device with a physical LAN cable.

Chicago Client Windows Home Page

1. Click on the Google Chrome shortcut icon from the Chi-client Windows home
page.
2. Now, paste the activation URL which was copied in the last step as part of the "Send
Activation Email" step.

3. The activation URL will look different in your case, as the activation key is unique
per edge, but the Orchestrator IP would be 10.255.1.11
4. After pasting the activation link in the browser as shown below, press "Enter"

Use Paste and Go from the browser

Paste URL

Now, paste the activation URL which was copied in the last step as part of the "Send Activation
Email" step.

1. Right click and select Paste and go to...


Client Activation

The Local UI opens up in a new browser tab. All the information related to activation, like
Orchestrator IP Address and Activation key, gets auto-populated. The end user does not have to
type in all of this information.

As this is a lab environment, the Certificate Error should be ignored.

1. Click on Advanced
2. Click the Ignore checkbox for Certificate Error.
3. Click Activate

You will see activation getting started and a software update taking place. This happens
because the factory default version is different from the version the edge is expected
to run. Hence, during the activation, along with the configuration pull (using the
default Quick Start profile) from the Orchestrator, the edge will also perform any software
updates if required.

You might have to wait for approximately 60-120 seconds for the activation process to
complete. The time taken here is mainly for the software update.


Activation

Real World Tip: Make sure the "Internet Status" field shows connected. The Activation
process will fail if the internet status is not connected.

The Activation process starts. The Edge device calls home to the Orchestrator over the
internet link, identities (security tokens) are exchanged, and the activation process is
successful.


Return to Orchestrator

1. Minimize the "Chi-client" RDP screen.


We are accessing Orchestrator from the host machine.

Return to Orchestrator

1. Click the Close button.


Chicago Site Verification and LAN Configuration
The next step is to verify the status of the Chicago Site which was brought up as
part of Zero Touch Provisioning.

Verifying the Site Status

Expected Behavior: The single WAN link GE3 should show up as the WAN-1 link with IP
address 198.18.14.11

In a real world scenario, the ISP name will get auto discovered.

Chicago Site Link Status and WAN Details

1. Click on Monitor->Edges
2. Confirm the Chicago Branch Site shows the Status as Active (Green status)
3. Confirm the link shows its IP address and interface information with a Green status

As the lab environment has limited or no internet access, you might not see
the WAN ISP link names getting auto populated. You will see the IP addresses
for the WAN ISP Link (in this case 198.18.14.11)

Hover the mouse cursor over the WAN Link field


As this is a lab environment with no or limited internet access, the lab pod might
not auto-resolve the ISP names. The end user in the lab environment will only see
the IP address for the links and not the ISP names.

ISP names will not auto populate in the lab environment.

CHI-VCE-01

Click on CHI-VCE-01 to get more details on the Bandwidth and WAN Impairments.

Detailed View


Detailed view shows Status as connected and also shows the Bandwidth (upload and
download) information for the WAN Link.


All the WAN link related information is auto-populated for the end user. End
user does not have to provide ISP IP address, Interface details, or Bandwidth as
part of the activation process.

Also, the current statistics related to WAN throughput are provided. You will
notice the Throughput numbers keep changing.

This is done by the Edge device running WAN bandwidth tests with the SD-WAN
Gateway component.

This concludes Chicago site verification and confirms a successful zero touch
provisioned activation.

Configuring LAN side of the Edge device

This lesson will help you understand how to configure the edge device.

In this exercise, we will configure the LAN side for the edge device. Client
machines which are part of the LAN subnet will use the Edge device to get
Internet connectivity.

For this lab, you will configure the LAN subnet and also enable the Edge device
to be the DHCP server for the LAN subnet.

Configuration can also be performed on an unactivated edge device. When the
edge device gets activated, the Orchestrator will push the configuration to the
edge device.

• Site Name = CHI-VCE-01
• Branch site in this case is Activated
• Client machine name is Chicago Client machine. This machine is
accessed via RDP from the HOL main window.
• LAN side Subnet is 10.24.1.x/24


Topology

Configure the Edge Device

1. Click on Configure
2. Click on CHI-VCE-01


Device

1. Click on the Device tab

Configuring VLAN

Scroll down on the device tab to access the VLAN configuration

1. Click on Edit to configure the LAN Subnet


VLAN

1. Enter the Edge LAN IP address as 10.24.1.1
2. Click on the network address, it will be auto-filled
3. Scroll down and Click on "Update VLAN" button

GE1 and GE2 are part of VLAN1 (LAN Segment)

Depending on your enterprise network, you will configure the DHCP client
address range, lease time, and other DHCP Options.

Optional Step: You could put the Management interface in the same subnet as
the LAN subnet.

How to put the management IP address in the same subnet as the LAN segment
(VLAN1)?

By clicking on "Enable Edge Override" and changing the management IP to
10.24.1.2


Save Changes

Click on Save Changes

Verification Step

In this step, End user will verify by connecting the machine on the LAN segment of the
edge device.

Expected result is to have the client machine be able to ping the VLAN configured on
the CHI-VCE-01

Open chi-client

Let us access the Windows client machine from the RDP shortcut on the HOL main
window. Minimize the browser window.

1. Double click on the Chicago Client RDP session to get CLI access to the
client machine.

This machine is pre-wired and connected to the GE1 interface of the edge device.

Open Command Prompt

1. Command Prompt is located at the bottom toolbar in the Chi-client Windows
machine

Ping

Try to see if ping works to 10.24.1.1, which is the VLAN IP configured on the CHI-VCE-01
before.


VMware SD-WAN Edge (VCE) may be enabled as a DHCP Server to provide IP
addressing from a pool of available IP addresses, or it may be configured as a
DHCP Relay. When configured as a DHCP server, the following options are
supported: Time Offset (2), DNS Server (6), Domain Name (15), Time Servers
(42), TFTP Server (66), Boot File Name (67), Domain Search (119), or Custom.
The Custom option allows a customer-defined text or numeric data type and
code.
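The option list above maps onto the DHCP option TLV format, which is what actually arrives on the client. The following added example (not lab or VMware code) encodes and decodes exactly those option codes, including the RFC 3397 name encoding used by Domain Search (119), and adds an allowlist check a LAN administrator can run against a captured offer; the Edge LAN IP 10.24.1.1 comes from the lab, every other sample value is constructed.

```python
"""DHCP option TLVs (RFC 2132; option 119 per RFC 3397) for the Edge DHCP option
codes above. Added example, not lab/VMware code; only 10.24.1.1 is from the lab."""
import struct
from ipaddress import IPv4Address

PAD, END, TIME_OFFSET, DNS_SERVER, DOMAIN_NAME = 0, 255, 2, 6, 15
TIME_SERVERS, TFTP_SERVER, BOOT_FILE, DOMAIN_SEARCH = 42, 66, 67, 119
IP_LIST_OPTIONS, STRING_OPTIONS = (DNS_SERVER, TIME_SERVERS), (DOMAIN_NAME, TFTP_SERVER, BOOT_FILE)

def encode_dns_names(names):
    """RFC 1035 label encoding for option 119 (no compression on encode)."""
    out = bytearray()
    for name in names:
        for label in name.rstrip(".").split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad DNS label %r" % label)
            out += bytes([len(raw)]) + raw
        out.append(0)                       # root label terminates each name
    return bytes(out)

def decode_dns_names(data):
    """Decode option 119, following RFC 1035 compression pointers (0xC0xx)."""
    names, pos = [], 0
    while pos < len(data):
        labels, cur, jumped = [], pos, False
        while data[cur] != 0:
            length = data[cur]
            if length & 0xC0 == 0xC0:       # pointer back into an earlier name
                if not jumped:
                    pos = cur + 2           # the stream resumes after the pointer
                jumped = True
                cur = struct.unpack("!H", data[cur:cur + 2])[0] & 0x3FFF
                continue
            labels.append(data[cur + 1:cur + 1 + length].decode("ascii"))
            cur += 1 + length
        if not jumped:
            pos = cur + 1
        names.append(".".join(labels))
    return names

def encode_option(code, value):
    if code == TIME_OFFSET:
        body = struct.pack("!i", value)                 # signed seconds from UTC
    elif code in IP_LIST_OPTIONS:
        body = b"".join(IPv4Address(v).packed for v in value)
    elif code in STRING_OPTIONS:
        body = value.encode("ascii")
    elif code == DOMAIN_SEARCH:
        body = encode_dns_names(value)
    else:                                               # Custom: raw bytes
        body = bytes(value)
    return bytes([code, len(body)]) + body              # len > 255 raises here

def decode_option(code, body):
    if code == TIME_OFFSET:
        return struct.unpack("!i", body)[0]
    if code in IP_LIST_OPTIONS:                         # short tail raises too
        return [str(IPv4Address(body[i:i + 4])) for i in range(0, len(body), 4)]
    if code in STRING_OPTIONS:
        return body.decode("ascii")
    if code == DOMAIN_SEARCH:
        return decode_dns_names(body)
    return bytes(body)

def build_options(options):
    return b"".join(encode_option(c, v) for c, v in options) + bytes([END])

def parse_options(blob):
    """Walk a DHCP options field into {code: value}; rejects truncated TLVs."""
    out, pos = {}, 0
    while pos < len(blob):
        code = blob[pos]
        if code == PAD:
            pos += 1
            continue
        if code == END:
            return out
        length = blob[pos + 1] if pos + 1 < len(blob) else None
        body = blob[pos + 2:pos + 2 + (length or 0)]
        if length is None or len(body) != length:
            raise ValueError("truncated option %d at offset %d" % (code, pos))
        out[code] = decode_option(code, body)
        pos += 2 + length
    raise ValueError("options field has no END (255) marker")

def unexpected_servers(options, allowed):
    """DNS/time servers not on the admin allowlist: a rogue-DHCP-server check."""
    return [(code, ip) for code in IP_LIST_OPTIONS
            for ip in options.get(code, []) if ip not in allowed]

# Constructed sample offer from the Edge DHCP server for the 10.24.1.0/24 LAN.
SAMPLE_OFFER = build_options([
    (TIME_OFFSET, -21600),                      # UTC-6 (Chicago standard time)
    (DNS_SERVER, ["10.24.1.1"]),               # Edge LAN IP from the lab
    (DOMAIN_NAME, "corp.local"),               # constructed
    (DOMAIN_SEARCH, ["corp.local", "chi.corp.local"]),
    (200, b"\x01\x02"),                        # constructed Custom option
])
```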

Confirm Network Configuration

Type in the command prompt:

netstat -rn

Expected result: the default gateway should be 10.24.1.1 (the edge device
IP) and the client machine's interface on GE1 should be part of the 10.24.1.x subnet.
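The same check can be scripted for a fleet of clients. The added example below (not lab or VMware code) parses the IPv4 route table printed by Windows `netstat -rn` and reports whether the client sees exactly the expected default gateway from an address inside the LAN; the sample output is constructed, using the CHI client IP 10.24.1.11 and Edge LAN IP 10.24.1.1 from the lab.

```python
"""Parse Windows `netstat -rn` IPv4 output and check the lab's expected LAN state:
default gateway 10.24.1.1 reached from an address inside 10.24.1.0/24.
Added example, not lab or VMware code; the netstat excerpt is constructed."""
from ipaddress import IPv4Address, IPv4Network

# Constructed excerpt of `netstat -rn` as printed on the Chicago client.
SAMPLE_NETSTAT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.24.1.1       10.24.1.11     25
        10.24.1.0    255.255.255.0         On-link        10.24.1.11    281
       10.24.1.11  255.255.255.255         On-link        10.24.1.11    281
      10.24.1.255  255.255.255.255         On-link        10.24.1.11    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
===========================================================================
Persistent Routes:
  None
"""

def parse_routes(text):
    """Return [(destination, netmask, gateway, interface, metric)] from the
    Active Routes section; 'On-link' gateways are represented as None."""
    routes, active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            active = True
            continue
        if line.startswith("Persistent Routes:"):
            break
        parts = line.split()
        if not active or len(parts) != 5 or not parts[4].isdigit():
            continue                      # banners, column header, separators
        try:
            dest, mask, iface = (IPv4Address(parts[i]) for i in (0, 1, 3))
            gw = None if parts[2] == "On-link" else IPv4Address(parts[2])
        except ValueError:
            continue                      # anything that is not an IPv4 route
        routes.append((dest, mask, gw, iface, int(parts[4])))
    return routes

def check_lan_config(text, expected_gw="10.24.1.1", lan="10.24.1.0/24"):
    """Return a list of findings; an empty list means the client has exactly the
    expected default gateway and reaches it from an address on the LAN."""
    expected_gw, lan = IPv4Address(expected_gw), IPv4Network(lan)
    any_addr = IPv4Address("0.0.0.0")
    defaults = [r for r in parse_routes(text) if r[0] == any_addr and r[1] == any_addr]
    if not defaults:
        return ["no default route: client will not reach the Edge for Internet"]
    findings = []
    if len(defaults) > 1:                 # a second adapter or rogue gateway
        findings.append("%d default routes present" % len(defaults))
    for _, _, gw, iface, _ in defaults:
        if gw != expected_gw:
            findings.append("default gateway %s, expected %s" % (gw, expected_gw))
        if iface not in lan:
            findings.append("interface %s is not in %s" % (iface, lan))
    return findings
```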

Exit Chicago RDP Session

Close the Command prompt screen

Minimize the chi-client-01-corp-local RDP session


This concludes the lab exercises for Module 2.


Conclusion
In this module we have successfully provisioned a new branch site using
Zero Touch Provisioning, and we have also configured the network access
for the edge device and verified connectivity.

You've finished Module 2!

Congratulations on completing Module 2!

If you are looking for additional information on VMware SD-WAN by VeloCloud, try one of
these:

• Click on this link
• Or go to https://tinyurl.com/yd7q2xs7

Proceed to any module below which interests you most.

• Module 3 - Overlay (Auto and User Defined) (15 minutes)

This is NOT an optional lab module. To execute Module 4 and beyond, do
complete all the task activity for Module 2.

How to End Lab

To end your lab click on the END button.


Module 3 - Overlay (Auto and User Defined) (15 Minutes)


Introduction
The focus of this lab exercise is to understand the difference between public and
private SD-WAN overlay.

Understand the terminology: Public and Private Overlay, Auto and User
Defined Overlay.

This Module contains the following lessons:

• Understand the terminology: Public and Private Overlay, Auto and
User Defined Overlay.
• How to Configure Auto defined Overlay for an Internet Only site
• How to check Auto defined overlay and User defined overlay

Task 1 is a MUST to be executed. If you are going to continue with other lab
tasks, make sure you complete this lab task:

• How to Configure Auto defined Overlay for Internet Only site (Chicago
Site)


Terminology for Auto and User Defined Overlay
Public Overlay (Auto Defined Overlay)

The VMware SD-WAN Edge uses interfaces that can simultaneously route to
the underlay and establish the SD-WAN Overlay.

A single routed interface can also have multiple public and/or private overlays allocated
to it, separated by 802.1q VLAN tags.

A public WAN overlay is defined as one that runs over a public underlay network
where a VMware SD-WAN Gateway is reachable.

A public SD-WAN overlay is automatically detected and created on each
edge when an interface to a public network comes up, and after a successful
negotiation with a VMware SD-WAN Gateway. The SD-WAN edge device sends a tunnel
negotiation message to the VMware SD-WAN Gateways. This step happens after the
successful activation of the edge device.

Private Overlay (User Defined Overlay)

By default, in a hosted deployment, the Orchestrator and Gateways are hosted on the public
internet. There are no Gateways in the private WAN.

A private WAN overlay is user-defined and is carried over a private network where a
VMware SD-WAN Gateway is not reachable. In this case, the edge device needs to be provided
with the next hop device information for building up the private overlay tunnel.

By default, all VMware SD-WAN Edges will build up an Overlay tunnel (SD-WAN
overlay) to the VMware SD-WAN Gateways.


In this module we will be working on these main tasks.

In this lab, the end user will perform the following tasks:

Task 1: How to check on Auto Defined Overlay

Task 2: How to check on User Defined Overlay

Overlay and Underlay Configuration

Public Overlay (Auto Defined Overlay)

The VMware SD-WAN Edge uses interfaces that can simultaneously route to
the underlay and establish the SD-WAN Overlay.

A single routed interface can also have multiple public and/or private overlays allocated
to it, separated by 802.1q VLAN tags.

By default, all VMware SD-WAN Edges will build up an Overlay tunnel (SD-WAN
overlay) to the VMware SD-WAN Gateways.

Private Overlay (User Defined Overlay)

By default, in a hosted deployment, the Orchestrator and Gateways are hosted on the public
internet.

There are no Gateways in the private WAN.

In this module we will be working on these main tasks.

In this lab, the end user will perform the following tasks:

• Task 1: How to configure Auto Defined overlay for Public internet link
• Task 2: How to check on Auto Defined Overlay
• Task 3: How to check on User Defined Overlay

Do not skip Lab Task 1

• Task 2 and Task 3 are Optional

Task 1: How to Configure Auto Defined Overlay for Public Internet link

For this lab task, we will configure the CHI-VCE-01 public WAN link on the GE4 interface.

A public WAN overlay is defined as one that runs over a public underlay network
where a VMware SD-WAN Gateway is reachable. A public SD-WAN overlay is automatically
detected and created on each edge when an interface to a public
network comes up, and after a successful negotiation with a VMware SD-WAN Gateway.
The SD-WAN edge device sends a tunnel negotiation message to the VMware SD-WAN Gateways.
This step happens after the successful activation of the edge device.

Summary Task:

1. Configure the Public WAN interface with Auto detect.

For a Private overlay, it is a 2 step process:

1. Enable the Private interface with User defined overlay
2. Configure User defined overlay.

Configure Edges

1. Click on Configure > Edges
2. Click on CHI-VCE-01 branch site

Device

1. Click on Device Tab

Interface Settings

1. Scroll down to Interface Settings
2. Click on Edit for GE4 interface

Override and Enable Interface

1. Enable checkbox Override Interface for GE4 Interface
2. Verify the box next to Interface Enabled is checked


Addressing Type

Edit GE4 with the following information:

• Addressing type: Static
• IP address: 198.18.15.11
• CIDR: 24
• Gateway 198.18.15.1
• WAN Overlay: Auto-detect Overlay

Update GE4

1. Save the configuration for the interface by clicking update GE4


Save Changes

Scroll to the top of the page and save the configuration by clicking Save Changes.

Verify Settings

As this is a public internet link, the Auto defined overlay will be triggered between the
Chicago WAN link GE4 and the VMware SD-WAN Gateway.

There are no Gateways over the private link (user defined overlay).

Validation: Go to Monitor > Edges. The List page will show 2 WAN Links.

This will take approx 2-3 minutes for both the links to show up in this lab environment.

Task 2: Auto Defined Overlay

This will help us understand the overlay which gets built up automatically from the
SD-WAN edge device to the Gateway on the public internet link. The end user also has
the flexibility of enabling a hub and then establishing overlays to the Hub site.

Remember, the next hop in an auto defined overlay is the VCG (VMware SD-WAN
Gateway), and in the case of user defined overlay on a private link, the next hop is the next hop
device (router). There is no VCG on the private link.

The Chicago Branch site with a public internet link shows Auto detect WAN overlay.

In this lab task, we will use Test and Troubleshoot from the VCO to check for
the overlay from the branch site and DC site to the Gateway.


Summary Steps:

By default, Sites with Internet links will establish an overlay to the Gateway. We
are going to use the Orchestrator (VCO) UI to verify the same.

Showcase Internet Overlay from Chicago Site to VCG

By default, all sites with Public internet links will build up a secure overlay on the internet link
to the Gateway. This can be verified from List Paths under Test and Troubleshoot.

1. Use Test and Troubleshoot -> Remote Diagnostics ->

Chicago Site


Click on Chicago Site (CHI-VCE-01).

Waiting for Edge...

This will take a minute or two to complete.

List Paths

1. Go down the tool list and click on List Paths. List Paths should show only VCG
(VeloCloud Gateway) in the path.
2. Click Run

For the Chicago Branch site with dual internet links, 4 Overlays will be up and
running from the branch site to the VCGs (VeloCloud Gateways).

Why 4 Tunnels (SD-WAN Overlay)?

• There are 2 WAN links and 2 VMware SD-WAN Gateways.
• Each WAN link will trigger an SD-WAN overlay tunnel to the Primary and
Secondary Gateway.

For example:

• Tunnel-1 from WAN Interface GE3 to VMware SD-WAN Primary Gateway-1
• Tunnel-2 from WAN Interface GE3 to VMware SD-WAN Secondary Gateway-2
• Tunnel-3 from WAN Interface GE4 to VMware SD-WAN Primary Gateway-1
• Tunnel-4 from WAN Interface GE4 to VMware SD-WAN Secondary Gateway-2

Results

The Remote IPs in this case are the VMware SD-WAN Gateways.
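The 2 links x 2 gateways reasoning above is easy to turn into an audit of the List Paths result: every expected (WAN link, gateway) pair should be up, and no path should terminate at a remote IP that is not one of the assigned gateways. The following is an added example, not lab or VMware code; the gateway addresses, the path records and the "UP"/"DEAD" state labels are constructed, and only the interface names GE3 and GE4 come from the lab.

```python
"""Audit a List Paths result against the tunnels predicted for a dual-internet
branch: each WAN link x each assigned Gateway, and nothing else.
Added example, not lab or VMware code. Gateway addresses, path records and
state labels are constructed; real List Paths output has more columns."""
from itertools import product

# Constructed: the two VCGs assigned to the branch (role -> address).
GATEWAYS = {"primary": "203.0.113.10", "secondary": "203.0.113.20"}
WAN_LINKS = ("GE3", "GE4")

def expected_tunnels(links=WAN_LINKS, gateways=GATEWAYS):
    """Every (WAN link, gateway address) pair: 2 links x 2 gateways = 4 tunnels."""
    return set(product(links, gateways.values()))

def audit_paths(paths, links=WAN_LINKS, gateways=GATEWAYS):
    """paths: iterable of {"interface", "remote_ip", "state"} records.
    Returns (missing_or_down, unexpected): expected tunnels that are absent or
    not UP, and peers that are present but were never assigned to this branch."""
    want = expected_tunnels(links, gateways)
    seen = {(p["interface"], p["remote_ip"]) for p in paths}
    up = {(p["interface"], p["remote_ip"]) for p in paths if p["state"] == "UP"}
    return sorted(want - up), sorted(seen - want)

# Constructed List Paths records: the GE4 tunnel to the secondary gateway never
# came up, and one GE4 path terminates at an address that is not a Gateway.
SAMPLE_PATHS = [
    {"interface": "GE3", "remote_ip": "203.0.113.10", "state": "UP"},
    {"interface": "GE3", "remote_ip": "203.0.113.20", "state": "UP"},
    {"interface": "GE4", "remote_ip": "203.0.113.10", "state": "UP"},
    {"interface": "GE4", "remote_ip": "203.0.113.20", "state": "DEAD"},
    {"interface": "GE4", "remote_ip": "198.51.100.7", "state": "UP"},
]

if __name__ == "__main__":
    missing, unexpected = audit_paths(SAMPLE_PATHS)
    print("missing or down:", missing)
    print("unexpected peers:", unexpected)
```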

Task 3: User Defined Overlay

A Private WAN overlay is user defined and is carried over a private network where
a VMware SD-WAN Gateway (VCG) is not reachable.

In this case, the edge device needs to be provided with the next hop device information
for building up the private overlay tunnel.

In our lab, Branch sites like Dallas and NYC have private links and need to be
defined with User defined overlay on the private WAN links (MPLS).

For interfaces attached to a private underlay, the setting for WAN overlay in
Configure > Edge > Dallas Branch Site > Device Tab > GE4 interface
must be set to User-defined Overlay.

After configuring User defined overlay, the following steps happen:

a. This will instruct the edge to pass the interface IP address associated with the
user defined overlay to the Orchestrator.

b. The Orchestrator in turn will pass this information to the other edges that
are configured for user defined overlay, so those VMware SD-WAN edges can
learn the tunnel endpoint IP address over the private network, needed when
building an SD-WAN overlay.

User defined overlay for a private link like MPLS is a 2 step process:

(A) Defining User defined overlay for the Private link and

(B) Configuring User defined overlay.

Dallas Branch Site

Access the Dallas Branch site from the Configure tab and check the Overlay type as User
defined.

1. Click Configure, then Edges
2. Click on DAL-VCE-01

Device Tab

1. Click on the Device tab

Verify Private Link

1. Scroll down to the Interface Settings section


2. Check the private link interface, GE4

For this lab, the private link is pre-configured. The purpose of this task is to
understand the private overlay, not to change it.


Defining User Defined Overlay

Also check the WAN settings on GE4.

Configuring User Defined Overlay

These settings are required on a private link.

Exit the Dallas branch site without making any configuration changes.


Conclusion
In this module we covered the two WAN overlay types: Automatic and User Defined overlay.

You've finished Module 3!

Congratulations on completing Module 3!

If you are looking for additional information on VMware SD-WAN by VeloCloud, go to:

• https://tinyurl.com/yd7q2xs7

Proceed to any module below which interests you most.

• Module 4 - Configuring Profiles (15 Mins)

How to End Lab

To end your lab click on the END button.

Module 4 - Configuring Profiles (15 Minutes)

Introduction
In this module you will learn how to create and configure Profiles and how to add
multiple Edges to a Profile for configuration. A Profile is essentially a configuration
template.

Lab tasks such as placing restrictions on Profiles and creating and configuring
segment-based Profiles are also covered; these are useful in customer deployments
and can be used as a best practice.

Task 3: Assigning Edges to a Profile is a MUST. Do not skip this lab task. Task 1 and
Task 2 are optional.

If you are going to continue with the later lab modules, do execute Task 3.


Profile Creation, Assignment and Restriction
The goal of this exercise is to create a new Profile from the Orchestrator. The solution
works with the concept of a 'profile' to group together VMware SD-WAN Edges (VCEs)
that operate in a similar fashion. A Profile can be compared to a template for how a
branch should operate: it contains a base set of policies and device settings that are
common across all VCEs associated with the Profile. Adjustments can be made to each
individual Edge to accommodate exception cases; however, the advantage of Profiles is
that a change to a Profile takes effect on every VCE associated with it. A change in
security posture (for example a tightened firewall rule) therefore becomes effective on
all Edges in the Profile in less than 1 minute after the Profile is modified. Profiles
include, but are not limited to, the following settings:

• VPN settings that control how to secure traffic within the corporate realm
• Firewall settings that control which applications are allowed on the network as
well as how to log violations
• Business policy settings that control how applications flow through the network
and are treated from a priority perspective.

Task 1: Segment Based Profile Creation

From the HOL main window page; go back to the VMware SD-WAN Orchestrator web
page.

1. Click on the Configure tab


2. Click on Profiles
3. Then New Profile...


New Profile

A new pop-up window opens; provide a name for the profile and create it.

1. Name: New Segment Profile


2. Click on "Create"

A new profile named "New Segment Profile" is created and appears under Configure >
Profiles.

You can now assign Edges to the newly created Profile by using the Action button.

You can also click an existing Profile and duplicate it. With this, all the
configuration from the existing Profile is copied over to the new Profile.


Profile Overview

Profile configuration summary can be viewed from Profile overview.

Task 2: Use of Profile Restriction

Objective: learn how to put a restriction on a Profile.

In this exercise you will create a Profile and configure its device list so that it
allows the Virtual Edge model only.

All hardware (HW) Edge models are excluded from the Profile. You will then verify the
restriction by trying to add a hardware Edge device (VCE) to this Profile; the attempt
should fail.


Summary Steps:

1. Configure > Profiles > Create new profile

2. Modify the Profile's device list to allow only the Virtual Edge model

3. Create a new site with a HW Edge device model.

4. The attempt should fail. You will not be allowed to add a site with a HW device to
this new Profile.

New Profile

1. Click Profiles
2. Then New Profile...

New Profile

1. Name the New Profile: Branch Virtual Profile


2. You may also add an optional description.
3. Click Create

Configure Profile

Now we will configure the Profile's device list to add the restriction. This Profile is
intended to exclude hardware Edges: only virtual Edges are to be part of "Branch
Virtual Profile".

1. Note the devices that are currently enabled.

2. Click the Device tab.

Device List

1. Scroll down in the Device tab to the device list.

2. Uncheck all the hardware appliance Edge models in the device list. Leave only
Virtual Edge checked.

Save the Changes

1. Scroll up to the top of the page and click the Save Changes button.


Profile "Branch Virtual Profile" is now restricted to virtual edge only

New Edge

The next step is to verify the Profile restriction by assigning an Edge to the Profile.
We will create a new site from the Orchestrator with a hardware model.

1. Click Edges
2. Click the New Edge... button

1. Provision the new edge with these details:

• Name: Test-VCE-01
• Model: Edge 6X0 (selected from drop down menu)
• Profile: Branch Virtual Profile

2. Then click on "Create"

This action should fail.

What happened here?

Expected result: an error appears, "Please fix the problems below and try
again".

Click the "!" icon beside the Model field; the error reads "The selected profile
does not contain a configuration for Edge 6X0".

If we think back, the Profile "Branch Virtual Profile" was restricted to the Virtual
Edge model alone, so the error is valid here: the Orchestrator refuses to create an
Edge whose model has no configuration in the Profile.

This shows how you can restrict Profile usage based on the Edge model type.
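To make the restriction check concrete, here is a small Python model of the behaviour just observed. It is an added example, not Orchestrator code, and its class names, setting keys and the assumption that CHI-VCE-01 is a Virtual Edge are for illustration only; the error string is the one the lab reports. It also models the template semantics described at the start of this module: a setting changed on the Profile reaches every member Edge, while an Edge-level override for a different key is kept.

```python
"""Toy model of Orchestrator Profiles as configuration templates.

Added example for this lab guide; not VMware SD-WAN Orchestrator code. Class
names, setting keys and the device lists are assumptions, the error string is
the one the lab reports. Two behaviours from this module are modelled: a
Profile's device list restricts which Edge models may join it, and a change to
the Profile is inherited by every member Edge unless that Edge overrides the
same setting.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


class ProfileRestrictionError(ValueError):
    """Raised when an Edge model is not enabled in the target Profile's device list."""


@dataclass
class Profile:
    name: str
    device_models: Set[str]                    # models ticked on the Devices tab
    settings: Dict[str, str] = field(default_factory=dict)


@dataclass
class Edge:
    name: str
    model: str
    profile: Profile
    overrides: Dict[str, str] = field(default_factory=dict)   # Edge-level exceptions

    def effective_settings(self) -> Dict[str, str]:
        """Profile settings first, then any Edge override layered on top."""
        merged = dict(self.profile.settings)
        merged.update(self.overrides)
        return merged


def check_model(profile: Profile, model: str) -> None:
    """The check behind the '!' icon: the model needs a configuration in the Profile."""
    if model not in profile.device_models:
        raise ProfileRestrictionError(
            f"The selected profile does not contain a configuration for {model}")


def new_edge(name: str, model: str, profile: Profile) -> Edge:
    """Mimics New Edge...: provisioning fails when the model is not in the device list."""
    check_model(profile, model)
    return Edge(name=name, model=model, profile=profile)


def assign_profile(edge: Edge, profile: Profile) -> None:
    """Mimics Action > Assign Profile on an existing Edge; the same restriction applies."""
    check_model(profile, edge.model)
    edge.profile = profile


def build_lab() -> Tuple[Profile, Profile, Edge]:
    """Constructed scenario mirroring Tasks 2 and 3 (CHI-VCE-01 assumed to be a Virtual Edge)."""
    internet_only = Profile(
        name="Branch Internet Only Profile",
        device_models={"Edge 510", "Edge 6X0", "Virtual Edge"},
        settings={"firewall_default": "deny", "cloud_vpn": "off"},
    )
    virtual_only = Profile(
        name="Branch Virtual Profile",
        device_models={"Virtual Edge"},          # every hardware model unticked
        settings={"firewall_default": "deny"},
    )
    chi = Edge("CHI-VCE-01", "Virtual Edge", internet_only)
    chi.overrides["firewall_log_violations"] = "on"   # exception kept at Edge level
    return internet_only, virtual_only, chi


def demo() -> dict:
    """Replays the module: a rejected hardware Edge, an accepted virtual one, and a
    Profile edit that reaches the member Edge except where it has an override."""
    internet_only, virtual_only, chi = build_lab()
    try:
        new_edge("Test-VCE-01", "Edge 6X0", virtual_only)   # Task 2: must fail
        rejected = False
    except ProfileRestrictionError:
        rejected = True
    vce = new_edge("Test-VCE-02", "Virtual Edge", virtual_only)   # accepted
    internet_only.settings["firewall_log_violations"] = "off"      # Profile-wide change
    internet_only.settings["cloud_vpn"] = "on"
    return {"hw_edge_rejected": rejected, "vce_profile": vce.profile.name,
            "chi_effective": chi.effective_settings()}


if __name__ == "__main__":
    print(demo())
```

Running the script prints the rejected/accepted outcome and CHI-VCE-01's effective settings after the Profile edit: `cloud_vpn` follows the Profile, while `firewall_log_violations` stays at the Edge's own override.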

Task 3: Assigning Edges to Profile

Objective: learn how to assign one or more Edges to a Profile for configuration
push.

In this exercise you will assign the Chicago Branch Site Edge CHI-VCE-01 to the
Branch Internet Only Profile.

Summary Steps:

1. Configure > Edges

2. Click Action and assign the Edge to the appropriate Profile

Select CHI-VCE-01

Click on the checkbox next to CHI-VCE-01

Assign Profile

1. Click the Action button


2. Select Assign Profile

Select Profile

1. From the drop-down menu, select "Branch Internet Only Profile"
2. Click Apply

Confirm

1. Click Confirm.

The CHI-VCE-01 branch site is now part of the Branch Internet Only Profile.


Conclusion
Profiles provide a composite of the configurations created under Networks and
Network Services, plus the Business Policy and Firewall rules.

You have learned the concept of Profiles, Profile creation, configuring Profiles
and assigning devices to a Profile.

Remember, a Profile is essentially a configuration template.

You've finished Module 4!

Congratulations on completing Module 4!

If you are looking for additional information on VMware SD-WAN by VeloCloud, go to:

• https://tinyurl.com/yd7q2xs7

Proceed to any module below which interests you most.

• Module 5 - Business Policy Framework (15 minutes)

How to End Lab

To end your lab click on the END button.

Module 5 - Business Policy Framework (15 Minutes)

Introduction
VMware SD-WAN provides an enhanced Quality of Service feature called Business
Policy. This feature is defined using the Business Policy tab in a Profile or at the
Edge override level.

Based on the business policy configuration, VMware SD-WAN examines the traffic
being used, identifies the Application behavior, the business service objective
required for a given app (High, Med, or Low), and the Edge WAN Link conditions.
Based on this, the Business Policy optimizes Application behavior driving queuing,
bandwidth utilization, link steering, and the mitigation of network errors.

In this module you will perform the following tasks:

1. Identifying DIA (Direct Internet Access) traffic

2. Identifying Cloud Gateway traffic

Module 5 is optional and largely conceptual. You can skip it and go to Module 6,
but it is recommended for understanding the concept.

Note: If you are logged in using a user ID that has Customer Support privileges, you will
only be able to view SD-WAN Orchestrator objects. You will not be able to create new
objects or configure/update existing ones.

The HOL lab environment has limited access to the public internet. This module
walks you through the steps to configure Business Policy rules for Direct Internet
traffic and for traffic via the Gateway; if the lab has no internet access, the
traffic validation steps may not produce any output.


Business Policy Framework

As the lab has limited or no outside access, traffic to destinations outside the lab
pod might not work. If you are not able to browse the internet, use this module to
understand the workflow for creating and configuring different Business Policy rules.

Task 1: How to Configure and Identify Direct Internet Traffic

You create a new Business Policy rule that sends matching traffic directly to the
underlay network (Direct Internet Access).

Start by logging on to the VMware SD-WAN Orchestrator as an Enterprise administrator.

1. Double click the Chrome browser icon to access the Orchestrator (VCO)


Sign In

1. Ensure the credentials are: Username: "[email protected]"; the Password
should be auto-populated; if for any reason it is not, use "VMware1!"
2. Click "Sign In" to continue.


Configure Profiles

1. Click the Configure


2. Click Profiles
3. Then Branch Internet Only Profile

Business Policy

1. Click the Business Policy tab


2. Click New Rule

Configure Rule

1. Enter the following details in the Match section:

• Rule Name: Rule-1-yahoo


• Application: Define --> Web --> yahoo

2. In the Action section, set the Network Service to Direct


Create Rule

1. Scroll to the bottom and click OK

Save Changes


Verify Business Policy

1. In the Rule column of the Business Policy section, verify that you can see the
Rule-1-yahoo Rule business policy.

Minimize Chrome

1. Click to minimize Chrome.


Open CHI-CLIENT

1. From the desktop, open chi-client.rdp

Open Chrome

1. From the chi-client desktop, open Chrome


Go to yahoo.com

1. In the address bar, type yahoo.com and press Enter

Minimize RDP

1. Click to minimize the RDP session


Remote Diagnostics

Back in VCO:

1. Click the Test & Troubleshooting tab


2. Click Remote Diagnostics
3. Click CHI-VCE-01

List Active Flows

Note that the screenshot shows 192.168.6.20 as the source IP. The source IP depends
on your network; in this lab the source IP for the Chicago LAN side will be a
10.24.1.x/32 host address.

1. Scroll down to the List Active Flows section and click Run.
2. You should see the Business Policy of Rule-1-yahoo listed.

Task 2: How to Configure and Identify Cloud GW Traffic

You create a new Business Policy rule that steers matching traffic through the
VMware SD-WAN Gateway (Cloud GW) instead of directly to the underlay.

Configure Profiles

In the navigation pane, click Configure > Profiles > Branch Internet Only Profile

Business Policy

Click the Business Policy Tab


New Rule

In the Business Policy section of the Configure Segments pane, click New Rule.

New Rule

1. In the Configure Rule window, enter Rule-2-skype in the Rule Name text box.
2. Match --> Source: Any, Destination: Any
3. In the Match section, next to Application, click Define.
4. In the Application search box, type skype and select skype from the Browse List
5. Action --> Network Service: Multi-Path


Create Rule

Click OK

Save Changes

In the Rule column of the Business Policy section, verify that you can see the
Rule-2-skype business policy.

Click Save Changes

Allow at least 30 seconds for the rule to be applied (the heartbeat interval at which
the Orchestrator (VCO) pushes new configuration changes to the Edge devices).

Validation

Start traffic to skype.com from the Chicago client machine (RDP session) or from the LAX
client machine. Both client machines are part of the Branch Internet Only Profile.


Open the browser on the Chicago client machine, browse to skype.com and try to download
the Skype software for Linux. This will generate some Skype traffic.

From the VCO > Test & Troubleshoot > Remote Diagnostics > click CHI-VCE-01

List Active Flows

Scroll down the list and look for "List Active Flows"

Click Run

The output shows that the Skype traffic is on the expected path: Skype traffic from the
branch site is being redirected to the Cloud Gateway, while traffic matching
Rule-1-yahoo goes Direct.
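As an added example (not Orchestrator or Edge code), the following Python evaluator reproduces the decision the two tasks rely on: the ordered rule list is scanned top to bottom and the first match picks the Network Service. The Rule and Flow structures, the catch-all Default rule and the sample flows (with placeholder destination addresses) are constructed for the example. It also shows the ordering pitfall a practitioner cares about: a broad Direct rule placed above Rule-2-skype sends Skype straight to the underlay, bypassing the Gateway.

```python
"""Toy evaluator for VMware SD-WAN Business Policy rules.

Added example for this lab guide, not Orchestrator or Edge code; the Rule and
Flow structures, the Default rule and the sample flows are assumptions. It
reproduces the logic Module 5 relies on: a flow is classified by (source,
destination, application), the ordered rule list is scanned top to bottom, the
first match decides the Network Service (Direct to the underlay, or Multi-Path
via the SD-WAN Gateway), and an unmatched flow falls through to a catch-all.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    source: str = ANY                       # CIDR or "any"
    destination: str = ANY                  # CIDR or "any"
    application: str = ANY                  # name from Define > Browse List, or "any"
    network_service: str = "multi-path"     # "direct" or "multi-path"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    application: str                        # what the Edge's app recognition reported


def _cidr_match(spec: str, ip: str) -> bool:
    return spec == ANY or ip_address(ip) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_cidr_match(rule.source, flow.src_ip)
            and _cidr_match(rule.destination, flow.dst_ip)
            and (rule.application == ANY or rule.application == flow.application))


def classify(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (rule name, network service) of the first matching rule."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.network_service
    return "Default", "multi-path"          # assumed catch-all rule of the Profile


def list_active_flows(rules: List[Rule], flows: List[Flow]) -> List[dict]:
    """Rough analogue of Remote Diagnostics > List Active Flows."""
    rows = []
    for f in flows:
        name, svc = classify(rules, f)
        rows.append({"src": f.src_ip, "dst": f.dst_ip, "app": f.application,
                     "business_policy": name, "network_service": svc})
    return rows


# The two rules configured in Module 5 Tasks 1 and 2
LAB_RULES = [
    Rule("Rule-1-yahoo", application="yahoo", network_service="direct"),
    Rule("Rule-2-skype", application="skype", network_service="multi-path"),
]

# Constructed sample flows from the Chicago LAN (10.24.1.0/24 per the lab note);
# destination addresses are documentation-range placeholders, not real service IPs
SAMPLE_FLOWS = [
    Flow("10.24.1.50", "198.51.100.10", "yahoo"),
    Flow("10.24.1.50", "198.51.100.20", "skype"),
    Flow("10.24.1.51", "198.51.100.30", "office365"),
]


def ordering_pitfall() -> Tuple[str, str]:
    """Why rule order matters: a broad Direct rule above Rule-2-skype sends Skype to
    the underlay, bypassing the Gateway path; below it, Skype still goes Multi-Path."""
    broad = Rule("All-web-direct", network_service="direct")
    skype = SAMPLE_FLOWS[1]
    return classify([broad] + LAB_RULES, skype)[1], classify(LAB_RULES + [broad], skype)[1]


if __name__ == "__main__":
    for row in list_active_flows(LAB_RULES, SAMPLE_FLOWS):
        print(row)
    print("skype with broad Direct rule first / last:", ordering_pitfall())
```

Run as a script it prints a List Active Flows style table for the three sample flows, then the Network Service Skype receives with the broad Direct rule placed first versus last.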


Conclusion
In this module we have configured and understood the Business Policy Framework.

VMware SD-WAN enables the simple implementation of business-based policies for
application delivery and simplifies application traffic management.

Note: If you are logged in using a user ID that has Customer Support privileges,
you will only be able to view VeloCloud Orchestrator objects. You will not be able
to create new objects or configure/update existing ones.

You've finished Module 5!

Congratulations on completing Module 5!

If you are looking for additional information on VMware SD-WAN by VeloCloud, go to:

• https://tinyurl.com/yd7q2xs7

Proceed to any module below which interests you most.

• Module 6 - Cloud VPN (45 minutes) (Advanced)

How to End Lab

To end your lab click on the END button.

Module 6 - Cloud VPN (45 Minutes)

Introduction
Cloud VPN

Cloud VPN provides the ability to configure the VMware SD-WAN overlay network
across all sites. One-click site-to-site Cloud VPN is a VPNC-compliant IPsec VPN that
connects VMware SD-WAN and non-VMware SD-WAN sites while delivering real-time
status and health of VPN sites. It establishes dynamic edge-to-edge communication
for all types of branches based on service level objectives and application
performance, and delivers secure connectivity across all branches with scalable
PKI-based key management. New branches join the VPN network automatically with
access to all resources in other branches, enterprise datacenters, and 3rd-party
datacenters such as Amazon AWS.

Traditionally, configuring IPsec overlays requires many lines of CLI, and manual CLI
configuration is error-prone. Any mismatch in the keys means the IPsec tunnel never
comes up.

Cloud VPN automates the entire overlay tunnel configuration process, providing an
easy, CLI-free approach.


Intel QuickAssist Technology (Intel QAT) provides a software-enabled foundation
for security, authentication, and compression, increasing overall performance and
efficiency. VMware SD-WAN by VeloCloud appliances use the QAT crypto offload to
accelerate IPsec performance.

This module contains the following lessons:

• In this lesson we go through the Cloud VPN configuration to connect Branch
and Hub locations together using an automated approach to IPsec VPN.
• In this lesson we verify that Cloud VPN is working and that client devices
have ping connectivity.

If you would like to complete all aspects of this module, ensure that your Chicago
Branch Edge is activated and configured with LAN-side interfaces, as you would have
done in Module 2. Otherwise you will not be able to verify overlay connectivity to
and from the Chicago Branch. This will not prevent you from completing Module 6 if
Module 2 was not done.

The next version of the lab will have this step automated, so the Chicago Branch
Edge will already be activated if you take this module independently.


Routing Concepts

With VMware SD-WAN, the VeloCloud Gateway (VCG) is responsible for distributing
routes to all the VeloCloud Edges (VCEs).

The routes learned from other VCEs are referred to as Overlay routes.

Underlay routes are the routes learned from routing protocols such as OSPF or BGP,
plus locally configured static routes; traffic destined to the Underlay is simply
routed or switched without any encapsulation.

The VMware SD-WAN solution supports mutual redistribution between Underlay and
Overlay routes. Note that within the VeloCloud solution, route redistribution in
either direction can be selectively disabled.

Objective: understand, configure, verify and troubleshoot different Cloud VPN
topologies.

The VPN topologies configured in this lab are Hub-Spoke, and Branch to Branch
using the Hub and/or the VeloCloud Gateway.

At the end of the lab exercise you will also validate some of the topologies by
inserting link failures. This is very helpful for understanding the traffic flow in
case of failures, and it is also covered in the PoC test cases.

Lab Module overview

In this module you will perform the following tasks:

1. Understand OFC and Cloud VPN
2. Change the Edge device role to the "Hub" role
3. Hub/Spoke topology for the Branch Internet Only Profile
4. Hub/Spoke topology for the Branch Hybrid Profile
5. Branch to Branch VPN using the Gateway
6. Verification: how to verify the path for B2B VPN
7. Branch to Branch VPN using the Hub

This is NOT an optional lab module. Upcoming labs depend on it. Do not skip this
module.


Cloud VPN Configuration

In this module we will understand, configure and validate Cloud VPN topologies such as
Hub-Spoke and Branch to Branch, and the OFC (Overlay Flow Control) table.

Lab Resources

• Use the Branch Site Profiles to enable Cloud VPN
• The Internet-only site (Chicago Branch site) will be used for verification
• The Hybrid site will be used for verification

Summary of Tasks

• Task 1: Understand OFC and Cloud VPN
• Task 2: Change the Edge device role to the "Hub" role
• Task 3: Hub/Spoke topology for the Branch Internet Only Profile
• Task 4: Hub/Spoke topology for the Branch Hybrid Profile
• Task 5: Branch to Branch VPN using the Gateway
• Task 6: Verification: how to verify the path for B2B VPN
• Task 7: Branch to Branch VPN using the Hub

Task 1: Understanding OFC and Cloud VPN

Objective: understand the relationship between OFC and Cloud VPN.

You will understand how the OFC table is built and how updates to the OFC table
happen.

OFC (Overlay Flow Control) is the SD-WAN routing table, giving a global view of all
route types (directly connected, static, OSPF, BGP).


The options to configure Underlay-to-Overlay redistribution are on the Overlay Flow
Control (OFC) page, which applies to all Edges under the Enterprise.

The options to configure Overlay-to-Underlay redistribution are under
Configure > Edges > Device or Configure > Profiles.

Summary Steps:

1. Check the OFC table without Cloud VPN enabled. (Before enabling Cloud VPN)
2. Enable Cloud VPN and check for updates on the OFC table. (After enabling Cloud
VPN)

Detailed Steps

Open the web browser and access the VCO. Log into the Orchestrator using the following
credentials:

• username: [email protected]
• password: VMware1!
• Click Sign In

Before enabling Cloud VPN, check the routing table from the VCO:

Go to VCO > Configure > Overlay Flow Control

OFC = Overlay Flow Control

Then enable Cloud VPN in all the Profiles (Branch Internet Only Profile, Branch Hybrid
Profile and DC Profile).

Expected result with Cloud VPN enabled: the OFC table shows the Connected routes
(the LAN-side routes of each Edge). For instance, the connected routes of the Chicago
Branch site (CHI-VCE-01) and of LAX-VCE-01 show up in the OFC table.

Verification 1: For Chicago Branch Site

Before enabling Cloud VPN on the Branch Internet Only Profile, the OFC table does not
show the Connected route 10.24.1.0/24 for CHI-VCE-01.

1. Click on Configure
2. OFC (Overlay Flow Control table)
3. Click on Search tab
4. Subnet contains address = 10.24.1.0
5. Click on search to start the search in the routing table

Expected result: the search returns nothing.

This is expected, as Cloud VPN is disabled in the Profile for the Edges that are part of
"Branch Internet Only Profile".

Enable Cloud VPN

Let us enable Cloud VPN from Branch Internet Only Profile and then check OFC table.

1. Select Configure
2. Then Profiles
3. Click on Branch Internet Only Profile


Enable Cloud VPN - Continued

1. Click the Device tab

2. Toggle Cloud VPN: On

3. Click Save Changes

After approximately 30 seconds, the Orchestrator pushes the new configuration to all
Edges that are part of the Branch Internet Only Profile.

Check the OFC table after Cloud VPN is enabled for the connected subnet 10.24.1.0/24

The LAN-side connected route of the CHI-VCE-01 Edge is now injected into the Overlay
Flow Control (OFC) routing table.

Before moving to the next lab task, repeat the process above to enable Cloud VPN in
the Branch Hybrid Profile and the DC Profile.

Enabling Cloud VPN for the Branch Hybrid Profile and saving changes to the Profile

Check that Cloud VPN is enabled in the Branch Hybrid Profile and save changes.

Repeat the previous step to enable Cloud VPN in the DC Profile and save changes.


All three Profiles (Branch Internet Only Profile, Branch Hybrid Profile and DC Profile)
now have Cloud VPN enabled.

Task 2: Change Edge device role to “Hub” role

Objective: Change the edge role to Hub role

The role of NVA-DC1-VCE01 should be changed from Edge to Hub.

In this exercise the Edge device role is changed to the Hub role; check the List Path
output before and after enabling the Hub/Spoke VPN.

A Hub is an explicit role that is assigned to a VMware SD-WAN Edge. Hubs are
typically located in the data center and terminate multiple overlay tunnels. In the
Profile for a Hub Edge, branch-to-branch VPN is typically not enabled, as servers in
each data center use the data center interconnect (DCI) for communication rather
than relying on the VMware SD-WAN Edges in each DC to build tunnels to each other.

Before the Hub is enabled, List Path for a branch site such as CHI-VCE-01 shows a
path to the Gateway only. After the Hub is enabled, List Path shows both the Gateway
and the Hub device.

After the DC Edge device's role is changed to Hub, each branch Edge device builds
an SD-WAN overlay tunnel to the DC Hub device.

Now, let's change the role.

Summary Steps:

1. Change the role of the DC Edge device to Hub from the Profile

Let's change the role of the DC Edge device


Change the role for the DC edge device

1. Click on Configure
2. Then Profiles
3. Click on Branch Internet Only Profile

Enable Branch to Hub

1. Click the Device tab

2. Enable the checkbox for Branch to Hub

Next, change the role of the DC Edge device to Hub


Change Role to Hub for DC Edge device

1. Click on Select Hub

Change Role to Hub for DC Edge device - Cont'

1. Click the checkbox for DC Edge device NVA-DC1-VCE01


2. Click on the right arrow to change the role
3. Click on OK and then Save Changes (not shown in Screenshot)


Confirm Role change

The role of NVA-DC1-VCE01 is changed to Hub.

In the next lab task you will enable the Hub/Spoke topology, with NVA-DC1-VCE01 as
the Hub and the branch sites (CHI-VCE-01 and so on) as spokes.

Task 3: Verification 1: Hub-Spoke Topology for the Branch Internet Only Profile

In a VMware SD-WAN hub-and-spoke topology, one or more branch VMware SD-WAN
Edges (the spokes) build one or more permanent tunnels to a centrally located Edge
in the head office or data center, known as the Hub.

For this lab task, the spokes are CHI-VCE-01 and LAX-VCE-01 and the Hub is
NVA-DC1-VCE01.

Before enabling the Hub-Spoke topology, you will notice the Gateway as the only path.

Use List Path from Test & Troubleshoot for the Chicago or LAX site.

Expected Results:

Before enabling the Hub-Spoke topology, List Path from the branch site only shows the
path to the VCG; there is no path to the Hub. You can check this from Test &
Troubleshoot > Chicago site > List Path, which shows only the VCG.

After enabling the Hub from the Profile, List Path shows both the Gateway and the Hub.
Spokes will have access to the DC Hub resources.

Use Test & Troubleshoot from the VCO to verify the Hub-Spoke topology on both
Internet-only sites (Chicago and LAX).

Optional verification can also be done by pinging from the Chicago client machine to
the DC server machine. This step is optional and can be skipped.

Ping from the Chicago client machine (Chicago client subnet 10.24.1.0/24) to the DC
server (DC server subnet 10.101.1.0/24).

Before the Hub is enabled, the ping from the Chicago client to the DC server subnet
fails. After the DC is enabled as a Hub, a static SD-WAN tunnel is established between
the Chicago Edge and the DC Hub device; the tunnel carries the traffic between the
Chicago Branch site and the DC Hub, and the ping works.

Verify Topology

1. Click Test & Troubleshoot

2. Then Remote Diagnostics
3. Click CHI-VCE-01 and wait a couple of seconds for the tools to load, then run
List Path

Wait 30 seconds for the Orchestrator to push the new configuration to the Edges.

Scroll down to List Path

Click Run; the output shows the path details, including the source and destination
IP addresses. The source IP is the CHI-VCE-01 WAN IP address and the destination IP
is that of NVA-DC1-VCE01 (the Hub).


Learning from the lab task

◦ Cloud VPN Feature


◦ Enabling Hub
◦ How to check for the overlay in Hub/Spoke Topology

Next, move on to enabling the Hub-Spoke topology for the Edge devices in branch
sites with hybrid connections. These Edge devices are part of the Branch Hybrid
Profile.

Task 4: Hub/Spoke Topology for the Hybrid Branch Sites

Objective: understand how the User Defined Overlay on the private link comes up with
the Hub/Spoke topology.

Now that Hub/Spoke Cloud VPN is enabled for the Branch Internet Only Profile, the
Chicago and LAX branch sites have (static) overlay tunnels to the Hub site. Let's
check the hybrid branch sites too.

This lab exercise is a good candidate for a PoC test case and also helps in
understanding the troubleshooting workflow in the field.

For this lab task, the Branch Hybrid Profile is used.

Summary Steps:

1. Before enabling Hub/Spoke, there is no path from the branch Edges to the DC Hub.
2. Enable the Hub on the Branch Hybrid Profile.
3. The Hub/Spoke topology is triggered. All branches that are part of the Branch Hybrid
Profile form a static SD-WAN overlay tunnel from the Edge to the Hub device.
4. To verify, use Test & Troubleshoot > List Path to check the VPN tunnel.

List Paths

List Path from the Dallas site shows a tunnel (path) to the DC Hub.

Note: allow at least 5 minutes in this lab environment for both links to populate.


Monitor Events

1. Click Monitor
2. Then Events
3. Check that the MPLS (private link) interface, in this case GE4, is UP, as the path
from Branch to Hub is up.

For branch sites with an MPLS private link, the User Defined Overlay tunnel is
established from the branch to the DC over the private link. In our case, the branch
sites that are part of the Branch Hybrid Profile (SFO, NYC and Dallas), along with the
DC Hub, show 2 links.

Before you move on to the next lab task, make sure that for all the branch sites (NYC,
SFO, Dallas, Chicago) and the DC Hub, the Links count under VCO > Monitor > Edges >
List view is 2.

As this is a lab environment, not every hybrid site may show 2 links. If that is the
case, ignore it and move to the next lab task; this is a limitation of the lab
configuration. In the real world both links should show up. Focus on understanding
the concept.

Check Links

In the screenshot, not all branches in the Branch Hybrid Profile show 2 links. This is
expected in this lab environment.

The good news is that DAL-VCE-01, NYC-VCE-01 and the DC site NVA-DC1-VCE01 show
2 links, which means the User Defined Overlay is up and running on the private link.

You are now ready to move to the next lab task.

Task 5: Configure Branch to Branch VPN using the Gateway

Objective: Cloud VPN for Branch to Branch using the Gateway

Now that Hub/Spoke Cloud VPN is enabled, let's explore B2B using the Gateway.

Topology

For this lab task, both the Branch Internet Only Profile and the Branch Hybrid
Profile are used.

Summary Steps:

1. From the VCO > Cloud VPN, enable B2B using GW. This is the default option for B2B.
2. Verify using List Path (Test & Troubleshoot)

Detailed Steps:

1. VCO > Configure > Profiles > Branch Internet Only Profile > Device, then scroll down
to the Cloud VPN section
2. Enable B2B using GW and disable Dynamic B2B


Detailed Steps

1. Click on Configure
2. Then Profiles
3. And then select Branch Internet Only Profile

1. Click the Device tab,


2. Scroll down to expand Cloud VPN section

HOL-2140-01-NET Page 132


HOL-2140-01-NET

3. Click to Enable 'Branch to Branch VPN'


4. Save the changes.

Check the Event


Make sure Dynamic Branch to Branch is disabled (unchecked).

Check the Event, Event log can be checked from

1. Monitor
2. Events

Branch to Branch traffic will now get hair-pinned through the Gateway.


Enable B2B using GW for the Branch Hybrid profile also.


Task 6: Verification: How to Verify the Path for B2B VPN for the Branch Internet Only Profile

Objective: How to verify that B2B (Branch to Branch) traffic is going through the GW
and not through the hub site.


This lab exercise is a good candidate for a PoC test.

Topology

For this lab task, the end user will use the Branch Hybrid Site Profile.

Detailed Steps:

1. Enable B2B using GW for both branch profiles: "Branch Internet Site Profile"
and "Branch Hybrid Site Profile"
2. Do the VPN test from VCO > Test and Troubleshoot. The VPN test should pass
between the Chicago and LAX client machines


Remember to enable B2B using GW for both Branch profiles. Disable Dynamic
B2B.

Check the event logs for B2B (Branch to Branch) notifications

1. Click on Monitor
2. Then Events


Go to Test and Troubleshoot

1. Go to Test and Troubleshoot > Remote Diagnostics
2. CHI-VCE-01 > VPN Test (scroll down to VPN Test)

Expected result: VPN Test should show other branch sites. Click on VPN test "run" to
execute the command.

VPN Test

B2B VPN using GW shows that CHI-VCE-01 can reach other branches like LAX-VCE-01
and DAL-VCE-01.

1. The lab task is completed and verified.


(Optional Verification)

You can also do a traceroute from the Chicago client to the LAX client. The traceroute will
show the next hop as the GW.


(Optional) Configure B2B VPN using Hub

Objective: Cloud VPN for Branch to Branch using Hub

Now that we have a Hub/Spoke Cloud VPN enabled, let's explore B2B using the Hub.

Topology

1. For this lab task, the end user will use the Branch Internet Site and Branch Hybrid Site
profiles.


Summary Steps:

1. From the VCO > Cloud VPN, enable B2B using HUB. This needs to be done on the
Branch Hybrid site profile
2. Verify using List Path
3. Optional verification using traceroute from Chicago. Verify the next hop from the
branch client machine to the DC server subnet. The next hop should be the DC side
address.

Detailed Steps

From the VCO Connection page, select:

Configure > Profile > Branch Internet Site Profile > select the Device tab, enable
B2B using Hub

Click to Save Changes

Make sure Dynamic Branch to Branch is disabled (unchecked).

Check the Monitor > Events log for the updates.


Also, enable B2B using Hub for Profile = Branch Internet Site Profile.


Optional verification step: do a traceroute from the LAX client machine to the
Chicago client machine. The traceroute will show the next hop as the GW.


Conclusion
In this section, we successfully enabled Cloud VPN and specified a
HUB in our Branch Profiles. This allowed our Internet and
Hybrid sites to form VPN tunnels as required. We additionally leveraged the
VCO monitoring tools to verify correct operation.

You've finished Module 6!

Congratulations on completing Module 6

If you are looking for additional information on VMware SD-WAN by VeloCloud, try one of
these:

• Click on this link


• Or go to https://tinyurl.com/yd7q2xs7

Proceed to any module below which interests you most.

• Module 7 - Influencing Application Behaviour (DMPO) (30 minutes)

How to End Lab

To end your lab click on the END button.


Module 7 - Influencing Application Behavior (DMPO) (30 Minutes)


Introduction
Application Performance (DMPO: Dynamic Multi-Path Optimization)

VMware DMPO provides automatic link monitoring, auto-detection of the provider and
auto-configuration of link characteristics, routing and quality of service (QoS)
settings. VMware DMPO delivers sub-second blackout and brownout protection to
improve application availability. It remediates link degradation through FEC,
activating jitter buffering and synthetic packet production.

This Module contains the following lessons:

• Application Fingerprinting (DAR = Deep Application Recognition)
• Showcase the Link Steering option as Preferred for high priority traffic using the
DMPO feature


This is a MUST lab task. Also make sure that you have executed the Cloud VPN
module (Lab Module 6)


Application Performance (DMPO)


DMPO (Dynamic Multi-Path Optimization): the end user will start with the foundation of how
to use the business policy framework. Various WAN conditions will be tested by
simulating blackout/brownout conditions. The end user will also understand the concept of
custom application fingerprinting.

This lab exercise is a must for any enterprise-size PoC and will help the end user execute
the PoC with ease.

Task 1: Application fingerprinting (DAR = Deep Application Recognition engine)

Task 2: Showcase the Link Steering option as Preferred for UDP traffic using the DMPO feature

Task 1: Application Fingerprinting

The goal of this test case is to recognize the application. In this lab task, the end user will
initiate traffic on port 5001. As per the Deep Application Recognition engine (DAR/DPI),
traffic on this port is categorized as IPERF traffic.

Steps:

Lab Resources: (Requirement)

1. For this lab task, use the DC1 server as the IPERF server and the Chicago Client
machine as the IPERF client. Also, make sure the end user can ping from the Chicago
Client machine to the DC1 server.
2. Also, make sure that the Branch Internet Only profile has Cloud VPN enabled with
Hub.


From the Chicago client CLI, ping 10.101.1.11. The ping should work for this test case to
be executed.

RDP to the Chicago Client machine from the Windows desktop

If you notice that Branch to Branch VPN is enabled for the Branch Internet Profile, make
sure Dynamic Branch to Branch is disabled.


Ping Test

For ping, use:

Test and Troubleshoot > Remote Diagnostics > Chicago Edge > Ping

Optionally, you could also RDP to the Chicago Client machine and ping from the CLI.

1. For Destination, enter 10.101.1.11, the server machine on the DC site.
2. Click Run to execute the Ping test

The ping is to be initiated from Chicago (CHI-VCE-01).

Expected result: Reachable

Optional Ping test

The optional method is to ping from the client machine CLI.

Access the Chicago Client machine by clicking on Chi-client-rdp on the desktop.


Open Command prompt

Click on the terminal emulator

Make sure that there is reachability between Chicago and the DC server.

From the Chicago Client machine, start the client connection on TCP port 5001. This will
start the traffic on port 5001.

Let us start the actual test by running the iperf server and client processes.

The DC1 Server will be running the IPERF server process (10.101.1.11)

The Chicago Client will be running the IPERF client process (10.24.1.11)


Open PuTTY (main console desktop)

Minimize the RDP session, then from the lab desktop machine open the PuTTY
application and look for the DC1-server connection. Click on DC1 server.

To access the DC1 server, launch a PuTTY session from the desktop.

1. From the PuTTY session, select dc1-server-01-corp.local
2. Click on Open

Enter the user credentials as follows:

user: root

password: VMware1!


Note: As the user is logging in to the Linux machine for the 1st time, you might have
to change the password.

During our next lab development phase, we will remove this password change.

Run Scripts from PuTTY

From the Linux prompt, run the IPERF script "start-server.sh" to start the IPERF server
process on the DC1 server.

The path to the IPERF script is /root.

1. cd /root
2. ./start-server.sh

This script will run server processes on ports 5001 and 8080. For this lab task,
we need port 5001 on the DC1 server machine.

Now, let us initiate the IPERF client process from the Chicago client machine.

The Chicago Client machine can be accessed using the RDP shortcut on the desktop.


Return to RDP session

Access the Chicago RDP session and open the CLI.

Execute the CLI

Make sure to go to the path c:\iperf\

iperf3 -c 10.101.1.11 -p 5001 -t 5000

-c is the client mode (followed by the server address)

-p is the port (TCP)

-t is the timer (test duration in seconds)

If, for some reason, you don't get a response, this could mean a reachability issue
between Chicago and the DC server, or that IPERF is not running on port 5001 on
the DC server.

If this is the case, access the DC server CLI instead of Chicago and execute:

iperf3 -s -p 5001

The Chicago Branch site is the client; the DC server machine is the server listening on
port 5001.


Check Orchestrator

The Chicago Edge device running the DPI/DAR engine should recognize port 5001 as the iperf
application port.

Let us check this from

1. Test and Troubleshoot > Remote Diagnostics
2. CHI-VCE-01 > List Active Flows

The Deep Application Recognition engine on the VMware SD-WAN Edge device is
recognizing the traffic on TCP port 5001 as IPERF traffic.

Task 2: Create a Business Policy with the Preferred Option

Objective: Application performance under a blackout condition with the advanced steering
option set to Preferred.

You configure the business policy using the Preferred option and then validate the
expected behavior. The Verizon link is selected as the preferred WAN link for the
IPERF UDP traffic.

Pre-Requisite:


• For this lab task, the end user will use CHI-VCE-01 and the DC server.
• The DC server 10.101.1.11 will run the iperf server listening on UDP port 8080
• The Chicago client will run the iperf client
• A Business Policy will be configured on the Chicago Branch site with the Preferred option set
to WAN Link 1, 198.18.14.11

Expected result: traffic for port 8080 will always go through the
preferred link (link 1, 198.18.14.11).

Summary Steps:

1. Configure the Business Policy on the branch site with the Preferred option
2. Initiate traffic from the Branch to the DC server on UDP port 8080
3. Validate that the traffic always goes through the preferred link.

1. Configure the Business Policy on the branch site with the Preferred option

1. Click on Configure
2. Then Edges
3. Click on the CHI-VCE-01

Business Policy Tab

Click on Business Policy Tab


Create New Rule

Click on New Rule

Configure New Rule

1. Configure the New Rule Name as: "IPERF UDP-8080"
2. Source: Any
3. Destination: Define -> Any
4. Protocol: UDP
5. Destination Port: 8080


6. Network Services: Multi-Path

Configure New Rule - Continued

1. Link Steering: WAN Link
2. Select Preferred for WAN Link: 198.18.14.11
3. Click OK (not shown)

Save Changes

Save Changes to the Business policy.

Now, initiate the traffic from the client to the server; the client is Chicago and the server is the DC server
on port 8080.

2. Initiate traffic from the Branch to the DC server on UDP port 8080



We started the IPERF server process on the DC1 server machine in the last lab
task.

From the Chicago RDP session, initiate IPERF3 from the CLI

3. Validate that the traffic always goes through the preferred link.

For live connection status, go to

1. Monitor --> Edges --> Chicago
2. Transport tab on the VCO

Enable Live Monitoring

Enable Live Monitoring and also enable the checkbox "Show TCP/UDP details"


View Monitoring

As the preferred link is 198.18.14.11, all UDP traffic on port 8080 will use the preferred WAN
link.

There are other link steering options, like Mandatory and Available. With the
Mandatory option, traffic will always go through the mandatory link, and during a
blackout condition, traffic will not get steered to another link.
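The "IPERF UDP-8080" rule built in this task, together with the Preferred, Mandatory and Available steering behaviour described above, modelled as a small Python script so the blackout cases can be checked offline. This is an added example, not VeloCloud's code or API; the second WAN link ("wan2") and the trailing catch-all rule are constructed placeholders, as the lab guide gives neither.

```python
"""Business-policy link steering model for the "IPERF UDP-8080" rule.

Added example: a constructed model, not VeloCloud's code or API. It mimics
the rule built in this task (UDP/8080, Network Service Multi-Path, WAN link
198.18.14.11 Preferred) and the Preferred / Mandatory / Available steering
modes the text describes, including what happens when the chosen link
blacks out. The second WAN link ("wan2") is a constructed placeholder; the
lab guide gives no address for it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PREFERRED, MANDATORY, AVAILABLE = "preferred", "mandatory", "available"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    proto: Optional[str] = None        # None matches any protocol
    dst_port: Optional[int] = None     # None matches any destination port
    network_service: str = "Multi-Path"
    steering: str = AVAILABLE          # PREFERRED, MANDATORY or AVAILABLE
    link: Optional[str] = None         # WAN link for PREFERRED / MANDATORY

    def matches(self, flow: Flow) -> bool:
        return ((self.proto is None or self.proto == flow.proto)
                and (self.dst_port is None or self.dst_port == flow.dst_port))


def first_match(rules: List[Rule], flow: Flow) -> Rule:
    """Business policies are evaluated top-down; the first hit wins."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    raise LookupError("no rule matched; a real policy ends with a catch-all")


def steer(rule: Rule, links: Dict[str, bool]) -> Optional[str]:
    """Pick the WAN link for a matched flow, or None when it cannot be sent.

    links maps WAN link address -> True (up) / False (blackout).
    """
    up = [addr for addr, ok in links.items() if ok]
    if rule.steering == MANDATORY:
        # Pinned to one link: a blackout there is NOT steered around.
        return rule.link if links.get(rule.link) else None
    if rule.steering == PREFERRED and links.get(rule.link):
        return rule.link
    # PREFERRED with its link down, or AVAILABLE: any link that is up.
    return up[0] if up else None


# Rules as configured on CHI-VCE-01 in this task; the catch-all at the end
# stands in for the default rule every edge policy carries (assumed here).
CHI_RULES = [
    Rule("IPERF UDP-8080", proto="udp", dst_port=8080,
         steering=PREFERRED, link="198.18.14.11"),
    Rule("Catch-all (constructed)", steering=AVAILABLE),
]


def decide(flow: Flow, links: Dict[str, bool],
           rules: List[Rule] = CHI_RULES) -> Tuple[str, Optional[str]]:
    """Return (matched rule name, WAN link used or None)."""
    rule = first_match(rules, flow)
    return rule.name, steer(rule, links)


if __name__ == "__main__":
    udp = Flow("10.24.1.11", "10.101.1.11", "udp", 8080)   # Chicago -> DC1
    both_up = {"198.18.14.11": True, "wan2": True}
    pref_down = {"198.18.14.11": False, "wan2": True}
    print(decide(udp, both_up))    # preferred link carries the flow
    print(decide(udp, pref_down))  # blackout: steered to the other link
```

Swapping the rule's steering to MANDATORY shows the difference the note describes: with 198.18.14.11 down, the flow is not moved to the other link.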


Conclusion
Congratulations on completing Module 7!

If you are looking for additional information on VMware SD-WAN by VeloCloud, try one of
these:

• Click on this link


• Or go to https://tinyurl.com/yd7q2xs7

Proceed to any module below which interests you most.

• Module 8 - Secure Web Gateway (15 mins)

How to End Lab

To end your lab click on the END button.


Module 8 - Secure Web Gateway (15 Minutes)


Introduction
Objective: Configure Cloud security services using Zscaler (SWG)

A Cloud Security Service is a cloud-hosted security offering (such as firewalls, URL
filtering, etc.) that protects an Enterprise's branch and/or data center. The
following sections describe how to define and configure a cloud security service
instance and how to establish a secure tunnel directly from the Edge to the cloud
security service. Currently, the connectivity from a branch Edge to a cloud service
or a Non-VMware SD-WAN Site is established through the SD-WAN Gateway. In this
model, the SD-WAN Gateway aggregates traffic from multiple branch Edges and
securely forwards the traffic to the Non-VMware SD-WAN Site.

You can also configure the branch Edge to establish a tunnel directly to the 3rd
party Cloud Security Service (NVS = Non-VeloCloud Site).

In this case, this is also known as a Direct IPsec Tunnel from the Branch Edge to the
Zscaler Gateway (ZEN Gateway)

This Module contains the following lessons:

• Task 1: Secure Web Gateway (SWG) Configuration
• Task 2: Secure Web Gateway: Redirect User Traffic from the Branch site to the
Secure Web Gateway using Business Policy Rules
• Task 3: Validation (optional)

Use Case:

For this lab exercise, the Enterprise wants to redirect all Internet traffic to a cloud security
provider (in this case Zscaler) for inspection and, based on the enterprise policy, block
sports websites and allow other Internet traffic.

To achieve this, the Zscaler side configuration is pre-configured for this lab exercise. On the
Zscaler Gateway, sports website traffic is denied and all other Internet traffic is allowed.
Internet traffic from the branch sites will be redirected to Zscaler.

VMware SD-WAN will establish a secure tunnel from the VMware SD-WAN Gateway
to the Zscaler cloud.

The HOL lab environment has limited access to the public Internet. This lab will only
walk you through the steps to configure the Secure Web Gateway.

The user will not be executing any lab task for this module. This is a
conceptual lab and has no dependencies on other lab tasks.



VMware SD-WAN by VeloCloud leverages both the Intel Architecture and the
Data Plane Development Kit (DPDK) to deliver fast data-plane performance for
virtualized SD-WAN, security, and other network functions, helping enterprises
reduce the costs associated with procuring and maintaining multiple hardware
appliances, increase WAN operational efficiencies, and improve the security
posture at the branch. The ability to innovate and add features through
updates to the VeloCloud software running on Intel-based hardware can
continue to meet evolving branch needs for application performance and
reliability.

Using Intel architecture to host the VMware SD-WAN appliance offers a number
of advantages. Responsiveness is enhanced with the ability to perform
functions such as accelerating encryption in hardware. Scaling edge devices
across Intel® platforms helps meet evolving network throughput requirements.
Integration with the VMware management and provisioning framework reduces
operational complexity and supports configuration across all locations. Co-
engineering by VMware and Intel has built optimizations into the solution using
the Intel developer tool set, taking advantage of capabilities built into the Intel
platforms used for the SD-WAN appliances. The Intel developer tools include
the following:

Data Plane Development Kit (DPDK) is a library of open-standard software
drivers originally developed by Intel that drive up packet-processing
performance by routing network packets around the Linux* kernel.

Intel® QuickAssist Technology (Intel® QAT) provides a software-enabled
foundation for security, authentication, and compression, significantly
increasing performance and efficiency.

Intel® AES New Instructions (Intel® AES-NI) accelerates key parts of the
encryption algorithm in hardware, making pervasive, end-to-end encryption
possible without degrading performance.


Secure Web Gateway

Use Case

For this lab exercise, the Enterprise wants to redirect all Internet traffic to a cloud
security provider (in this case Zscaler) and, based on the enterprise policy, block
sports websites and allow other Internet traffic. To achieve this, the Zscaler side
configuration is pre-configured for this lab exercise. On the Zscaler Gateway, sports
website traffic is denied and all other Internet traffic is allowed. Internet traffic from
the branch sites will be redirected to Zscaler.

VMware SD-WAN will establish a secure tunnel from the VMware SD-WAN
Gateway to the Zscaler cloud.

Highlighted in the red box are (a) the secure VPN tunnel from the VMware SD-WAN
Gateway to the 3rd party security vendor and (b) the SD-WAN overlay tunnel from the
Branch Edge device to the VMware SD-WAN Gateway.

Before we start executing the lab task, let us check the behavior for
Internet traffic without security (SWG)


Check Behavior for Internet Traffic

1. From the Chicago RDP session (Chi-client-rdp), access the Chicago Client
machine and click the Web Browser icon.
2. In the address bar of the Google Chrome browser, enter ip.zscaler.com. This
shows that the current setup is without Zscaler cloud security

Now that we have validated that the Internet traffic is not going through
security inspection, let's move on to Task 1 for configuring security

Task 1: Configure Secure Web Gateway (SWG)

This Module contains the following lessons:

• Task 1: Secure Web Gateway (SWG) Configuration
• Task 2: Secure Web Gateway: Redirect User Traffic from the Branch site to the
Secure Web Gateway using Business Policy Rules
• Task 3: Validation (optional)

Objective: Create and configure a Secure Web Gateway using 3rd party Security Services

Summary Steps for Task 1:

A. NVS Site Configuration: Create and configure a Non-VMware SD-WAN Site
(secure IPsec tunnel from the VMware SD-WAN GW to the Zscaler Gateway).
B. Add the Non-VMware SD-WAN Site to the Configuration Profile.
C. Zscaler Configuration: Create an account, add VPN credentials, and add a
location. This is done from the Zscaler Portal.

Detailed Steps:


Detailed Steps: NVS Site Configuration

A. NVS Site Configuration: Create and configure a Non-VMware SD-WAN Site.

Secure IPsec tunnel from the VMware SD-WAN GW to the Zscaler Gateway

1. Double click on the Chrome browser and access the Orchestrator.


Log into VeloCloud Orchestrator

The User credentials should be pre-populated

Username = [email protected]

Password = VMware1!

1. Click Sign In


Create New Non-VeloCloud Site

1. Configure Network Services by clicking on Configure
2. Then Network Services

Create Non-VeloCloud Site

1. Configure the New Non-VeloCloud Site window by clicking on New


1. Enter West-Zscaler in the Name text box.
2. From the Type drop-down menu, select Zscaler.

1. Enter the Primary VPN Gateway as 199.168.148.132
2. Click on Next to continue

A: Non-VeloCloud Site creation

The creation process can take up to 20-30 seconds, after which the West-Zscaler
window appears.

It has been noticed that sometimes the lab pod shows the error message
"ValidationError".

We are aware of this issue and are working on assigning more resources to the
VMs; this issue will be resolved during the next lab update.


For now, if you encounter this error message "ValidationError", close the New
VeloCloud Site window and refresh the Orchestrator page.

To continue after the error message, from the browser page, hit browser
refresh and go to

Orchestrator --> Configure --> Network Services --> Non VeloCloud Site --->
click on West-Zscaler and continue with the next steps.

A: Configure Non-VeloCloud Site

1. In the Authentication section, ensure that User FQDN is selected from the drop-
down menu. In the Authentication section, enter [email protected] in the
user credentials text box.
2. Click Advanced.
3. PSK: In the Primary VPN Gateway section, enter [email protected] in the
PSK text box
4. Select the Enable Tunnel(s) check box.
5. Click Save Changes.
6. Click Close


B: Add a Non-VMware SD-WAN Site to the Configuration Profile

1. From the Orchestrator, In the navigator pane on the left, click Configure
2. Click on Profiles.
3. In the Configuration Profiles pane, click on Branch Internet Only Profile


B: Add a Non-VMware SD-WAN Site to the Configuration Profile - Cont'

1. Click the Device tab.
2. Expand the Cloud VPN section.
3. Toggle Cloud VPN to On.
4. Select the Enable check box.
5. From the Non-VeloCloud Site drop-down menu, select West-Zscaler.
6. Click Save Changes.


Check Services

In the navigator pane on the left:

1. Click Monitor.
2. Then Network Services.

In the Non-VeloCloud Sites window, verify that West-Zscaler has a green status icon.


In this lab environment, your lab pod might not get connected to the outside world,
and this will result in the NVS site status being Red.


C: Zscaler Configuration:

The next step is to do the configuration from the Zscaler Portal. However, this is out of
the scope of this SD-WAN lab. In the field, this task is generally performed by the Security
Administrator.

The Security Administrator will configure the Zscaler Portal with URL filtering, for example,
Block all Sports Websites.

For your reference only. The end user will need a Zscaler account. This task is not
performed as part of the lab activity; it is for understanding the workflow.

Sports category traffic is blocked by the Zscaler Gateway.


Task 2: Redirect User Traffic from the Branch for Security Inspection: Configure Business Policy Rules

You create a business policy rule to redirect Internet traffic for security inspection.

Verify the third-party site status by confirming that the Internet traffic is being redirected
to a cloud-based security service that blocks access to certain Internet sites.

1. In the navigator pane on the left, click Configure > Profiles.
2. In the Configuration Profiles pane, click Branch Internet Only Profile (not
shown in the screenshot)
3. Click the Business Policy tab.
4. In the Business Policy pane, click New Rule. The Configure Rule dialog opens.

Configure Rule


1. Enter Internet Rule in the Rule Name text box.
2. In the Match section, select the source as Any.
3. For Destination, click Define. The Destination details pane opens.
4. Configure the Destination details pane.
a. Click Internet.
5. In the Action section next to Network Service, click Internet Backhaul. The
Internet Backhaul selection pane opens.

1. From the Non-VeloCloud Site drop-down menu in the Internet Backhaul selection
pane, select West-Zscaler (you might need to scroll down to see this section).
2. Click OK.

Click the green Save Changes button on the Business Policy tab.

Task 3: Validation (Optional Step)

As the lab environment might not have outside access, validation will not
work. Use this lab task to understand the workflow.

Verification Step:

From the Chicago Client RDP session, open the browser and type in "ip.zscaler.com"



As there is no public Internet access, you might not get any response from the
browser.

This means that all the Internet traffic from the branch site is getting redirected to
the Zscaler Secure Gateway and inspected.


Conclusion
Congratulations on completing Module 8 and this lab on Getting Started with VMware
SD-WAN by VeloCloud!

If you are looking for additional information on VMware SD-WAN by VeloCloud, try one of
these:

• Click on this link


• Or go to https://tinyurl.com/yd7q2xs7

Please do provide your feedback on this lab. During this lab course, you have learned
through the various lab tasks as follows:

Lab 1: Different account types to access the Orchestrator

Lab 2: Zero Touch Provisioning, bringing up a branch site quickly

Lab 3: Understanding the Overlay and Underlay concept along with Auto and User-defined
settings.

Lab 4: Profiles, configuring profiles and the role profiles play in configuring multiple
edge devices.

Lab 5: Business Policy Framework: how to configure rules for application traffic to go
directly to the Internet or through the gateway.

Lab 6: Cloud VPN, the different topologies supported and how to configure them.

Lab 7: Influencing Application Behavior: Business Policy framework and Application
Performance, how to define traffic rules and identify different application flows and more.

Lab 8: Secure Web Gateway with 3rd party vendors like Zscaler.

How to End Lab

To end your lab click on the END button.


Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit
http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-2140-01-NET

Version: 20210208-192545
