SD-WAN

I thought I would share this information to help fellow Airheads. I had spent many hours trying to set up a Aruba Virtual Gateway as VPNC to function as a comparable alternative to a hardware based Gateway. I observed that the documentation as well as videos that are out there to set up a Hardware gateway will not help you with your virtual gateway. It was Zach Weenig who pointed me in the right direction in this post: Virtual Gateway Not working | SD-WAN (arubanetworks.com)

Before I will show you how I was able to successfully configure the Virtual Gateway, some observations:

• Do not attempt to set up a Virtual gateway without 'kickstarting' it through the basic guided setup.
• Do not expect the WAN tab in "Manage" to populate, there is no WAN interface on a Virtual Gateway.
• Do not create a gateway IP pool to assign your System IPs, it will not work, just assign IP addresses manually.
• Do not change interface settings in Advanced mode (you will receive warnings that you should not change interfaces on Virtual Gateways, so I guess it messes things up).
• Do not attempt to deploy the Virtual gateway in Advanced Guided Setup (you will receive errors).
• Not sure is this was a fluke, but I was unable to configure OSPF in basic mode, however if you switch to advanced mode, you can configure it.
• I was unsuccessful in using ArubaOS_VGW_10.5.1.0_89166, this device would not register in Aruba Central, I used ArubaOS_VGW_10.4.1.1_89267 for this instruction.
• Do not click the "Next" button too quickly, you will receive "internal server errors"
• Have patience, at times it took my 6 hours for the Virtual Gateway's initial sync with the group configuration, once synchronized it works fine and is responsive.

Steps:

Prerequisites:

• Assuming a decent understanding of ESXi
• Follow these steps to install the Virtual Gateway on your ESXi host, this will provide the guidelines on the resources required. Pay special attention to the steps to generate the user data in Aruba Central, this will create your licensed Virtual Gateway:
  • Deploying Aruba Virtual Gateways (arubanetworks.com)
  • Deploying Aruba Virtual Gateways in ESXi (Manual Mode) (arubanetworks.com)
• Make sure your gateway has internet connectivity and either has a public IP address or you forward port 4500, 500 is not needed

Warning:

Following this manual:  Deploying VPNC | Validated Solution Guide (arubanetworks.com), did not result in a working Virtual Gateway, my suggestion is to use the procedure below 😊

Step 1: Create a new VPNC AOS 10 group for VPNCs and Gateways

Go to: Global > Groups click the "+" sign in the upper right corner.

Give your group a name and click "add"

Step 2: Move Virtual Gateway to this group

I did not find this still in the manuals but doing it will help you set up the Virtual Gateway as frictionless as possible.

Go to Global > and click on the "Gear" icon of Groups

Now move your new Virtual Gateway to the newly created and UNCONFIGURED group

Click the Move button

Wait until your device is actually moved to this group and go to the next step.

Step 3: Go to the Device Configuration of the new group

Go to Global > Groups > Devices > Configuration

IMPORTANT! Cancel the guided setup, first you need to verify if we are in Advanced or Basic Mode! As mentioned, you can only create the initial configuration in Basic Mode!

If the device says Basic Mode in the upper right corner this means you are actually in Advanced Mode. Change it to Basic Mode by clicking on it, and then press the Guided Setup again.

Step 5 (group level): Set VPNC model

Due to the fact that there is already a Virtual Gateway in your group you can only select "Virtual Gateway. Select this model type and enable automatic group clustering, then click Next

Step 6 (group level): Configure Time

Configure time settings to your region and click next

Step 7 (group level): Configure DNS

Configure DNS, I used the settings below but this should be to your specifications, click next

Step 8 (group level): Add Management users

Disclaimer: I was unable to use TACACS, so cannot validate how TACACS works

I created a local user. I gave this user the Super User Role. This allows me to write erase it through Aruba Central in case I want to wipe it for any reason. Click Save and then Next

You will be presented with a summary page, click finish, and then continue to move to the LAN settings

Step 9: Add VLANs

Add VLANs to your specifications, DO NOT CREATE A SYSTEM VLAN this will be done later, click next when you are finished defining the LAN and WAN Vlans

Step 10 (group level): Assign the VLANs to the appropriate ports

Create VLAN information, I used Access Ports and chose locally significant VLANs. Enabling LLDP is your choice, I did not interfere with the deployment.

Click next and you will be represented with the Overview page for LAN settings. Click finish

Step 11 (group level): Enable Health Checks

Slide the Enable Health Checks to the right to enable it and click next, this will show the summary page, review and click Finish

Step: 12 (group level): Configure Tunneling and Routing

The first step is to configure Static and default routes, I chose to do this at the device level later and skipped it here. Do not configure this and click next.

Step 13 (group level): Enable SD-WAN Overlay

I am configuring a VPNC, in my case for Microbranches. I chose Enable SD-WAN Overlay and did not enable "Forward Branch internet traffic to a specific Next-Hop router IP using PBR". Click Next

Step 14: Community lists, Prefix lists, Route maps

I left this setting untouched for now, you can configure it to your specifications, but this can be done later in basic or advanced mode. I choose to do this later. Click next until you reach the Summary then click Continue

Once finished you will see something similar to this.

Step 15(device level): Validate the configuration of your Virtual Gateway

Go to your ESXi host and see if you can access it using your username and password. I can imagine that TACACS might give issues due to the system IP not being configured (not validated). But with a local account you should be able to access the gateway. Be patient, this can take some time (between 5 minutes and 6 hours in my case)

Step 16 (device level): Enter device level guided setup and set up system IP address

Go to the VPNC Group and then to Manage > Devices > List

Select the Device

Now go to Manage > Device > Config

Click guided setup in Basic Mode and configure the System IP address, follow the same procedure as Step 3 to set your mode to Basic Mode. 

Step 17 (device level): Set Hostname

Configure the Hostname

Click next and then continue

Step 18 (device level): Configure LAN settings

The VLANs should auto-populate. Add the IP addresses. As you can see VLAN 4087 has been added automatically. This is the SystemVLAN

Step 19 (device level): Configure LAN ports

Click the "+" sign to add the VLAN to Port mapping.

Click next (summary overview) and then finish

Step 20 (device level): WAN settings health check

No need to change these settings for the health, just click next.

Step 21 (device level): WAN settings WAN Details

In my case I selected the internet bound VLAN, WAN type internet. I also added the Public IP address, although this is optional. Click next and finish until you get to the tunnels and routing section.

Step 22 (device level): Tunnel & Routing

I only configured the default route. When the configuration is synced we will set up OSPF later through the advanced mode. Configure the default route and click next.

Do not change the other settings just keep clicking next until you reach finish, and wait until the configuration is synced, be patient, this can take a while. You can verify that configuration is synced by changing device or group level configuration to Advanced and go to Config Audit

Step 23 (device level): Configure routing

Once the configuration is synced, I configured OSPF routing. For the purpose of this document I kept it simple to the following steps:

• Enable OSPF
• Set a router ID
• Add an area
• Redistribution
• Configure all the interfaces that needed to be advertised.

I was unable to find passive interface, this seemed most appropriate for the system VLAN, however I could not find this setting

For the most part I am now a happy camper, my Microbranch can connect to my datacenter

Ping/traceroute/ipconfig from Microbranch PC

I thought I would share this information to help fellow Airheads. I had spent many hours trying to set up a Aruba Virtual Gateway as VPNC to function as a comparable alternative to a hardware based Gateway. I observed that the documentation as well as videos that are out there to set up a Hardware gateway will not help you with your virtual gateway. It was Zach Weenig who pointed me in the right direction in this post: Virtual Gateway Not working | SD-WAN (arubanetworks.com)

Before I will show you how I was able to successfully configure the Virtual Gateway, some observations:

• Do not attempt to set up a Virtual gateway without 'kickstarting' it through the basic guided setup.
• Do not expect the WAN tab in "Manage" to populate, there is no WAN interface on a Virtual Gateway.
• Do not create a gateway IP pool to assign your System IPs, it will not work, just assign IP addresses manually.
• Do not change interface settings in Advanced mode (you will receive warnings that you should not change interfaces on Virtual Gateways, so I guess it messes things up).
• Do not attempt to deploy the Virtual gateway in Advanced Guided Setup (you will receive errors).
• Not sure is this was a fluke, but I was unable to configure OSPF in basic mode, however if you switch to advanced mode, you can configure it.
• I was unsuccessful in using ArubaOS_VGW_10.5.1.0_89166, this device would not register in Aruba Central, I used ArubaOS_VGW_10.4.1.1_89267 for this instruction.
• Do not click the "Next" button too quickly, you will receive "internal server errors"
• Have patience, at times it took my 6 hours for the Virtual Gateway's initial sync with the group configuration, once synchronized it works fine and is responsive.

Steps:

Prerequisites:

• Assuming a decent understanding of ESXi
• Follow these steps to install the Virtual Gateway on your ESXi host, this will provide the guidelines on the resources required. Pay special attention to the steps to generate the user data in Aruba Central, this will create your licensed Virtual Gateway:
  • Deploying Aruba Virtual Gateways (arubanetworks.com)
  • Deploying Aruba Virtual Gateways in ESXi (Manual Mode) (arubanetworks.com)
• Make sure your gateway has internet connectivity and either has a public IP address or you forward port 4500, 500 is not needed

Warning:

Following this manual:  Deploying VPNC | Validated Solution Guide (arubanetworks.com), did not result in a working Virtual Gateway, my suggestion is to use the procedure below 😊

Step 1: Create a new VPNC AOS 10 group for VPNCs and Gateways

Go to: Global > Groups click the "+" sign in the upper right corner.

Give your group a name and click "add"

Step 2: Move Virtual Gateway to this group

I did not find this still in the manuals but doing it will help you set up the Virtual Gateway as frictionless as possible.

Go to Global > and click on the "Gear" icon of Groups

Now move your new Virtual Gateway to the newly created and UNCONFIGURED group

Click the Move button

Wait until your device is actually moved to this group and go to the next step.

Step 3: Go to the Device Configuration of the new group

Go to Global > Groups > Devices > Configuration

IMPORTANT! Cancel the guided setup, first you need to verify if we are in Advanced or Basic Mode! As mentioned, you can only create the initial configuration in Basic Mode!

If the device says Basic Mode in the upper right corner this means you are actually in Advanced Mode. Change it to Basic Mode by clicking on it, and then press the Guided Setup again.

Step 5 (group level): Set VPNC model

Due to the fact that there is already a Virtual Gateway in your group you can only select "Virtual Gateway. Select this model type and enable automatic group clustering, then click Next

Step 6 (group level): Configure Time

Configure time settings to your region and click next

Step 7 (group level): Configure DNS

Configure DNS, I used the settings below but this should be to your specifications, click next

Step 8 (group level): Add Management users

Disclaimer: I was unable to use TACACS, so cannot validate how TACACS works

I created a local user. I gave this user the Super User Role. This allows me to write erase it through Aruba Central in case I want to wipe it for any reason. Click Save and then Next

You will be presented with a summary page, click finish, and then continue to move to the LAN settings

Step 9: Add VLANs

Add VLANs to your specifications, DO NOT CREATE A SYSTEM VLAN this will be done later, click next when you are finished defining the LAN and WAN Vlans

Step 10 (group level): Assign the VLANs to the appropriate ports

Create VLAN information, I used Access Ports and chose locally significant VLANs. Enabling LLDP is your choice, I did not interfere with the deployment.

Click next and you will be represented with the Overview page for LAN settings. Click finish

Step 11 (group level): Enable Health Checks

Slide the Enable Health Checks to the right to enable it and click next, this will show the summary page, review and click Finish

Step: 12 (group level): Configure Tunneling and Routing

The first step is to configure Static and default routes, I chose to do this at the device level later and skipped it here. Do not configure this and click next.

Step 13 (group level): Enable SD-WAN Overlay

I am configuring a VPNC, in my case for Microbranches. I chose Enable SD-WAN Overlay and did not enable "Forward Branch internet traffic to a specific Next-Hop router IP using PBR". Click Next

Step 14: Community lists, Prefix lists, Route maps

I left this setting untouched for now, you can configure it to your specifications, but this can be done later in basic or advanced mode. I choose to do this later. Click next until you reach the Summary then click Continue

Once finished you will see something similar to this.

Step 15(device level): Validate the configuration of your Virtual Gateway

Go to your ESXi host and see if you can access it using your username and password. I can imagine that TACACS might give issues due to the system IP not being configured (not validated). But with a local account you should be able to access the gateway. Be patient, this can take some time (between 5 minutes and 6 hours in my case)

Step 16 (device level): Enter device level guided setup and set up system IP address

Go to the VPNC Group and then to Manage > Devices > List

Select the Device

Now go to Manage > Device > Config

Click guided setup in Basic Mode and configure the System IP address, follow the same procedure as Step 3 to set your mode to Basic Mode. 

Step 17 (device level): Set Hostname

Configure the Hostname

Click next and then continue

Step 18 (device level): Configure LAN settings

The VLANs should auto-populate. Add the IP addresses. As you can see VLAN 4087 has been added automatically. This is the SystemVLAN. Click next

Step 19 (device level): Configure LAN ports

Click the "+" sign to add the VLAN to Port mapping.

Click next (summary overview) and then finish

Step 20 (device level): WAN settings health check

No need to change these settings for the health, just click next.

Step 21 (device level): WAN settings WAN Details

In my case I selected the internet bound VLAN, WAN type internet. I also added the Public IP address, although this is optional. Click next and finish until you get to the tunnels and routing section.

Step 22 (device level): Tunnel & Routing

I only configured the default route. When the configuration is synced we will set up OSPF later through the advanced mode. Configure the default route and click next.

Do not change the other settings just keep clicking next until you reach finish, and wait until the configuration is synced, be patient, this can take a while. You can verify that configuration is synced by changing device or group level configuration to Advanced and go to Config Audit

Step 23 (device level): Configure routing

Once the configuration is synced, I configured OSPF routing. For the purpose of this document I kept it simple to the following steps:

• Enable OSPF
• Set a router ID
• Add an area
• Redistribution
• Configure all the interfaces that needed to be advertised.

I was unable to find passive interface, this seemed most appropriate for the system VLAN, however I could not find this setting

For the most part I am now a happy camper, my Microbranch can connect to my datacenter

Ping/traceroute/ipconfig from Microbranch PC

------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
------------------------------