EdgeConnect SD-WAN Multi-Site
This procedure describes the process for configuring EVPN-VXLAN between the EdgeConnect SD-WAN gateway and the border using HPE Aruba Networking Central and Orchestrator.
In this design, Aruba EdgeConnect SD-WAN gateways integrate with the fabrics deployed at each site to learn the segmentation information (VRFs and/or User Roles) and transport it natively inside the SD-WAN (IPsec) tunnels, avoiding MTU or fragmentation concerns.
To learn more about this design, consult the Campus Design guide or the NetConductor Architecture Guide.
Prerequisites
This procedure assumes initial configuration of EdgeConnect following the Branch Deployment Guide:
- EdgeConnect is online and managed by Orchestrator, and
- A NetConductor fabric has been deployed according to the instructions on the Underlay and Overlay pages.
Before beginning, ensure that OSPF is operational in the underlay between the border switches and the EdgeConnect SD-WAN gateways. OSPF is essential for exchanging reachability information between loopback interfaces, necessary for forming eBGP adjacencies and establishing VXLAN tunnels.
Additionally, confirm that the EdgeConnect SD-WAN gateway has a loopback interface configured using loopback orchestration, and that loopbacks 0 and 1 are set up on the border switches. Ensure that jumbo MTU settings are configured on both the EdgeConnect gateways and the border switches.
Configure MTU
Jumbo MTU is necessary for VXLAN tunnels. EdgeConnect SD-WAN gateways support a maximum MTU of 9000. This step will configure the MTU to 9000 on both the EdgeConnect gateways and the border switches. It is essential that adjacent devices have the same MTU setting to establish OSPF neighbor relationships.
EdgeConnect SD-WAN Gateways
Step 1 Log into HPE Aruba Networking Orchestrator.
Step 2 Hover on Configuration. In the Networking section, click Interfaces.
Step 3 Select HERCP-EC-1 in the sidebar.
Step 4 Click the Edit icon next to LAN0.
Step 5 Select the MTU in the lan0 row and change it from 1500 to 9000.
Step 6 Repeat step 5 for the lan1 interface and click Save.
Step 7 Repeat steps 1 to 6 for HERCP-EC-2.
Border Switches
Step 1 Log into HPE Aruba Networking Central.
Step 2 In the Global dropdown, select the switch group. In this sample procedure, the group is HERCP-FAB.
Step 3 On the left menu, select Devices.
Step 4 Click Switches, then select Config.
Step 5 Enable the MultiEdit Toggle.
Step 6 Select the two border switches.
Step 7 Click Edit Config.
Step 8 Modify the interfaces connected to EdgeConnect with the following configuration and click Save.

```
interface 1/1/22
    description HERCP-EC
    mtu 9000
    ip mtu 9000
interface 1/1/23
    description HERCP-EC
    mtu 9000
    ip mtu 9000
```
Define Roles
Roles must be created manually on Orchestrator to match the roles in HPE Aruba Networking Central. Roles are global elements in both HPE Aruba Networking Central and Orchestrator.
Step 1 Log into HPE Aruba Networking Central.
Step 2 In the filter dropdown, select Global, if it is not already selected. On the left menu, select Security.
Step 3 Select the Client Roles page.
Step 4 Make a note of all the roles and their Policy Identifiers.
Step 5 Log into Orchestrator and click Configuration. In the Overlays and Security section, under the Security subsection, click Roles.
Step 6 Click Add Role.
Step 7 Enter CONTRACTOR in the Role field and 200 in the GPID field.
Step 8 Repeat steps 6 and 7 for additional roles.
Step 9 Click Save.
Note: Roles are case-sensitive. Ensure that the name and GPID match exactly in HPE Aruba Networking Central and Orchestrator.
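Because a role whose name or GPID differs in either product silently fails to match, it is worth comparing the two role tables before moving on. The following is an added example (not part of this guide and not an API of Central or Orchestrator): it takes two role tables that an operator has exported or typed in by hand and reports every case-sensitive name mismatch, GPID mismatch, omission, and duplicate GPID. The role tables shown are constructed; the names other than CONTRACTOR/200 are assumptions.

```python
"""Consistency check for role names and GPIDs between HPE Aruba Networking Central
and Orchestrator. Added example; the role tables below are constructed and are
not pulled from either product."""

# Constructed: roles and Policy Identifiers noted from Central (Define Roles, step 4).
CENTRAL_ROLES = {
    "CONTRACTOR": 200,
    "EMPLOYEE": 100,
    "GUEST": 300,
    "IOT-CAMERA": 400,
}

# Constructed: roles as entered in Orchestrator, seeded with typical mistakes.
ORCHESTRATOR_ROLES = {
    "CONTRACTOR": 200,   # exact match
    "Employee": 100,     # case mismatch: roles are case-sensitive
    "GUEST": 301,        # GPID mismatch
    # IOT-CAMERA omitted entirely
}


def compare_roles(central, orchestrator):
    """Return a list of (role, problem) tuples, one per inconsistency.

    A role is consistent only when the exact (case-sensitive) name and the GPID
    are identical on both sides. Case-insensitive near-matches are reported as a
    separate problem so a typo can be told apart from an omission.
    """
    problems = []
    orch_lower = {name.lower(): name for name in orchestrator}
    central_lower = {name.lower() for name in central}

    for name, gpid in sorted(central.items()):
        if name in orchestrator:
            if orchestrator[name] != gpid:
                problems.append(
                    (name, f"GPID mismatch: Central {gpid}, Orchestrator {orchestrator[name]}")
                )
        elif name.lower() in orch_lower:
            problems.append(
                (name, f"case mismatch: Orchestrator has '{orch_lower[name.lower()]}'")
            )
        else:
            problems.append((name, "missing in Orchestrator"))

    # Roles that exist only in Orchestrator can never be matched to a Central policy.
    for name in sorted(set(orchestrator) - set(central)):
        if name.lower() not in central_lower:
            problems.append((name, "missing in Central"))

    # Two Orchestrator roles sharing a GPID make the role lookup ambiguous.
    seen = {}
    for name, gpid in orchestrator.items():
        if gpid in seen:
            problems.append((name, f"duplicate GPID {gpid} also used by '{seen[gpid]}'"))
        seen[gpid] = name
    return problems


if __name__ == "__main__":
    for role, problem in compare_roles(CENTRAL_ROLES, ORCHESTRATOR_ROLES):
        print(f"{role}: {problem}")
```

Run it after step 9 and fix every reported line before adding segments; an empty result means both role tables agree name-for-name and GPID-for-GPID.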
Adding Segments
EdgeConnect does not interface directly with the segments, but they must be defined so that Orchestrator can read them. These steps add the required segments to Orchestrator.
Step 1 Hover on Configuration. In the Networking section, Routing subsection, click Routing Segmentation (VRF).
Step 2 Click +Add Segment.
Step 3 Enter Infrastructure for Segment Name, then click Save.
Step 4 Repeat the steps above to add the Guest and Corporate segments.
Configure Templates
BGP Route Maps
This template will configure a route-map, used later in this procedure, to set the BGP Local Preference to 250.
Step 1 Hover on Configuration. In the Templates & Policies section, click Templates.
Step 2 In the Default Template Group (or the assigned template applied to EdgeConnect), click Show All.
Step 3 Click and drag the Route Redistribution Maps from Available templates to Active Templates.
Step 4 For the Route Redistribution Maps template, select BGP Inbound in the Redistribute Routes to dropdown.
Step 5 Click Add Map.
Step 6 Enter a Map Name of RTMAP-BGP-HIGHER-LP and click Add.
Step 7 Click Add rule. Complete the following Set Actions fields, then click Add.
- Permit: checked
- BGP Local Preference: checked
- BGP Local Preference: 250
Step 8 Under the Template Group, click Save.
VNI to Segment Mapping and VTEP Source
VXLAN VNIs are mapped to EdgeConnect segments using a template that applies to all EdgeConnect devices. These VNIs correspond to the same Layer 3 VNIs defined in the NetConductor Fabric Wizard.
Step 1 Hover on Configuration. In the Templates & Policies section, click Templates.
Step 2 In the Default Template Group (or the assigned template applied to EdgeConnect), click Show All.
Step 3 Click and drag the VXLAN template from Available templates to Active Templates.
Step 4 In the VXLAN template, select lo20000 in the VTEP source interface dropdown.
Step 5 In the VXLAN Template, VNI Mapping section, click Add.
Step 6 On the Add VNI Mapping page, assign the following settings, then click OK.
- VNI: 10000
- Segment: Infrastructure
- Firewall zone: LAN
- Fallback role: Don’t apply
Step 7 Repeat the above steps for the following VNIs.
| VNI | Segment |
|---|---|
| 20000 | Corporate |
| 30000 | Guest |
Step 8 In the Template Group window, click Save.
Configure BGP EVPN on EdgeConnect
This procedure configures the eBGP adjacency between the EdgeConnect gateways and the border switches. EdgeConnect gateways are in BGP ASN 65002 and the NetConductor fabric is in BGP ASN 65001. In order to maintain border symmetry, a route-map is used to set the BGP local preference. After the BGP adjacency is configured, BGP is enabled in each segment to import the routes from EVPN into the routing table.
Step 1 Hover on Configuration. In the Networking section, Routing subsection, click BGP.
Step 2 Select the first EdgeConnect, HERCP-EC-1, from the sidebar.
Step 3 Click the Edit icon (pencil) beside the default segment.
Step 4 Assign the following setting. The Router ID is the loopback IP for the EdgeConnect.
- Enable BGP Toggle: Enabled
- Autonomous system number: 65002
- Router ID: 10.14.255.73
Step 5 Under BGP Peers, click Add.
Step 6 Assign the following settings, then click OK.
- Peer IP: 10.10.1.4
- Peer Adjacency: Multi-Hop
- EVPN Peer: checked
- Peer ASN: 65001
- Inbound route map: RTMAP-BGP-HIGHER-LP
Note: The peer IP is the Loopback0 interface on the border.
Step 7 Repeat steps 4 to 5 to create a BGP peer for the second border.
Step 8 Click Save.
Step 9 Click the Edit icon (pencil) beside the Infrastructure segment. Assign the following settings, then click Save.
- Enable BGP: Enabled
- Autonomous system number: 65002
- Route Target: 65001:10000
- Router ID: 10.14.255.73
Step 10 Repeat step 9 for the Guest and Corporate segments.
Step 11 Repeat Steps 2 to 8 for the second EdgeConnect HERCP-EC-2.
Note: When creating the BGP peering for the second EdgeConnect, do not change the inbound route-map. The second EdgeConnect should use the default local-preference of 100, while the primary EdgeConnect should have a local-preference of 250.
Configure BGP EVPN on the Border Switches
This procedure configures the border switches and their eBGP adjacency with the EdgeConnect gateways. EdgeConnect gateways are in BGP ASN 65002 and the NetConductor fabric is in BGP ASN 65001. A route-map that sets the BGP local-preference is used to prefer routes from the primary EdgeConnect gateway. An AS path list matches routes originating only from the EdgeConnect gateway’s autonomous system and sets the local-preference to 250. This configuration is then applied to the primary EdgeConnect gateway neighbor.
BGP next-hop-self is configured on the BGP adjacencies to the route-reflectors in the fabric. This required configuration sets the border as the next-hop for any routes advertised in the fabric from the EdgeConnect gateways.
Step 1 Log into HPE Aruba Networking Central.
Step 2 In the Global dropdown, select the switch group. In this sample procedure, the group is HERCP-FAB.
Step 3 On the left menu, select Devices.
Step 4 Select Switches, then select Config.
Step 5 Enable the MultiEdit toggle.
Step 6 Select the two border switches.
Step 7 Click Edit Config.
Step 8 Add the following configuration to the MultiEdit Interface and click Save.

```
ip aspath-list HERNDON-AS-MATCH seq 10 permit 65002$
route-map INCREASE-LOCAL-PREF permit seq 10
    match aspath-list HERNDON-AS-MATCH
    set local-preference 250
router bgp 65001
    neighbor 10.14.255.73 remote-as 65002
    neighbor 10.14.255.73 ebgp-multihop 5
    neighbor 10.14.255.73 update-source loopback 0
    neighbor 10.14.255.74 remote-as 65002
    neighbor 10.14.255.74 ebgp-multihop 5
    neighbor 10.14.255.74 update-source loopback 0
    address-family l2vpn evpn
        neighbor 10.14.255.73 activate
        neighbor 10.14.255.73 route-map INCREASE-LOCAL-PREF in
        neighbor 10.14.255.73 send-community extended
        neighbor 10.14.255.74 activate
        neighbor 10.14.255.74 send-community extended
```

Step 9 Use the MultiEdit Interface to add the following configuration, then click Save.

```
router bgp 65001
    address-family l2vpn evpn
        neighbor 10.10.1.0 next-hop-self
        neighbor 10.10.1.1 next-hop-self
```
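The local-preference policy above, together with the note under Configure BGP EVPN on EdgeConnect that the second gateway keeps the default local preference of 100, decides which EdgeConnect the fabric uses for a given prefix. The following is an added example (not device code, and not part of this guide) that models just that policy: the aspath-list regex 65002$, the route-map applied inbound on the primary neighbor 10.14.255.73 only, and the local-preference step of BGP best-path selection over a set of constructed EVPN routes. The prefixes, the AS path "65002 65010" and the simplified tie-break are assumptions made for illustration; the device's regex engine is assumed to treat 65002$ the same way Python's re does.

```python
"""Model of the border's local-preference policy: an AS-path list matching routes
that originate in the EdgeConnect ASN (65002$), a route-map raising LOCAL_PREF to
250 on the primary neighbor only, then best-path selection by LOCAL_PREF.
Added example; the routes below are constructed, not learned from a device."""
import re
from dataclasses import dataclass

EC_PRIMARY = "10.14.255.73"    # HERCP-EC-1 loopback, gets route-map INCREASE-LOCAL-PREF
EC_SECONDARY = "10.14.255.74"  # HERCP-EC-2 loopback, keeps the default local preference
DEFAULT_LOCAL_PREF = 100
RAISED_LOCAL_PREF = 250

# The regex from 'ip aspath-list HERNDON-AS-MATCH seq 10 permit 65002$'.
AS_PATH_MATCH = re.compile(r"65002$")


@dataclass
class Route:
    prefix: str
    neighbor: str
    as_path: str                          # space-separated, leftmost AS is the most recent
    local_pref: int = DEFAULT_LOCAL_PREF


def matches_aspath_list(as_path: str) -> bool:
    """65002$ matches only when 65002 is the last (originating) AS in the path.
    Assumption: the switch applies the regex to the textual AS path as re.search does,
    so a longer ASN ending in the same digits (e.g. 165002) would also match."""
    return AS_PATH_MATCH.search(as_path) is not None


def apply_inbound_policy(route: Route) -> Route:
    """route-map INCREASE-LOCAL-PREF is configured inbound on the primary neighbor only;
    the secondary neighbor's routes keep LOCAL_PREF 100."""
    if route.neighbor == EC_PRIMARY and matches_aspath_list(route.as_path):
        route.local_pref = RAISED_LOCAL_PREF
    return route


def best_path(routes):
    """Pick the best of several paths for one prefix: highest LOCAL_PREF, then shortest
    AS path, then lowest neighbor address (a simplified stand-in for later tie-breaks)."""
    ranked = sorted(
        routes,
        key=lambda r: (
            -r.local_pref,
            len(r.as_path.split()),
            tuple(int(octet) for octet in r.neighbor.split(".")),
        ),
    )
    return ranked[0]


def select_best_paths(routes):
    """Apply the inbound policy per neighbor, then return {prefix: best Route}."""
    by_prefix = {}
    for route in routes:
        by_prefix.setdefault(route.prefix, []).append(apply_inbound_policy(route))
    return {prefix: best_path(candidates) for prefix, candidates in by_prefix.items()}


# Constructed: the same two prefixes learned from both EdgeConnect gateways. The
# second prefix is given an extra origin AS to show that 65002$ stops matching.
CANDIDATE_ROUTES = [
    Route("10.20.0.0/24", EC_PRIMARY, "65002"),
    Route("10.20.0.0/24", EC_SECONDARY, "65002"),
    Route("10.30.0.0/24", EC_PRIMARY, "65002 65010"),
    Route("10.30.0.0/24", EC_SECONDARY, "65002 65010"),
]

if __name__ == "__main__":
    for prefix, route in select_best_paths(CANDIDATE_ROUTES).items():
        print(f"{prefix}: via {route.neighbor} local-pref {route.local_pref}")
```

Both borders apply the same policy, so both prefer HERCP-EC-1 for routes that originate in AS 65002; this is the border symmetry the procedure relies on. The 10.30.0.0/24 case shows that a route whose origin AS is not 65002 never receives the raised local preference, so the two gateways would be compared on the remaining best-path attributes instead.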
Routing Considerations
After a NetConductor Fabric is deployed and extended via SD-WAN multi-site, the fabric VRFs may become isolated from the rest of the network. Make sure to plan for and address this. If one of the following methods is not implemented, the fabric remains unreachable.
Common methods to prevent VRF isolation include:
- If VRF-based segmentation is already in place, continue extending the VRFs at the hub EdgeConnects using an EVPN handoff (if supported by the LAN-side device) or a VRF-lite handoff.
- If VRF segmentation is not widely used in the environment, consider merging the VRFs through a firewall at the hub. Based on policy, the firewall can then route traffic back into the global routing table.