Aruba VPNC Group Configuration
The VPNC is configured in two steps. First, the group level configuration includes all the common configurations such as NTP, DNS, and OSPF area. A majority of the configuration is performed at the group level. After the group is configured, device level configuration can be applied. Device level configuration includes entering device-specific information such as IP addresses, hostnames, etc.
Table of contents
- Aruba VPNC Group Configuration
- Configure the VPNC Group
- Select the Hardware Model for the VPNC Group
- Set the VPNC Group System Time Parameters
- Select a DNS Server for the VPNC Gateway
- Create a Management User Account
- Create VLANs for Each Ethernet Port
- Enable OSPF Globally
- Define the Gateway Pool
- Assign the VLANs to the LAN Ports
- Enable Tunnel Orchestrator Peering
- Configure Route Filtering
- Configure the Overlay Routing
- Redistribute SD-WAN Routes
- Configure Aggregation Routes
- Configure Static Routes
- Configure VPNC Devices
- Configure VPNC Device
- Onboard VPNC to Central
Configure the VPNC Group
This procedure configures groups for VPNCs.
Step 1 In the Global filter dropdown, search or select the VPNC-RSVDC group.
Step 2 On the left navigation pane, in the Manage section, select Devices.
Step 3 Select the Gateways tab, then click the Config (gear) icon in the upper right corner.
Step 4 In the guided setup window, click Cancel, then click Exit.
Select the Hardware Model for the VPNC Group
Only one VPNC gateway model can be assigned for each group.
Step 1 On the Gateways tab, in the System section, select Model.
Step 2 In the VPNC Model dropdown, select the hardware model for the VPNC gateway group; for example: A9240.
Step 3 Use the toggle to disable Automatic Group Clustering, since clustering is assigned at the site level.
Note: Clustering is required for MicroBranch and can be left enabled if needed. Exercise caution, since any other devices brought into the group are then clustered as well.
Step 4 Click Save Settings in the bottom right corner.
Set the VPNC Group System Time Parameters
Use this procedure to set the network time protocol (NTP) parameters and time zone to keep the VPNC clocks synchronized.
Step 1 On the Gateways tab, in the System section, select Time.
Step 2 In the Public NTP Servers table, click the + (plus sign) to add a public NTP server.
Step 3 In the IPv4 Address/FQDN column, enter pool.ntp.org or other NTP server address.
Step 4 Check Burst Mode if this feature is supported by the NTP server. Burst mode provides faster time synchronization.
Step 5 In the Timezone dropdown, choose the appropriate time zone, then click Save Settings.
Select a DNS Server for the VPNC Gateway
Specify the DNS server(s) the VPNC gateway uses to communicate with Central.
Step 1 On the Gateways tab, in the System section, select DNS.
Step 2 Select Specify DNS servers.
Step 3 In the Domain name text box, enter a domain name; for example: example.local.
Step 4 In the Public DNS Servers table, click the + (plus sign) to assign a public DNS server. For a virtual gateway VPNC, leave the default DNS provided by the cloud provider and go to step 6.
Step 5 In the Provider dropdown, select one of the listed providers, or select Alternate DNS if the desired server is not in the list.
Step 6 Click Save Settings.
Note: The gateway uses this DNS server for DNS lookups. Clients do not use this DNS server.
Create a Management User Account
Create a management user account for CLI access to the gateways.
Step 1 On the Gateways tab, in the System section, select Management User.
Step 2 In the Local management users table, click the + (plus sign).
Step 3 In the Add Management User table, assign the following settings, then click Save.
- Name: admin
- Password: password
- Retype Password: password
- Role: Super user role
Note: The password shown above is a placeholder. This account has full CLI privileges on every gateway in the group, so set a strong, unique password instead, and add additional users with less privileged roles as needed.
Step 4 Click Save Settings in the bottom right corner.
Create VLANs for Each Ethernet Port
Create five VLANs on the VPNCs: one for each WAN transport (MPLS and Internet), two for the LAN connections that peer with the campus infrastructure over OSPF, and one Gateway Pool VLAN. The Gateway Pool VLAN carries the gateway's System IP address, which is assigned automatically from the pool.
Step 1 On the right side, click Advanced mode.
Step 2 Go to Interface, then select VLANs.
Step 3 In the VLANs table, click the + (plus sign).
Step 4 In the New VLAN window, configure the following VLANs, and click Save Settings.
VLAN Name | VLAN ID |
---|---|
MPLS | 2086 |
INET | 2084 |
GATEWAY_POOL | 2085 |
OSPF_LAN_UPLINK_1 | 2001 |
OSPF_LAN_UPLINK_2 | 2002 |
Note: VLANs 4080 and above are reserved. If these VLANs must be used, contact Aruba support.
Step 5 Verify the VLAN information in the summary table, then click Save Settings in the bottom right corner.
Step 6 Configure the following settings on each VLAN in the IP Address Assignment section.
Interface | Enable Routing | IP Assignment | NAT Outside |
---|---|---|---|
MPLS | Checked | Static | |
INET | Checked | Static | Checked |
GATEWAY_POOL | Checked | Gateway Pool | |
OSPF_LAN_UPLINK_1 | Checked | Static | |
OSPF_LAN_UPLINK_2 | Checked | Static | |
Caution: DO NOT enable NAT on the OSPF_LAN_UPLINK, MPLS, or Gateway Pool VLANs.
Step 7 Enable OSPF for the GATEWAY_POOL, OSPF_LAN_UPLINK_1, and OSPF_LAN_UPLINK_2 VLANs.
- Select OSPF_LAN_UPLINK_1.
- Enable OSPF.
- Enter the OSPF area: 0.0.0.0.
- Click Save Settings.
- Repeat these steps for the OSPF_LAN_UPLINK_2 and GATEWAY_POOL VLANs.
Enable OSPF Globally
Although OSPF has been enabled on the VLANs, it is not yet enabled globally. The following procedure enables OSPF globally so the interfaces can participate in OSPF.
Step 1 On the Gateway tab in Advanced Mode, go to Routing > OSPF.
Step 2 Enable the OSPF toggle.
Step 3 Enter the Area ID: 0.0.0.0.
Define the Gateway Pool
In the previous sections, the Gateway Pool VLAN was defined. However, it was not configured as a Gateway Pool. This procedure completes the Gateway Pool configuration, which automatically assigns Gateway IP Addresses.
Step 1 In Advanced Mode, go to Interface and select Pool Management. Expand the Gateway Pool option.
Step 2 Click the + (plus sign) to create a Gateway Pool.
Step 3 Enter the range of IP addresses for the Gateway Pool.
- Start IP address: 10.0.6.111
- End IP address: 10.0.6.120
- Click Save Settings.
Step 4 Go to Interface > VLANs.
Step 5 Select the Gateway Pool VLAN.
- Set the IP Assignment to Gateway Pool.
- Set the VLAN Pool to Gateway Pool.
- Click Save Settings.
Step 6 Go to System > General.
Step 7 Expand the System IP Address and select VLAN 2085 (the Gateway Pool VLAN).
Step 8 Click Save Settings.
Assign the VLANs to the LAN Ports
After each VLAN is configured appropriately, the VLANs must be assigned to the correct ports.
Later in this guide, the VPNC is set up for One Touch Provisioning, so it is important to assign the correct port layout.
Step 1 Go to Gateways > Config. On the right side, click Advanced mode.
Step 2 Go to Interface > Ports.
Step 3 In the LAN ports/port channel table, click the + (plus sign).
Step 4 Select all the ports to be used. This example uses Ports Ge 0/0/0 - Ge 0/0/3.
Step 5 Configure the Interface Type, VLAN ID and Description, and LLDP on each port, as shown below.
Port ID | Interface Type | VLAN ID | Description |
---|---|---|---|
Ge 0/0/0 | LAN | 2001 | OSPF_LAN_UPLINK_1 |
Ge 0/0/1 | LAN | 2002 | OSPF_LAN_UPLINK_2 |
Ge 0/0/2 | WAN | 2086 | MPLS |
Ge 0/0/3 | WAN | 2084 | INET |
Note: Before registering an appliance with Central, interface Ge 0/0/1 can be reserved for One Touch Provisioning. Do not use this interface as a WAN port if DHCP addressing is required (such as an Internet circuit).
Step 6 Verify the port information in the summary table.
Enable Tunnel Orchestrator Peering
In this procedure, the SD-WAN overlay orchestrator is enabled to automate establishing tunnels.
Step 1 On the Gateways tab in Basic Mode, go to Tunnels & Routing and select SD-WAN Overlay.
Note: In Advanced Mode, go to VPN > SD-WAN Overlay and switch the overlay mode to orchestrated.
Step 2 Click Overlay Orchestrator Peering, then click Save Settings.
Configure Route Filtering
The VPNC filters the campus point-to-point link routes (the /30 links in the 172.18.0.0/16 space; in this example, those under 172.18.96.0/19) out of the overlay so they are not advertised to the branches. This procedure creates a prefix list and a route map to accomplish the filtering.
Step 1 On the Gateways tab in Basic Mode, go to Tunnels & Routing and select Route Maps.
Step 2 Click the Prefix List dropdown, then click the + (plus sign) to create a new prefix list.
Step 3 Enter the following settings for the Point-To-Point prefix list.
- Name: PTP
- Sequence: 10
- Action: Deny
- Address: 172.18.96.0
- Mask: 255.255.224.0
- GE: 29
Step 4 Click the + (plus sign) to create a new prefix list. Enter the following settings for a Catch all prefix list.
- Name: ANY
- Sequence: 20
- Action: Permit
- Address: 0.0.0.0
- Mask: 0.0.0.0
- LE: 32
Step 5 Click Save Settings.
Note: Without GE or LE, a prefix-list entry matches only the exact prefix entered. In this example, an entry of 172.18.96.0/19 on its own would match only the /19 itself and would not match the more specific point-to-point route 172.18.96.8/30. Adding GE 29 makes the PTP entry match every prefix inside 172.18.96.0/19 with a length of /29 or longer, which is what denies the /30 point-to-point links while leaving shorter campus prefixes in that range untouched. The ANY entry uses LE 32 so that it matches every prefix length.
Step 6 Expand the Route Map dropdown, and click the + (plus sign) to create a new route map.
Step 7 Enter the following settings for the route map.
- Name: Block_PTP
- Sequence Number: 10
- Action: Permit
Step 8 In the Match box, click the + (plus sign) to add a match.
Step 9 Set the type to IP Address and set the value to the PTP Prefix list.
Step 10 Click the + (plus sign) to add another match. Set the type to IP Address and set the value to the ANY Prefix list.
Step 11 Click Save, then click Save Settings.
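The prefix-list semantics behind this procedure, as an added example in Python (not code from the Aruba guide or from Central): entries are evaluated in sequence order, the first match decides, an unmatched route is implicitly denied, GE/LE widen the range of prefix lengths an entry accepts, and the Block_PTP route map passes whatever the list permits. The sample OSPF routes are constructed for illustration, and treating the PTP and ANY rows as one ordered list is an assumption about how the route map combines its two matches. A second entry set without GE 29 shows why the qualifier is needed.

```python
from ipaddress import IPv4Network, ip_network

# Each tuple is one prefix-list row as entered in Central:
# (sequence, action, network, ge, le). ge/le of None mean "exact length only".
# Assumption: the PTP and ANY rows are evaluated as one ordered list.
PTP_FILTER = [
    (10, "deny",   ip_network("172.18.96.0/255.255.224.0"), 29, None),  # PTP: /29 to /32 inside the /19
    (20, "permit", ip_network("0.0.0.0/0"),                 None, 32),  # ANY: every prefix, /0 to /32
]

# The same rows without GE 29, to show what the qualifier changes.
PTP_FILTER_EXACT = [
    (10, "deny",   ip_network("172.18.96.0/255.255.224.0"), None, None),  # matches only 172.18.96.0/19 itself
    (20, "permit", ip_network("0.0.0.0/0"),                 None, 32),
]


def length_range(net: IPv4Network, ge, le):
    """Prefix lengths an entry accepts: the exact length unless GE and/or LE widen it."""
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return lo, hi


def entry_matches(entry, route: IPv4Network) -> bool:
    """A route matches an entry if it lies inside the entry's network and its length is in range."""
    _seq, _action, net, ge, le = entry
    if not route.subnet_of(net):
        return False
    lo, hi = length_range(net, ge, le)
    return lo <= route.prefixlen <= hi


def prefix_list_action(route, entries=PTP_FILTER) -> str:
    """First matching entry in sequence order decides; no match is an implicit deny."""
    route = ip_network(route)
    for entry in sorted(entries, key=lambda e: e[0]):
        if entry_matches(entry, route):
            return entry[1]
    return "deny"


def redistributed(routes, entries=PTP_FILTER):
    """Routes that pass the Block_PTP route map and are redistributed into the overlay."""
    return [r for r in routes if prefix_list_action(r, entries) == "permit"]


# Constructed sample of OSPF routes the VPNC might learn from the campus.
SAMPLE_ROUTES = [
    "172.18.106.16/30",  # OSPF_LAN_UPLINK_1 point-to-point link
    "172.18.106.24/30",  # OSPF_LAN_UPLINK_2 point-to-point link
    "172.18.96.8/30",    # the /30 mentioned in the guide's note
    "172.18.96.0/19",    # the /19 itself: shorter than GE 29, so not denied
    "172.18.64.0/19",    # outside 172.18.96.0/19
    "10.0.6.0/24",       # gateway pool subnet
    "10.2.0.0/16",       # a campus user subnet
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        with_ge = prefix_list_action(r)
        exact = prefix_list_action(r, PTP_FILTER_EXACT)
        print(f"{r:18} with GE 29: {with_ge:6}  without GE: {exact}")
    print("redistributed:", redistributed(SAMPLE_ROUTES))
```

Run it and compare the two columns: with GE 29 the three /30 links are denied and everything else is permitted; without GE the /30 links slip through and only the /19 itself is denied, which is the opposite of what the procedure intends.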
Configure the Overlay Routing
Use this procedure to redistribute OSPF routes into the overlay so branches can reach corporate prefixes. Aruba SD-WAN automatically translates route costs between the overlay and data center to ensure symmetry.
Step 1 On the Gateways tab, in the Tunnels & Routing section, select Overlay Routing.
Step 2 On the Overlay Routing page, expand Redistribution to display the redistribution table.
Step 3 In the Redistribution table, click the + (plus sign) to create a new redistribution rule.
Step 4 In the Source Protocol dropdown, select OSPF. Static, connected, and BGP routes also are supported, though not shown in this example.
Step 5 In the Filter dropdown, select Intra Area, or another filter, depending on which OSPF routes should be redistributed.
Step 6 In the Route Map dropdown, select the Block_PTP route map created in the previous procedure.
Step 7 Click Save Settings.
Redistribute SD-WAN Routes
Step 1 In Advanced Mode, select the Routing tab.
Step 2 Select OSPF.
Step 3 Select Redistribution and click the + (plus sign).
Step 4 Select the source protocol SDWAN Overlay. Select the Route Type E1 and set the Cost; in this case: 100.
Step 5 Click Save Settings in the bottom right corner.
Configure Aggregation Routes
This procedure uses DC aggregate routes to summarize the campus 10.x.x.x address space into a single summary address. The VPNC advertises the summary route 10.0.0.0/13 (10.0.0.0 through 10.7.255.255) to each Branch Gateway. This is optional; however, summarizing as much as possible is recommended to keep the branch route tables small.
Step 1 On the Gateways tab, in the SDWAN & Routing section, select Overlay Routing.
Step 2 On the Overlay Routing page, expand Data Center Aggregate Routes to display the DC Aggregate Routes table.
Step 3 Uncheck Allow branch to branch. If selected, the VPNC becomes a transit site allowing branches to communicate through the VPNC. This is typically unwanted if all applications are centralized at the data center.
Step 4 In the DC Aggregate Routes table, click the + (plus sign) to create a new aggregate route. In this example, the 10.0.0.0/13 summary is used to summarize the corporate address space.
Step 5 In the IP Address column, enter 10.0.0.0, and in the Mask column, enter 255.248.0.0.
Step 6 Click Save Settings.
Configure Static Routes
This procedure configures the VPNC gateways with the routes needed to form IPsec tunnels over the INET and MPLS transports. The INET route is provided by a static default gateway and the MPLS route by a static route. In this example, the MPLS network can be summarized with the 100.100.7.0/24 prefix. These routes are applied at the group level, since they are the same for all gateways in the group; however, they could be applied at the device level if the next hops differ. BGP can also be configured on the MPLS circuit to provide these routes, if desired. Although the default gateway is configured as part of the gateway's OTP process, configure it at the group level as well.
In the first step illustrated below:
Step 1 In Advanced Mode select the Routing tab.
Step 2 Select IP Routes.
Step 3 Expand IP Routes.
Step 4 Click the + (plus sign) to create a new static route.
Step 5 Enter the following information to create the MPLS route.
- Destination IP address: 100.100.7.0
- Destination network mask: 24
- Forwarding settings: Use Forwarding Router Address
- Next hop IP address: 100.100.7.1
- Cost: 1
- Distance: 1
Step 6 Click Save Settings.
In the second step illustrated below:
Step 1 Expand Static Default Gateway.
Step 2 Click the + (plus sign) to create a new static default gateway.
Step 3 Enter the following information to create the INET route.
- Destination IP address: Default Gateway IP
- Default Gateway IP: gateway IP of the INET circuit
- Cost: 1
Step 4 Click Save Settings.
Configure VPNC Devices
After the group level configuration is complete, assign device-level configurations. This section walks through the remaining configuration, which is unique to each VPNC. The procedure is provided for one VPNC, but it must be repeated for the second VPNC in the group. Since the devices were moved to the group using preprovisioning, this configuration is completed before the gateways come online.
Assign a VPNC Device to a Group and Site
This step should have been completed in the Preparing to Deploy Aruba SD-Branch chapter. If it was not, refer to the procedure here.
Configure VPNC Device
This procedure is illustrated for one VPNC, but must be repeated for the second VPNC in the group. Because the devices were moved to the group using preprovisioning, this configuration can be complete before the device comes online.
Step 1 Go to the VPNC-RSVDC Group.
Step 2 On the left menu, select Devices.
Step 3 In the gateway list, select the first gateway to configure. Use the system MAC address to identify the correct device.
Step 4 In the left navigation pane, select Device.
Step 5 In the guided setup window, click Cancel, then click EXIT.
Configure Hostname
Use this procedure to configure the hostname on the gateway.
Step 1 Go to the Gateway configuration and click Basic Mode.
Step 2 Select System > Hostname.
Step 3 Enter the Hostname.
Step 4 Click Save Settings.
Configure the System IP for the VPNC Device
Use this procedure to define the system IP address the gateway will use for network services. Ensure that Basic Mode is still selected.
Step 1 Select System > System IP.
Step 2 In the VLAN Interface box, select the VLAN 2085.
Step 3 Click Save Settings.
Assign IP Addresses to the VLANs
Step 1 Select the LAN tab, and select VLANs.
Step 2 In the VLANs table, select the VLAN to update, then click the edit (pencil) icon.
Step 3 In the VLAN window, assign the following settings, then click Save. (These settings are for the first VPNC.)
VLAN Name | VLAN ID | IP Address | NetMask |
---|---|---|---|
OSPF_LAN_UPLINK_1 | 2001 | 172.18.106.18 | 255.255.255.252 |
OSPF_LAN_UPLINK_2 | 2002 | 172.18.106.26 | 255.255.255.252 |
MPLS | 2086 | 100.100.7.5 | 255.255.255.240 |
INET | 2084 | X.X.X.X | X.X.X.X |
Step 4 Repeat steps 2 and 3 for each remaining VLAN. The final configuration should look like the image below.
Configure the WAN Ports
In this procedure, configure the WAN uplinks and map them to the VLANs.
Step 1 Go to the WAN tab in Basic Mode.
Step 2 In the Uplinks table, click the + (plus sign).
Step 3 In the Add/Edit Uplink window, enter an uplink Name and select the uplink VLAN.
Note: If WAN type is set to Internet, enter a public IP address or use a private address and configure 1:1 NAT translation on the internet edge firewall. If WAN type is set to MPLS, the uplink name must match between the VPNC and BGW to enable automated tunnel orchestration between gateways.
Note: While this example uses the name MPLS for the uplink, it is common to use a provider name to represent the private transport.
Onboard VPNC to Central
Static Provisioning (One Touch Provisioning)
The VPNCs in this deployment do not receive a DHCP address on any of their WAN connections, so they cannot reach Central until an address is configured. To register these devices with Central, One Touch Provisioning must be used. This step can be skipped if the gateways connect to a device that assigns them a DHCP address and provides Internet access.
Step 1 Using the VPNC console port and a terminal, connect to the gateway with the settings below.
- Baud rate: 9600
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow control: None
Step 2 Select the static-activate option from the menu and follow the prompt to configure the WAN connection manually.
Note: To bring up a Gateway using DHCP, see the “Configuring the Branch Gateway” section.