07-Mar-24

Aruba VPNC Group Configuration

The VPNC is configured in two steps. First, the group level configuration includes all the common configurations such as NTP, DNS, and OSPF area. A majority of the configuration is performed at the group level. After the group is configured, device level configuration can be applied. Device level configuration includes entering device-specific information such as IP addresses, hostnames, etc.


Configure the VPNC Group

This procedure configures groups for VPNCs.

Step 1 In the Global filter dropdown, search or select the VPNC-RSVDC group.

Select Group

Step 2 On the left navigation pane, in the Manage section, select Devices.

Select Devices

Step 3 Select the Gateways tab, then click the Config (gear) icon in the upper right corner.

Select Gateway

Step 4 Click Cancel, then click Exit.

Guided_Setup

Select the Hardware Model for the VPNC Group

Only one VPNC gateway model can be assigned for each group.

Step 1 On the Gateways tab, in the System section, select Model.

Step 2 In the VPNC Model dropdown, select the hardware model for the VPNC gateway group; for example: A9240.

Step 3 Use the toggle to disable Automatic Group Clustering, because clustering is assigned at the site level.

Note: Clustering is required for MicroBranch and can be left enabled if needed. Exercise caution, because any other device brought into the group is then clustered automatically.

hardware_selection

Step 4 Click Save Settings in the bottom right corner.

Set the VPNC Group System Time Parameters

Use this procedure to set the network time protocol (NTP) parameters and time zone to keep the VPNC clocks synchronized.

Step 1 On the Gateways tab, in the System section, select Time.

Step 2 In the Public NTP Servers table, click the + (plus sign) to add a public NTP server.

Setting_NTP

Step 3 In the IPv4 Address/FQDN column, enter pool.ntp.org or other NTP server address.

Step 4 Check Burst Mode if this feature is supported by the NTP server. Burst mode provides faster time synchronization.

configuring_NTP

Step 5 In the Timezone dropdown, choose the appropriate time zone, then click Save Settings.

Timezone

Select a DNS Server for the VPNC Gateway

Specify the DNS server(s) the VPNC gateway uses to communicate with Central.

Step 1 On the Gateways tab, in the System section, select DNS.

Step 2 Select Specify DNS servers.

Step 3 In the Domain name text box, enter a domain name; for example: example.local.

Step 4 In the Public DNS Servers table, click the + (plus sign) to assign a public DNS server. For a virtual gateway VPNC, leave the default DNS provided by the cloud provider and go to step 6.

Step 5 In the Provider dropdown, select one of the listed providers, or select Alternate DNS if the desired server is not in the list.

Step 6 Click Save Settings.

Configuring_DNS

Note: The gateway uses this DNS server for DNS lookups. Clients do not use this DNS server.

Create a Management User Account

Create a management user account for CLI access to the gateways.

Step 1 On the Gateways tab, in the System section, select Management User.

Step 2 In the Local management users table, click the + (plus sign).

Add_MGMT_User

Step 3 In the Add Management User window, assign the following settings, then click Save.

  • Name: admin
  • Password: a strong, unique password (the screenshot uses the placeholder value password; never deploy that value, because this account has full CLI access to the gateway)
  • Retype Password: the same password
  • Role: Super user role

MGMT_Name_PW

Note: You can add additional users with other roles as needed.

Step 4 Click Save Settings in the bottom right corner.

Create VLANs for Each Ethernet Port

Create five VLANs on the VPNCs: one for each WAN type (MPLS and Internet), two for the LAN connections that carry OSPF peering to the campus infrastructure, and one Gateway Pool VLAN. The Gateway Pool VLAN carries the gateway's System IP address, which is assigned automatically from the pool.

Step 1 On the right side, click Advanced mode.

Step 2 Go to Interface, then select VLANs.

Step 3 In the VLANs table, click the + (plus sign).

Step 4 In the New VLAN window, configure the following VLANs, and click Save Settings.

VLAN Name            VLAN ID
MPLS                 2086
INET                 2084
GATEWAY_POOL         2085
OSPF_LAN_UPLINK_1    2001
OSPF_LAN_UPLINK_2    2002

Note: VLANs 4080 and above are reserved. If these VLANs must be used, contact Aruba support.

Creating_VLAN

Step 5 Verify the VLAN information in the summary table, then click Save Settings in the bottom right corner.

Complete_VLAN_List

Step 6 Configure the following settings on each VLAN in the IP Address Assignment section.

Interface            Enable Routing   IP Assignment   NAT Outside
MPLS                 Checked          Static          Unchecked
INET                 Checked          Static          Checked
GATEWAY_POOL         Checked          Gateway Pool    Unchecked
OSPF_LAN_UPLINK_1    Checked          Static          Unchecked
OSPF_LAN_UPLINK_2    Checked          Static          Unchecked

Caution: DO NOT enable NAT on the OSPF_LAN_UPLINK, MPLS, or Gateway Pool VLANs.

Enable_Routing

Step 7 Enable OSPF on the GATEWAY_POOL, OSPF_LAN_UPLINK_1, and OSPF_LAN_UPLINK_2 VLANs.

  • Select OSPF_LAN_UPLINK_1.
  • Enable OSPF.
  • Enter the OSPF area: 0.0.0.0.
  • Click Save Settings.
  • Repeat these steps for the OSPF_LAN_UPLINK_2 and GATEWAY_POOL VLANs.

Enable_OSPF

Enable OSPF Globally

Although OSPF has been enabled for the VLAN, it is not enabled globally. The following procedure enables OSPF globally so the interfaces can participate in OSPF.

Step 1 On the Gateways tab in Advanced Mode, go to Routing > OSPF.

Step 2 Enable the OSPF toggle.

Step 3 Enter the Area ID: 0.0.0.0.

Enabling OSPF

Define the Gateway Pool

In the previous sections, the Gateway Pool VLAN was defined. However, it was not configured as a Gateway Pool. This procedure completes the Gateway Pool configuration, which automatically assigns Gateway IP Addresses.

Step 1 In Advanced Mode, go to Interface and select Pool Management. Expand the Gateway Pool option.

Step 2 Click the + (plus sign) to create a Gateway Pool.

Nav_Gateway_Pool

Step 3 Enter the pool of IP Addresses for the Gateway Pool.

  1. Enter the Start IP address: 10.0.6.111.

  2. Enter the End IP address: 10.0.6.120.

  3. Click Save Settings.

Gateway_Pool_Config

Step 4 Go to Interface > VLANs.

Nav_VLAN_List

Step 5 Select the Gateway Pool VLAN.

  • Set the IP Assignment to Gateway Pool.
  • Set the VLAN Pool to Gateway Pool.
  • Click Save Settings.

Applying Gateway Pool

Step 6 Go to System > General.

Step 7 Expand the System IP Address and select VLAN 2085 (the Gateway Pool VLAN).

Set System IP

Step 8 Click Save Settings.

Assign the VLANs to the LAN Ports

After each VLAN is configured appropriately, the VLANs must be assigned to the correct ports.

Later in this guide, the VPNC is set up for One Touch Provisioning, so it is important to assign the correct port layout.

Step 1 Go to Gateways > Config. On the right side, click Advanced mode.

Step 2 Go to Interface > Ports.

Step 3 In the LAN ports/port channel table, click the + (plus sign).

Step 4 Select all the ports to be used. This example uses Ports Ge 0/0/0 - Ge 0/0/3.

Selecting Ports

Step 5 Configure the Interface Type, VLAN ID and Description, and LLDP on each port, as shown below.

Port ID     Interface Type   VLAN ID   Description
Ge 0/0/0    LAN              2001      OSPF_LAN_UPLINK_1
Ge 0/0/1    LAN              2002      OSPF_LAN_UPLINK_2
Ge 0/0/2    WAN              2086      MPLS
Ge 0/0/3    WAN              2084      INET

Note: Before registering an appliance with Central, interface Ge 0/0/1 can be reserved for One Touch Provisioning. Do not use this interface as a WAN port if DHCP addressing is required (such as an Internet circuit).

Configuring Interfaces

Step 6 Verify the port information in the summary table.

VPNC_Verify_Ports

Enable Tunnel Orchestrator Peering

In this procedure, the SD-WAN overlay orchestrator is enabled to automate establishing tunnels.

Step 1 On the Gateways tab in Basic Mode, go to Tunnels & Routing and select SD-WAN Overlay.

Note: In Advanced Mode, go to VPN > SD-WAN Overlay and switch the overlay mode to orchestrated.

Step 2 Click Overlay Orchestrator Peering, then click Save Settings.

Enable Overlay Orchestration

Configure Route Filtering

The VPNC filters the campus point-to-point link routes out of the overlay. In this example those are the /29 and longer prefixes inside 172.18.96.0/19 (part of 172.18.0.0/16). This procedure creates a prefix list and a route map to accomplish the filtering.

Step 1 On the Gateways tab in Basic Mode, go to Tunnels & Routing and select Route Maps.

Step 2 Click the Prefix List dropdown, then click the + (plus sign) to create a new prefix list.

Step 3 Enter the following settings for the Point-To-Point prefix list.

  • Name: PTP
  • Sequence: 10
  • Action: Deny
  • Address: 172.18.96.0
  • Mask: 255.255.224.0
  • GE: 29

Step 4 Click the + (plus sign) to create a new prefix list. Enter the following settings for a Catch all prefix list.

  • Name: ANY
  • Sequence: 20
  • Action: Permit
  • Address: 0.0.0.0
  • Mask: 0.0.0.0
  • LE: 32

Step 5 Click Save Settings.

Note: The GE and LE fields control which prefix lengths an entry matches; without them, an entry matches only its exact prefix. In this example, the PTP entry 172.18.96.0/19 with GE 29 matches every prefix inside 172.18.96.0/19 that is /29 or longer, so it catches point-to-point routes such as 172.18.96.8/30 while leaving the /19 itself (and any shorter aggregate) to fall through to the ANY entry. Without GE 29, the entry would match only 172.18.96.0/19 exactly and would not match the more specific route 172.18.96.8/30, so the point-to-point routes would not be filtered.

Configure Prefix List
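To make the GE/LE behaviour concrete, the following Python model of prefix-list matching is added here as an example; it is not Aruba's implementation or code from this guide. It models the page's two entries as one ordered list evaluated first-match with an implicit deny at the end, which is the classic form of this filter and the outcome the route map is meant to produce; how Aruba combines several match clauses inside one route-map sequence is not modelled. The entry() and evaluate() helpers, and the sample routes, are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrefixListEntry:
    """One line of a prefix list, as entered in the Central UI (address + mask + GE/LE)."""
    seq: int
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None         # minimum prefix length to match
    le: Optional[int] = None         # maximum prefix length to match

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route must lie inside the entry's network ...
        if not route.subnet_of(self.network):
            return False
        # ... and its length must fall inside the GE/LE window. With neither
        # set, only the exact prefix length matches (the trap the note above
        # describes). With only GE set, the upper bound is /32.
        lo = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.network.prefixlen
        return lo <= route.prefixlen <= hi


def entry(seq: int, action: str, address: str, mask: str,
          ge: Optional[int] = None, le: Optional[int] = None) -> PrefixListEntry:
    """Build an entry from the same fields the UI asks for (dotted mask, not CIDR)."""
    return PrefixListEntry(seq, action.lower(),
                           ipaddress.ip_network(f"{address}/{mask}"), ge, le)


def evaluate(entries: List[PrefixListEntry], route: str) -> str:
    """First matching entry (by sequence) wins; an unmatched route hits the implicit deny."""
    net = ipaddress.ip_network(route, strict=False)
    for e in sorted(entries, key=lambda x: x.seq):
        if e.matches(net):
            return e.action
    return "deny"


# The page's PTP (seq 10) and ANY (seq 20) entries, modelled as one ordered list.
PTP_FILTER = [
    entry(10, "Deny",   "172.18.96.0", "255.255.224.0", ge=29),   # 172.18.96.0/19 ge 29
    entry(20, "Permit", "0.0.0.0",     "0.0.0.0",       le=32),   # catch-all
]

# The same deny entry without GE: it matches only the exact /19 (constructed contrast case).
PTP_FILTER_NO_GE = [
    entry(10, "Deny",   "172.18.96.0", "255.255.224.0"),
    entry(20, "Permit", "0.0.0.0",     "0.0.0.0",       le=32),
]


def redistribution_decision(route: str, entries: List[PrefixListEntry] = PTP_FILTER) -> str:
    """'permit' if the route would be redistributed into the overlay, 'deny' if filtered."""
    return evaluate(entries, route)


if __name__ == "__main__":
    # Constructed sample routes: two campus /30s (one is the VPNC's own OSPF uplink
    # subnet from the device-level table), the /19 itself, a /28 just below the GE
    # boundary, a /30 outside the /19, and a campus LAN prefix.
    for r in ("172.18.96.8/30", "172.18.106.16/30", "172.18.96.0/19",
              "172.18.96.0/28", "172.18.200.0/30", "10.0.6.0/24"):
        with_ge = redistribution_decision(r)
        no_ge = redistribution_decision(r, PTP_FILTER_NO_GE)
        print(f"{r:18} ge 29 -> {with_ge:6}  no GE -> {no_ge}")
```

Running the block shows the effect of GE 29: the /30 links (including the VPNC's own 172.18.106.16/30 uplink subnet) are denied, while the /19, the /28 and everything outside 172.18.96.0/19 fall through to the ANY entry and are permitted. The no-GE variant inverts the result for the /19 and the /30s, which is exactly the misconfiguration the note warns about. After applying the filter, confirm on a branch gateway that the /30 campus prefixes are absent from its route table.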

Step 6 Expand the Route Map dropdown, and click the + (plus sign) to create a new route map.

Step 7 Enter the following settings for the route map.

  • Name: Block_PTP
  • Sequence Number: 10
  • Action: Permit

Step 8 In the Match box, click the + (plus sign) to add a match.

Step 9 Set the type to IP Address and set the value to the PTP Prefix list.

Step 10 Click the + (plus sign) to add another match. Set the type to IP Address and set the value to the ANY Prefix list.

Step 11 Click Save, then click Save Settings.

Creating Route Map

Configure the Overlay Routing

Use this procedure to redistribute OSPF routes into the overlay so branches can reach corporate prefixes. Aruba SD-WAN automatically translates route costs between the overlay and data center to ensure symmetry.

Step 1 On the Gateways tab, in the Tunnels & Routing section, select Overlay Routing.

Step 2 On the Overlay Routing page, expand Redistribution to display the redistribution table.

Step 3 In the Redistribution table, click the + (plus sign) to create a new redistribution rule.

Step 4 In the Source Protocol dropdown, select OSPF. Static, connected, and BGP routes also are supported, though not shown in this example.

Step 5 In the Filter dropdown, select the OSPF route types to redistribute. This example uses Intra Area; other options can be selected depending on which OSPF routes the branches need.

Step 6 In the Route Map dropdown, select the Block_PTP route map created in the previous procedure.

Step 7 Click Save Settings.

Redistribute Routes

Redistribute SD-WAN Routes

Step 1 In Advanced Mode, select the Routing tab.

Step 2 Select OSPF.

Step 3 Select Redistribution and click the + (plus sign).

Step 4 Select the source protocol SDWAN Overlay. Select the Route Type E1 and set the Cost; in this case: 100.

Step 5 Click Save Settings in the bottom right corner.

Redistribute overlay to OSPF

Configure Aggregation Routes

This procedure uses DC aggregate routes to summarize the campus 10.X.X.X address space into one summary route. The VPNC advertises the summary route 10.0.0.0/13 (10.0.0.0 through 10.7.255.255) to each Branch Gateway. This is optional, but summarizing as much as possible is recommended to keep the branch route tables small. Make sure the aggregate actually covers the campus prefixes: a /13 covers only 10.0.0.0 through 10.7.255.255, so any campus network outside that range needs its own aggregate.

Step 1 On the Gateways tab, in the SDWAN & Routing section, select Overlay Routing.

Step 2 On the Overlay Routing page, expand Data Center Aggregate Routes to display the DC Aggregate Routes table.

Step 3 Uncheck Allow branch to branch. If selected, the VPNC becomes a transit site allowing branches to communicate through the VPNC. This is typically unwanted if all applications are centralized at the data center.

Step 4 In the DC Aggregate Routes table, click the + (plus sign) to create a new aggregate route. In this example, the 10.0.0.0/13 summary is used to summarize the corporate address space.

Step 5 In the IP Address column, enter 10.0.0.0, and in the Mask column, enter 255.248.0.0.

Step 6 Click Save Settings.

DC Aggregate

Configure Static Routes

This procedure configures the VPNC gateways with the routes needed to form IPsec tunnels over the INET and MPLS transports. The INET route is provided by a static default gateway and the MPLS route by a static route; in this example, the MPLS network can be summarized with the 100.100.7.0/24 prefix. These routes are applied at the group level because they are the same for all gateways in the group; they could instead be applied at the device level if the next hops differ. BGP can also be configured on the MPLS circuit to provide these routes. Although the default gateway is configured during the One Touch Provisioning (OTP) process, configure it at the group level as well.

First, create the MPLS static route:

Step 1 In Advanced Mode select the Routing tab.

Step 2 Select IP Routes.

Step 3 Expand IP Routes.

Step 4 Click the + (plus sign) to create a new static route.

Step 5 Enter the following information to create the MPLS route.

  • Destination IP address: 100.100.7.0
  • Destination network mask: 24
  • Forwarding settings: Use Forwarding Router Address
  • Next hop IP address: 100.100.7.1
  • Cost: 1
  • Distance: 1

Step 6 Click Save Settings.

VPNC Static Route

Second, create the static default gateway for the INET transport:

Step 1 Expand Static Default Gateway.

Step 2 Click the + (plus sign) to create a new static default gateway.

Step 3 Enter the following information to create the INET route.

  • Destination IP address: Default Gateway IP

  • Default Gateway IP: gateway IP of INET circuit

  • Cost: 1

Step 4 Click Save Settings.

VPNC Default Gateway

Configure VPNC Devices

After the group level configuration is complete, assign device-level configurations. This section walks through the remaining configuration, which is unique to each VPNC. The procedure is provided for one VPNC, but it must be repeated for the second VPNC in the group. Since the devices were moved to the group using preprovisioning, this configuration is completed before the gateways come online.

Assign a VPNC Device to a Group and Site

This step should have been completed in the Preparing to Deploy Aruba SD-Branch chapter. If it was not, refer to the procedure in that chapter before continuing.

Configure VPNC Device

This procedure is illustrated for one VPNC, but must be repeated for the second VPNC in the group. Because the devices were moved to the group using preprovisioning, this configuration can be complete before the device comes online.

Step 1 Go to the VPNC-RSVDC Group.

VPNC Select Group

Step 2 On the left menu, select Devices.

VPNC Select Device

Step 3 In the gateway list, select the first gateway to configure. Use the system MAC address to confirm which physical device you are selecting.

VPNC Select Group

Step 4 In the left navigation pane, select Device.

VPNC Select Device 2

Step 5 In the guided setup window, click Cancel, then click EXIT.

VPNC Cancel Guided Setup

Configure Hostname

Use this procedure to configure the hostname on the gateway.

Step 1 Go to the Gateway configuration and click Basic Mode.

Step 2 Select System > Hostname.

Step 3 Enter the Hostname.

Step 4 Click Save Settings.

Configure Hostname

Configure the System IP for the VPNC Device

Use this procedure to define the system IP address the gateway will use for network services. Ensure that Basic Mode is still selected.

Step 1 Select System > System IP.

Step 2 In the VLAN Interface box, select the VLAN 2085.

Step 3 Click Save Settings.

Changing System IP

Assign IP Addresses to the VLANs

Step 1 Select the LAN tab, and select VLANs.

Step 2 In the VLANs table, select the VLAN to update, then click the edit (pencil) icon.

Step 3 In the VLAN window, assign the following settings, then click Save. (These settings are for the first VPNC.)

VLAN Name            VLAN ID   IP Address       Netmask
OSPF_LAN_UPLINK_1    2001      172.18.106.18    255.255.255.252
OSPF_LAN_UPLINK_2    2002      172.18.106.26    255.255.255.252
MPLS                 2086      100.100.7.5      255.255.255.240
INET                 2084      X.X.X.X          X.X.X.X

Configuring IP address

Step 4 Repeat steps 2 and 3 for each remaining VLAN. The final configuration should look like the image below.

Final VLAN configuration
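As an added check (example code written for this page, not part of the Aruba documentation or product), the following Python script validates the addressing that the group- and device-level procedures above rely on: the /30 OSPF uplinks and MPLS uplink from the VLAN table, the VLAN IDs against the reserved range, the 10.0.6.111 to 10.0.6.120 Gateway Pool, the 10.0.0.0/13 DC aggregate (mask 255.248.0.0), and the 100.100.7.0/24 MPLS static route with next hop 100.100.7.1. The INET entry is a placeholder (X.X.X.X) on the page and is left out; the values are copied from the first VPNC's tables and the function names are this example's own.

```python
import ipaddress
from typing import Dict, List, Tuple

# Values from the page's tables for the first VPNC (INET omitted: it is X.X.X.X on the page).
VLAN_IDS: Dict[str, int] = {"OSPF_LAN_UPLINK_1": 2001, "OSPF_LAN_UPLINK_2": 2002,
                            "INET": 2084, "GATEWAY_POOL": 2085, "MPLS": 2086}
VLAN_INTERFACES: Dict[str, ipaddress.IPv4Interface] = {
    "OSPF_LAN_UPLINK_1": ipaddress.ip_interface("172.18.106.18/255.255.255.252"),
    "OSPF_LAN_UPLINK_2": ipaddress.ip_interface("172.18.106.26/255.255.255.252"),
    "MPLS": ipaddress.ip_interface("100.100.7.5/255.255.255.240"),
}
GATEWAY_POOL = (ipaddress.ip_address("10.0.6.111"), ipaddress.ip_address("10.0.6.120"))
DC_AGGREGATE = ipaddress.ip_network("10.0.0.0/255.248.0.0")          # the page's 10.0.0.0/13
MPLS_STATIC_ROUTE: Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address] = (
    ipaddress.ip_network("100.100.7.0/24"), ipaddress.ip_address("100.100.7.1"))
RESERVED_VLAN_FLOOR = 4080   # VLANs 4080 and above are reserved on the gateway


def ptp_peer(iface: ipaddress.IPv4Interface) -> ipaddress.IPv4Address:
    """Return the far-end (campus) address of a /30 point-to-point link."""
    hosts = list(iface.network.hosts())
    if len(hosts) != 2:
        raise ValueError(f"{iface} is not a /30 point-to-point link")
    return hosts[1] if hosts[0] == iface.ip else hosts[0]


def pool_addresses(start: ipaddress.IPv4Address,
                   end: ipaddress.IPv4Address) -> List[ipaddress.IPv4Address]:
    """Expand a Gateway Pool start/end pair into the individual addresses."""
    return [ipaddress.ip_address(n) for n in range(int(start), int(end) + 1)]


def validate_plan(vlan_ids=VLAN_IDS, ifaces=VLAN_INTERFACES, pool=GATEWAY_POOL,
                  aggregate=DC_AGGREGATE, mpls_route=MPLS_STATIC_ROUTE) -> List[str]:
    """Return a list of problems; an empty list means the plan passes every check."""
    problems: List[str] = []
    # 1. No VLAN ID may fall in the reserved range.
    for name, vid in vlan_ids.items():
        if vid >= RESERVED_VLAN_FLOOR:
            problems.append(f"VLAN {name} uses reserved ID {vid}")
    # 2. Interface subnets must not overlap one another.
    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} and {b} subnets overlap")
    # 3. The OSPF uplinks are /30 links with exactly one peer each.
    for name in ("OSPF_LAN_UPLINK_1", "OSPF_LAN_UPLINK_2"):
        if ifaces[name].network.prefixlen != 30:
            problems.append(f"{name} is not a /30")
    # 4. The Gateway Pool (source of the System IP) must sit inside the DC aggregate
    #    the branches receive, and must not collide with any interface subnet.
    addrs = pool_addresses(*pool)
    if any(a not in aggregate for a in addrs):
        problems.append(f"gateway pool {pool[0]}-{pool[1]} is not covered by {aggregate}")
    for name, iface in ifaces.items():
        if any(a in iface.network for a in addrs):
            problems.append(f"gateway pool overlaps {name}")
    # 5. The MPLS static route's next hop must be on the connected MPLS subnet,
    #    and the route must cover that subnet so the far-end tunnel peers resolve.
    route, next_hop = mpls_route
    mpls_net = ifaces["MPLS"].network
    if next_hop not in mpls_net:
        problems.append(f"next hop {next_hop} is not on MPLS subnet {mpls_net}")
    if not mpls_net.subnet_of(route):
        problems.append(f"MPLS subnet {mpls_net} is not covered by static route {route}")
    return problems


def validate_with_next_hop(next_hop: str) -> List[str]:
    """Re-run the checks with a different MPLS next hop (what-if check for a typo)."""
    return validate_plan(mpls_route=(MPLS_STATIC_ROUTE[0], ipaddress.ip_address(next_hop)))


if __name__ == "__main__":
    for name in ("OSPF_LAN_UPLINK_1", "OSPF_LAN_UPLINK_2"):
        print(f"{name}: campus peer is {ptp_peer(VLAN_INTERFACES[name])}")
    print(f"gateway pool has {len(pool_addresses(*GATEWAY_POOL))} addresses in {DC_AGGREGATE}")
    print("plan problems:", validate_plan() or "none")
    print("typo'd next hop:", validate_with_next_hop("100.100.8.1"))
```

The peer addresses the script derives (172.18.106.17 and 172.18.106.25) are what the campus side of each OSPF uplink must be configured with; the next-hop check catches the common mistake of pointing the MPLS static route at an address that is not on the connected /28, which silently breaks tunnel formation over that transport.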

Configure the WAN Ports

In this procedure, configure the WAN uplinks and map them to the VLANs.

Step 1 Go to the WAN tab in Basic Mode.

Step 2 In the Uplinks table, click the + (plus sign).

Step 3 In the Add/Edit Uplink window, enter an uplink Name and select the uplink VLAN.

Note: If WAN type is set to Internet, enter a public IP address or use a private address and configure 1:1 NAT translation on the internet edge firewall. If WAN type is set to MPLS, the uplink name must match between the VPNC and BGW to enable automated tunnel orchestration between gateways.

Configuring WAN UPLINK

Note: While this example uses the name MPLS for the uplink, it is common to use a provider name to represent the private transport.

Onboard VPNC to Central

Static Provisioning (One Touch Provisioning)

The VPNCs in this deployment do not receive a DHCP address on any of their WAN connections, so they cannot reach Central on their own. To register these devices with Central, One Touch Provisioning must be used. This step can be skipped if the gateways connect to a device that assigns them a DHCP address and Internet access.

Step 1 Connect a terminal to the VPNC console port using the settings below.

  • Baud rate: 9600
  • Data bits: 8
  • Parity: None
  • Stop bits: 1
  • Flow control: None

Step 2 Select the static-activate option from the menu and follow the prompt to configure the WAN connection manually.

Static-Activate

Note: To bring up a Gateway using DHCP, see the “Configuring the Branch Gateway” section.



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.