07-Mar-24

Gateway Pre-Configuration

This section demonstrates configuring a gateway using pre-configuration. Pre-configuration uses a YAML file loaded into Orchestrator to configure gateways, as an alternative to using the configuration wizard to onboard gateways.

Pre-Configuration allows admins to configure devices before they are discovered in the Orchestrator.

The first section of this guide walks through the configuration of the Boise branch using pre-configuration. The Chicago site configuration differences are shown as well to demonstrate how to configure Edge-HA using a pre-configuration file.

  • See the sanitized Boise configuration file here

  • See the sanitized Chicago configuration file here


Note: For pre-configuration, the Orchestrator must be configured. Follow the steps in the “Preparing to Deploy Section” before following the pre-configuration steps below.

Building Non Redundant Branch Configuration

Using a text editor is the best method of building a configuration file that can be applied to devices. For additional details on Orchestrator configuration items not included in this guide, go to Configuration > Preconfigure Appliances and click New. The example and instructions shown there describe how to use each option.

Base Appliance Settings

Configure the Base Appliance settings, Hostname, Group, Software, Site Name, Location, Licensing, and Contact Information. When setting the group for the appliance, the group name must match the groups configured in Orchestrator. Be sure that the network role is set as a “Non-Hub” for all branches.

Input           Boise-Branch
Appliance       BOIBR-ECE-1
Group           Branch
Site Name       Boise-Branch
Contact Name    Aruba TME
Contact Email   Aruba-solution-tme-licenses@hpe.com
Address         12601 W Explorer Dr
City            Boise
State           Idaho
Zip Code        83713
License         Unlimited
applianceInfo:
  softwareVersion: 9.3.0.0_95721
  hostname: BOIBR-ECE1
  group: Branch
  site: Boise-Branch
  networkRole: non-hub
  region:
  location:
    address: 12601 W Explorer Dr
    address2:
    city: Boise
    state: Idaho
    zipCode: 83713
    country: US
  contact:
    name: Aruba TME
    email: Aruba-solution-tme-licenses@hpe.com
    phoneNumber:
ecLicensing:
  useDefaultAccount: true
  bandwidthLevel: unlimited

Orchestration Settings

The following settings first set the template group, which determines which template settings from the “Configuring template” section are applied. In this example there is only one template group. Second, the business intent overlay section defines which overlays are configured on the gateway.

If the template group is missing, the template configuration is not applied to the device. Similarly, if the overlays are missing, the gateway does not build tunnels to its peers. The gateway does not default to either of these settings.

  
templateGroups:
  groups:
    - Default Template Group

businessIntentOverlays:
  overlays:
    - RealTime
    - CriticalApps
    - BulkApps
    - DefaultOverlay

Interfaces Settings

The following section demonstrates how to configure the WAN and LAN interfaces. All interface configuration sits under the “deploymentInfo” key, which also requires the total inbound/outbound bandwidth for the WAN interfaces.

When configuring LAN sub-interfaces, note that there is no key/value pair to identify the VLAN. The VLAN is identified in the interface name (after the dot). For example, lan0.101 specifies that the sub-interface is tagged with VLAN 101. When applying labels, segments, and zones, ensure that they are spelled exactly as they are configured in Orchestrator. WAN interfaces are slightly different and require entry of upload/download speed, firewall mode and NAT mode. If a WAN interface uses DHCP, leave the IP address and next hop empty.

VLAN ID   Label        FW Zone   Segment      BOIBR-ECE1 IP Address
100       MGMT VLAN    LAN       Default      10.14.48.1/24
101       Employee     LAN       Default      10.14.49.1/24
102       Camera       LAN       Default      10.14.50.1/24
103       IOT          IOT       Default      10.14.51.1/24
104       Guest        Default   guest        10.14.52.1/24
105       Reject       LAN       Default      10.14.53.1/24
106       Critical     LAN       Default      10.14.54.1/24
107       Quarantine   Default   quarantine   10.14.55.1/24
          MPLS1        WAN       Default      100.100.7.66/29 (NH 100.100.7.65)
          INET1        WAN       Default      DHCP
deploymentInfo:
  deploymentMode: inline-router
  totalOutboundBandwidth: 30000
  totalInboundBandwidth: 110000
  shapeInboundTraffic: true
  ipsecUdpPort: 12000
  passThroughShapedTraffic:
    outboundMaxBandwidth: 110000
  deploymentInterfaces:
    - interfaceName: lan0
      interfaceLabel: MGMT
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.48.1/24
      segment: Default
      zone: LAN

    - interfaceName: lan0.101
      interfaceLabel: EMPLOYEE
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.49.1/24
      segment: Default
      zone: LAN

    - interfaceName: lan0.102
      interfaceLabel: CAMERA
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.50.1/24
      segment: Default
      zone: LAN

    - interfaceName: lan0.103
      interfaceLabel: IOT
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.51.1/24
      segment: Default
      zone: LAN

    - interfaceName: lan0.104
      interfaceLabel: GUEST
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.52.1/24
      segment: guest

    - interfaceName: lan0.105
      interfaceLabel: REJECT
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.53.1/24
      segment: Default
      zone: LAN

    - interfaceName: lan0.106
      interfaceLabel: CRITICAL
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.54.1/24
      segment: Default
      zone: LAN

    - interfaceName: lan0.107
      interfaceLabel: QUARANTINE
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.55.1/24
      segment: quarantine

    - interfaceName: wan0
      interfaceLabel: INET1
      interfaceType: wan
      interfaceComment: INET DHCP
      ipAddressMask:
      nextHop:
      outboundMaxBandwidth: 100000
      inboundMaxBandwidth: 25000
      firewallMode: statefulSNAT
      behindNat: none
      zone: WAN

    - interfaceName: wan1
      interfaceLabel: MPLS1
      interfaceType: wan
      interfaceComment: MPLS
      ipAddressMask: 100.100.7.66/29
      nextHop: 100.100.7.65
      outboundMaxBandwidth: 10000
      inboundMaxBandwidth: 5000
      firewallMode: statefulSNAT
      behindNat: none
      zone: WAN

DHCP Settings

The following configuration displays how to configure DHCP relay and a local DHCP server. For simplicity, not all LAN interfaces are displayed. Lan0.106 is the critical auth VLAN that requires a local DHCP server. See the difference in the configuration below.

dhcpInfo:
  - dhcpInterfaceName: lan0
    dhcpType: relay
    dhcpProxyServers:
      - 10.2.120.99
      - 10.2.120.98

  - dhcpInterfaceName: lan0.101
    dhcpType: relay
    dhcpProxyServers:
      - 10.2.120.99
      - 10.2.120.98
  ...

  - dhcpInterfaceName: lan0.106
    dhcpType: server
    dhcpAddressMask: 10.14.54.0/24
    startIpAddress: 10.14.54.10
    endIpAddress: 10.14.54.200
    gatewayIpAddress: 10.14.54.1
    dnsServers:
      - 8.8.4.4
      - 8.8.8.8
    maximumLease: 24
    defaultLease: 24

  - dhcpInterfaceName: lan0.107
    dhcpType: relay
    dhcpProxyServers:
      - 10.2.120.99
      - 10.2.120.98

Route Settings

The following configuration shows how to configure a summary route for the site. The top-level setting determines whether subnet information is shared within the fabric. In addition, “advertiseLocalLanSubnets” and “advertiseLocalWanSubnets” determine whether the locally connected subnets are shared automatically. Best practice is to advertise a summary route instead, so that the individual subnets are not shared. To create a summary route, enter the route, omit the next hop key, and set the advertise value to “true”.

localRoutes:
  useSharedSubnetInfo: true
  advertiseLocalLanSubnets: false
  advertiseLocalWanSubnets: false
  localMetric: 50
  redistToSDwanFabricRouteMap: "default_rtmap_to_subsh"

  routes:
    - routeIpSubnet: 10.14.48.0/21
      interfaceName: lan0
      metric: 50
      advertise: true
      advertiseToBgp: false
      advertiseToOspf: false
      tag: ANY
      zone:
      comment: Site summary route

Configuring the Redundant Site

The redundant site has all of the configuration shown above in addition to Edge HA, DHCP HA, VRRP, and IP SLAs. This section uses the Chicago branch site as the example. The IP ranges and inputs used for the Chicago branch site are shown below.

Input           Chicago-Branch
Appliance       CHIBR-ECE-1 / CHIBR-ECE-2
Group           Branch
Site Name       Chicago-Branch
Contact Name    Aruba TME
Contact Email   Aruba-solution-tme-licenses@hpe.com
Address         303 E Wacker Dr Suite 2700
City            Chicago
State           Illinois
Zip Code        60601

VLAN ID   Label        FW Zone   Segment      CHIBR-ECE-1 IP Address   CHIBR-ECE-2 IP Address
100       MGMT VLAN    LAN       Default      10.14.32.2/24            10.14.32.3/24
101       Employee     LAN       Default      10.14.33.3/24            10.14.33.3/24
102       Camera       LAN       Default      10.14.34.3/24            10.14.34.3/24
103       IOT          IOT       Default      10.14.35.3/24            10.14.35.3/24
104       Guest        Default   guest        10.14.36.3/24            10.14.36.3/24
105       Reject       LAN       Default      10.14.37.3/24            10.14.37.3/24
106       Critical     LAN       Default      10.14.38.3/24            10.14.38.3/24
107       Quarantine   Default   quarantine   10.14.39.3/24            10.14.39.3/24
          MPLS1        WAN       Default      100.100.7.50/29 (NH 100.100.7.49)
          INET1        WAN       Default      DHCP

Summary Address: 10.14.32.0/21

Default Gateway: A VRRP Virtual IP address of 10.14.X.1 for each VLAN.

Edge HA Settings

Edge HA enables the two gateways at a site to share their WAN uplinks with each other over a dedicated LAN connection. When configuring Edge HA, check the following configuration options:

Edge HA Configuration Location: The Edge HA configuration must be nested under the “deployment info” at the same level as the “deploymentInterfaces”.

UDP Port: The UDP Port must be unique for each Edge HA Peer.

WAN Interfaces: All WAN interfaces for both peers should be listed under haInterfaceOrder, separated by a comma.

Peer Information: Serial, Inbound/Outbound Bandwidth, and interface label values are required to configure the peer.

Chicago ECE 1 HA Configuration

deploymentInfo:
  deploymentMode: inline-router
  totalOutboundBandwidth: 25000
  totalInboundBandwidth: 100000
  shapeInboundTraffic: true
  ipsecUdpPort: 12010
  passThroughShapedTraffic:
    outboundMaxBandwidth: 25000
  deploymentInterfaces:
    ...
    - interfaceName: lan1.107
      interfaceLabel: QUARANTINE
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.39.2/24
      segment: quarantine

    - interfaceName: wan0
      interfaceLabel: INET1
      interfaceType: wan
      interfaceComment: wan interface
      ipAddressMask:
      nextHop:
      outboundMaxBandwidth: 100000
      inboundMaxBandwidth: 25000
      firewallMode: statefulSNAT
      behindNat: auto
      zone: WAN

  haConfig:
    haPeerSerial: 001BBC1E20C4
    haIpPool: 169.254.1.0/24
    haSubnetMask: 30
    haVlanStart: 4000
    haInterface: lan0
    haInterfaceOrder: MPLS1,INET1
    haPeerInterfaceInfo:
      - interfaceLabel: MPLS1
        outbound: 10000
        inbound: 5000
        segment: Default
        zone: WAN

Chicago ECE 2 HA Configuration

deploymentInfo:
  deploymentMode: inline-router
  totalOutboundBandwidth: 25000
  totalInboundBandwidth: 100000
  shapeInboundTraffic: true
  ipsecUdpPort: 12020
  passThroughShapedTraffic:
    outboundMaxBandwidth: 100000
  deploymentInterfaces:
    ...
    - interfaceName: lan1.107
      interfaceLabel: QUARANTINE
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.39.3/24
      segment: quarantine

    - interfaceName: wan1
      interfaceLabel: MPLS1
      interfaceType: wan
      interfaceComment: wan interface
      ipAddressMask: 100.100.7.50/29
      nextHop: 100.100.7.49
      outboundMaxBandwidth: 10000
      inboundMaxBandwidth: 5000
      firewallMode: statefulSNAT
      behindNat: auto
      zone: WAN

  haConfig:
    haPeerSerial: 001BBC1E164A
    haIpPool: 169.254.1.0/24
    haSubnetMask: 30
    haVlanStart: 4000
    haInterface: lan0
    haInterfaceOrder: MPLS1,INET1
    haPeerInterfaceInfo:
      - interfaceLabel: INET1
        outbound: 100000
        inbound: 25000
        segment: Default
        zone:

DHCP HA Settings

DHCP HA allows one of the gateways to take over as a DHCP server in case of failure. This should be configured in the same stanza as the “dhcpInfo” stanza. Use the management IPs for each gateway as the source/destination IP addresses. The example below shows the configuration for CHI-ECE-1. The IP address and peer IP address fields should be swapped on CHI-ECE-2.

dhcpInfo:
  ...
  - dhcpInterfaceName: lan1.106
    dhcpType: server
    dhcpAddressMask: 10.14.38.0/24
    startIpAddress: 10.14.38.10
    endIpAddress: 10.14.38.200
    gatewayIpAddress: 10.14.38.1
    dnsServers:
      - 8.8.4.4
      - 8.8.8.8
    maximumLease: 24
    defaultLease: 24

  - dhcpInterfaceName: lan1.107
    dhcpType: relay
    dhcpProxyServers:
      - 10.2.120.99
      - 10.2.120.98
    dhcpHA:
      dhcpFailoverRole: primary
      ipAddress: 10.14.32.2
      ipAddressPort: 647
      peerIpAddress: 10.14.32.3
      peerIpAddressPort: 647
      mclt: 3600
      split: 128
      maxResponseDelay: 10
      maxUnackedUpdates: 10
      loadBalanceMaxSeconds: 5

VRRP Settings

The configuration for VRRP on the CHI-ECE-1 template is shown below. This configuration should be the same on CHI-ECE-2, with the priority setting as the only difference: on CHI-ECE-2 the priority should be lower than on CHI-ECE-1.

Caution: Ensure that devices and Orchestrator are on the same major version. For example: 9.2 Orchestrator and appliance or 9.3 Orchestrator and appliance.

vrrp:
  vrrpEntries:
    - groupId: 100
      interfaceName: lan1
      admin: Up
      virtualIpAddress: 10.14.32.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 101
      interfaceName: lan1.101
      admin: Up
      virtualIpAddress: 10.14.33.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 102
      interfaceName: lan1.102
      admin: Up
      virtualIpAddress: 10.14.34.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 103
      interfaceName: lan1.103
      admin: Up
      virtualIpAddress: 10.14.35.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 104
      interfaceName: lan1.104
      admin: Up
      virtualIpAddress: 10.14.36.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 105
      interfaceName: lan1.105
      admin: Up
      virtualIpAddress: 10.14.37.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 106
      interfaceName: lan1.106
      admin: Up
      virtualIpAddress: 10.14.38.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 107
      interfaceName: lan1.107
      admin: Up
      virtualIpAddress: 10.14.39.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
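The per-peer rules above (unique ipsecUdpPort, haInterfaceOrder listing both peers' WAN labels, swapped DHCP HA addresses, lower VRRP priority on the second gateway) and the single-site rules from the Interfaces and Route sections are easy to get wrong by hand. The following added checker is example code, not HPE/Aruba code: ORCH_LABELS is an assumed Orchestrator label set, and ECE1/ECE2 are constructed, trimmed versions of the Chicago fragments in the dict form a YAML loader would produce.

```python
"""Pre-load consistency checks for an EdgeConnect pre-configuration pair (added
example, not HPE/Aruba code; ECE1/ECE2 are constructed, trimmed parsed YAML)."""
import copy

ORCH_LABELS = {"MGMT", "QUARANTINE", "INET1", "MPLS1"}  # assumed Orchestrator label set
ECE1 = {  # INET1 is local on ECE-1; MPLS1 is reached through the HA peer
    "deploymentInfo": {
        "ipsecUdpPort": 12010,
        "deploymentInterfaces": [
            {"interfaceName": "lan1", "interfaceLabel": "MGMT", "interfaceType": "lan"},
            {"interfaceName": "lan1.107", "interfaceLabel": "QUARANTINE", "interfaceType": "lan"},
            {"interfaceName": "wan0", "interfaceLabel": "INET1", "interfaceType": "wan",
             "ipAddressMask": None, "nextHop": None}],
        "haConfig": {"haInterfaceOrder": "MPLS1,INET1"}},
    "dhcpInfo": [{"dhcpInterfaceName": "lan1.107", "dhcpType": "relay",
                  "dhcpHA": {"ipAddress": "10.14.32.2", "peerIpAddress": "10.14.32.3"}}],
    "vrrp": {"vrrpEntries": [{"groupId": 100, "priority": 128}]},
    "localRoutes": {"routes": [{"routeIpSubnet": "10.14.32.0/21", "advertise": True}]}}

# ECE-2 is the same file with only the per-peer differences the text lists.
ECE2 = copy.deepcopy(ECE1)
ECE2["deploymentInfo"]["ipsecUdpPort"] = 12020
ECE2["deploymentInfo"]["deploymentInterfaces"][2] = {
    "interfaceName": "wan1", "interfaceLabel": "MPLS1", "interfaceType": "wan",
    "ipAddressMask": "100.100.7.50/29", "nextHop": "100.100.7.49"}
ECE2["dhcpInfo"][0]["dhcpHA"] = {"ipAddress": "10.14.32.3", "peerIpAddress": "10.14.32.2"}
ECE2["vrrp"]["vrrpEntries"][0]["priority"] = 100


def wan_labels(cfg):
    return {i["interfaceLabel"] for i in cfg["deploymentInfo"]["deploymentInterfaces"]
            if i["interfaceType"] == "wan"}


def check_site(cfg):
    """Rules from the Interfaces, Route and Edge HA sections; returns the problems found."""
    problems = []
    for itf in cfg["deploymentInfo"]["deploymentInterfaces"]:
        name, label = itf["interfaceName"], itf["interfaceLabel"]
        if label not in ORCH_LABELS:  # labels must match Orchestrator spelling exactly
            problems.append(f"{name}: label {label!r} is not defined in Orchestrator")
        tag = name.partition(".")[2]  # the VLAN lives only in the name, after the dot
        if "." in name and not (tag.isdigit() and 1 <= int(tag) <= 4094):
            problems.append(f"{name}: sub-interface suffix is not a VLAN id")
        if itf["interfaceType"] == "wan" and bool(itf.get("ipAddressMask")) != bool(itf.get("nextHop")):
            problems.append(f"{name}: static WAN needs address and next hop, DHCP WAN needs neither")
    for r in cfg.get("localRoutes", {}).get("routes", []):
        if r.get("advertise") and r.get("nextHop"):
            problems.append(f"{r['routeIpSubnet']}: a summary route must not carry a next hop")
    if "haConfig" in cfg:  # must sit beside deploymentInterfaces, not at the top level
        problems.append("haConfig must be nested under deploymentInfo")
    return problems


def check_pair(a, b):
    """Rules that only hold across the two Edge HA peers (a = ECE-1, b = ECE-2)."""
    problems = []
    if a["deploymentInfo"]["ipsecUdpPort"] == b["deploymentInfo"]["ipsecUdpPort"]:
        problems.append("ipsecUdpPort must be unique per HA peer")
    all_wan = wan_labels(a) | wan_labels(b)
    for tag, cfg in (("ECE-1", a), ("ECE-2", b)):
        if set(cfg["deploymentInfo"]["haConfig"]["haInterfaceOrder"].split(",")) != all_wan:
            problems.append(f"{tag}: haInterfaceOrder must list every WAN label of both peers")
    ha_a, ha_b = (next(d["dhcpHA"] for d in c["dhcpInfo"] if "dhcpHA" in d) for c in (a, b))
    if (ha_a["ipAddress"], ha_a["peerIpAddress"]) != (ha_b["peerIpAddress"], ha_b["ipAddress"]):
        problems.append("dhcpHA ipAddress/peerIpAddress must be swapped on the second peer")
    prio_a = {e["groupId"]: e["priority"] for e in a["vrrp"]["vrrpEntries"]}
    for e in b["vrrp"]["vrrpEntries"]:
        if e["priority"] >= prio_a.get(e["groupId"], 0):
            problems.append(f"VRRP group {e['groupId']}: ECE-2 priority must be lower than ECE-1")
    return problems
```

Run check_site on each file and check_pair on the two together before pasting them into Preconfigure Appliances; an empty list means the rules stated in this guide are satisfied.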

VRRP IP SLA Settings

To enable VRRP to fail over dynamically between the peers, an IP SLA must be configured. The following example shows how to configure a VRRP SLA that automatically decreases or increases the priority when one of the gateways goes down or comes back. This configuration is the same on both devices.

ipSlaRule:
  ruleEntries:
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.101
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.101
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.101
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.102
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.102
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.102
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.103
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.103
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.103
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.104
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.104
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.104
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.105
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.105
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.105
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.106
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.106
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.106
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.107
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.107
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.107
        priority: 100

Applying the Configuration

In the previous sections, configuration files were built for both the redundant and non-redundant sites. This section demonstrates how to load the configuration files into Orchestrator. These configuration files are used as a starting point for future gateways.

Loading Configuration

Orchestrator does not allow for placeholder configuration, so these files cannot be used as a “template”; however, the created configuration files can be used as a starting point for new devices by leaving the “Serial” field empty, indicating that the configuration does not apply to a device.

Step 1 Go to Configuration > Preconfigure Appliances.

Step 2 Click the New button on the top left.

Step 3 Erase the example configuration on the left side.

Step 4 Copy the “Standalone Boise” configuration into the window.

Step 5 Enter the name: Non_Redundant_Site.


Step 6 Repeat Steps 2 to 5 for the other configurations using the following names.

  • Name: Internet_Only_Redundant_Site
  • Name: MPLS_Only_Redundant_Site


Linking the Configuration to Gateways

After the configuration files are loaded, follow these steps to use them as a starting point for other gateways. In the previous step, the files were loaded but the Serial field was left blank.

The procedure below clones the starting file and uses the serial field to link devices to a configuration. The starting configuration files do not require changes since they were made for the devices to be onboarded. However, if another branch is introduced, these files should be adjusted for that device.

Step 1 Select the Non_Redundant_Site.

Step 2 Click the Clone From Existing button.

Step 3 Enter the device name
Name: BOIBR-ECE1

Step 4 Enter the serial number of the gateway. Serial: 001BBC1E1656

Step 5 Repeat Steps 1 to 4 entering the appropriate information for each gateway.

Note: The Auto Approve when Discovered checkbox can be checked, depending on the workflow for an organization.


Discover Gateways and Apply Configuration

This section demonstrates how the configuration is applied to a device after it has been discovered.

Step 1 Click Appliances Discovered on the top right.

Step 2 In the list of appliances, click Approve.

Step 3 Click Skip in the upgrade window.

Step 4 Click Apply Pre-configuration.

Step 5 Click Close.

Step 6 Repeat Steps 2 to 5 for the other appliances.


Verification

Ensure that the tunnels are up: navigate to Configuration > Tunnels.


Ensure that the configuration is accurate: right-click the newly onboarded gateway and select Deployment.




© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.