Gateway Pre-Configuration
This section demonstrates configuring a gateway with pre-configuration. Pre-configuration uses a YAML file loaded into Orchestrator to configure gateways, as an alternative to onboarding them with the configuration wizard. It lets administrators define a device's configuration before the device is discovered by Orchestrator.
The first section of this guide walks through the configuration of the Boise branch using pre-configuration. The Chicago site configuration differences are shown as well to demonstrate how to configure Edge-HA using a pre-configuration file.
Table of contents
Note: Pre-configuration requires that Orchestrator itself is already configured. Follow the steps in the "Preparing to Deploy" section before following the pre-configuration steps below.
Building Non Redundant Branch Configuration
Using a text editor is the best way to build a configuration file that can be applied to devices. For details on Orchestrator configuration items not covered in this guide, go to Configuration > Preconfigure Appliances and click New; the example configuration shown there lists the available keys and describes how to use each option.
Base Appliance Settings
Configure the base appliance settings: hostname, group, software version, site name, location, licensing, and contact information. The group name must match a group already configured in Orchestrator. Set the network role to "non-hub" for all branches.
Input | Boise-Branch |
---|---|
Appliance | BOIBR-ECE1 |
Group | Branch |
Site Name | Boise-Branch |
Contact Name | Aruba TME |
Contact Email | Aruba-solution-tme-licenses@hpe.com |
Address | 12601 W Explorer Dr |
City | Boise |
State | Idaho |
Zip Code | 83713 |
License | Unlimited |
```yaml
applianceInfo:
  softwareVersion: 9.3.0.0_95721
  hostname: BOIBR-ECE1
  group: Branch
  site: Boise-Branch
  networkRole: non-hub
  region:
  location:
    address: 12601 W Explorer Dr
    address2:
    city: Boise
    state: Idaho
    zipCode: 83713
    country: US
  contact:
    name: Aruba TME
    email: Aruba-solution-tme-licenses@hpe.com
    phoneNumber:
  ecLicensing:
    useDefaultAccount: true
    bandwidthLevel: unlimited
```
Orchestration Settings
The following settings first select the template group, which determines which template settings from the "Configuring Templates" section are applied. In this example there is only one template group. Second, the business intent overlay section defines which overlays are built on the gateway.
If the template group is missing, no template configuration is applied to the device. Similarly, if the overlays are missing from the file, the gateway does not build tunnels to its peers. Neither setting has a default, so both must be present in the file.
```yaml
templateGroups:
  groups:
    - Default Template Group
businessIntentOverlays:
  overlays:
    - RealTime
    - CriticalApps
    - BulkApps
    - DefaultOverlay
```
Interfaces Settings
The following section demonstrates how to configure the WAN and LAN interfaces. All interface configuration lives under the deploymentInfo key. The key also requires the total inbound and outbound bandwidth for the WAN interfaces; each total must equal the sum of the per-interface values in the same direction.
When configuring LAN sub-interfaces, note that there is no key/value pair for the VLAN. The VLAN is carried in the interface name, after the dot: for example, lan0.101 is a sub-interface tagged with VLAN 101. When applying labels, segments, and zones, spell them exactly as they are configured in Orchestrator, otherwise the interface does not receive the intended firewall policy; in this design the IOT VLAN (lan0.103) is placed in the IOT zone while the other LAN VLANs are in the LAN zone, and the guest and quarantine VLANs are isolated by segment. WAN interfaces are slightly different and require upload and download speed, firewall mode, and NAT mode. If a WAN interface uses DHCP, leave ipAddressMask and nextHop empty.
VLAN ID | Label | FW Zone | Segment | BOIBR-ECE1 IP Address |
---|---|---|---|---|
100 | MGMT VLAN | LAN | Default | 10.14.48.1/24 |
101 | Employee | LAN | Default | 10.14.49.1/24 |
102 | Camera | LAN | Default | 10.14.50.1/24 |
103 | IOT | IOT | Default | 10.14.51.1/24 |
104 | Guest | Default | guest | 10.14.52.1/24 |
105 | Reject | LAN | Default | 10.14.53.1/24 |
106 | Critical | LAN | Default | 10.14.54.1/24 |
107 | Quarantine | Default | quarantine | 10.14.55.1/24 |
— | MPLS1 | WAN | Default | 100.100.7.66/29 (NH 100.100.7.65) |
— | INET1 | WAN | Default | DHCP |
```yaml
deploymentInfo:
  deploymentMode: inline-router
  totalOutboundBandwidth: 110000
  totalInboundBandwidth: 30000
  shapeInboundTraffic: true
  ipsecUdpPort: 12000
  passThroughShapedTraffic:
    outboundMaxBandwidth: 110000
  deploymentInterfaces:
    - interfaceName: lan0
      interfaceLabel: MGMT
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.48.1/24
      segment: Default
      zone: LAN
    - interfaceName: lan0.101
      interfaceLabel: EMPLOYEE
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.49.1/24
      segment: Default
      zone: LAN
    - interfaceName: lan0.102
      interfaceLabel: CAMERA
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.50.1/24
      segment: Default
      zone: LAN
    - interfaceName: lan0.103
      interfaceLabel: IOT
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.51.1/24
      segment: Default
      zone: IOT
    - interfaceName: lan0.104
      interfaceLabel: GUEST
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.52.1/24
      segment: guest
    - interfaceName: lan0.105
      interfaceLabel: REJECT
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.53.1/24
      segment: Default
      zone: LAN
    - interfaceName: lan0.106
      interfaceLabel: CRITICAL
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.54.1/24
      segment: Default
      zone: LAN
    - interfaceName: lan0.107
      interfaceLabel: QUARANTINE
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.55.1/24
      segment: quarantine
    - interfaceName: wan0
      interfaceLabel: INET1
      interfaceType: wan
      interfaceComment: INET DHCP
      ipAddressMask:
      nextHop:
      outboundMaxBandwidth: 100000
      inboundMaxBandwidth: 25000
      firewallMode: statefulSNAT
      behindNat: none
      zone: WAN
    - interfaceName: wan1
      interfaceLabel: MPLS1
      interfaceType: wan
      interfaceComment: MPLS
      ipAddressMask: 100.100.7.66/29
      nextHop: 100.100.7.65
      outboundMaxBandwidth: 10000
      inboundMaxBandwidth: 5000
      firewallMode: statefulSNAT
      behindNat: none
      zone: WAN
```
DHCP Settings
The following configuration shows how to configure DHCP relay and a local DHCP server. For brevity, not all LAN interfaces are shown. lan0.106 is the critical-auth VLAN, which requires a local DHCP server rather than relay; compare its entry with the relay entries around it.
```yaml
dhcpInfo:
  - dhcpInterfaceName: lan0
    dhcpType: relay
    dhcpProxyServers:
      - 10.2.120.99
      - 10.2.120.98
  - dhcpInterfaceName: lan0.101
    dhcpType: relay
    dhcpProxyServers:
      - 10.2.120.99
      - 10.2.120.98
  ...
  - dhcpInterfaceName: lan0.106
    dhcpType: server
    dhcpAddressMask: 10.14.54.0/24
    startIpAddress: 10.14.54.10
    endIpAddress: 10.14.54.200
    gatewayIpAddress: 10.14.54.1
    dnsServers:
      - 8.8.4.4
      - 8.8.8.8
    maximumLease: 24
    defaultLease: 24
  - dhcpInterfaceName: lan0.107
    dhcpType: relay
    dhcpProxyServers:
      - 10.2.120.99
      - 10.2.120.98
```
Route Settings
The following configuration shows how to configure a summary route for the site. At the top level, useSharedSubnetInfo determines whether subnet information learned from the fabric is used; advertiseLocalLanSubnets and advertiseLocalWanSubnets determine whether the gateway's own subnets are shared into the fabric automatically. Best practice is to disable automatic advertisement and advertise a single summary route per site instead, so only the summary is shared. To create a summary route, add a route entry, omit the nextHop key, and set advertise to true. The summary must cover every LAN subnet at the site; here 10.14.48.0/21 covers 10.14.48.0 through 10.14.55.255, which includes all eight VLANs.
```yaml
localRoutes:
  useSharedSubnetInfo: true
  advertiseLocalLanSubnets: false
  advertiseLocalWanSubnets: false
  localMetric: 50
  redistToSDwanFabricRouteMap: "default_rtmap_to_subsh"
  routes:
    - routeIpSubnet: 10.14.48.0/21
      interfaceName: lan0
      metric: 50
      advertise: true
      advertiseToBgp: false
      advertiseToOspf: false
      tag: ANY
      zone:
      comment: Site summary route
```
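The interface and route rules above (VLAN carried in the sub-interface name, labels, zones and segments spelled as in Orchestrator, DHCP WAN interfaces without address or next hop, bandwidth totals equal to the per-interface sums, a summary route with no nextHop and advertise: true that covers every LAN subnet) can be checked before the file is loaded. The following Python script is an added example and is not part of this guide or of Orchestrator. It embeds the Boise configuration as a dict, which is what yaml.safe_load would return for the YAML file, trimmed to four interfaces so it runs offline without PyYAML; the KNOWN name sets are placeholders for whatever groups, template groups, overlays, labels, zones and segments your Orchestrator actually defines.

```python
"""Lint an Orchestrator pre-configuration file before loading it.
Added example, not part of the guide or of Orchestrator: encodes the rules the guide
states. KNOWN is a placeholder for the names your Orchestrator actually defines."""
import copy
import ipaddress
import re

# Constructed sample: what yaml.safe_load() returns for the Boise file, trimmed to four
# interfaces and embedded as a dict so the example runs without PyYAML.
BOISE = {
    "applianceInfo": {"hostname": "BOIBR-ECE1", "group": "Branch", "networkRole": "non-hub"},
    "templateGroups": {"groups": ["Default Template Group"]},
    "businessIntentOverlays": {"overlays": ["RealTime", "CriticalApps", "BulkApps", "DefaultOverlay"]},
    "deploymentInfo": {
        "totalOutboundBandwidth": 110000, "totalInboundBandwidth": 30000,
        "deploymentInterfaces": [
            {"interfaceName": "lan0", "interfaceLabel": "MGMT", "interfaceType": "lan",
             "ipAddressMask": "10.14.48.1/24", "segment": "Default", "zone": "LAN"},
            {"interfaceName": "lan0.104", "interfaceLabel": "GUEST", "interfaceType": "lan",
             "ipAddressMask": "10.14.52.1/24", "segment": "guest"},
            {"interfaceName": "wan0", "interfaceLabel": "INET1", "interfaceType": "wan",
             "ipAddressMask": None, "nextHop": None, "outboundMaxBandwidth": 100000,
             "inboundMaxBandwidth": 25000, "firewallMode": "statefulSNAT", "behindNat": "none", "zone": "WAN"},
            {"interfaceName": "wan1", "interfaceLabel": "MPLS1", "interfaceType": "wan",
             "ipAddressMask": "100.100.7.66/29", "nextHop": "100.100.7.65", "outboundMaxBandwidth": 10000,
             "inboundMaxBandwidth": 5000, "firewallMode": "statefulSNAT", "behindNat": "none", "zone": "WAN"},
        ],
    },
    "localRoutes": {
        "advertiseLocalLanSubnets": False, "advertiseLocalWanSubnets": False,
        "routes": [{"routeIpSubnet": "10.14.48.0/21", "interfaceName": "lan0", "advertise": True}],
    },
}
KNOWN = {  # placeholder: names exactly as defined in Orchestrator
    "groups": {"Branch"}, "templateGroups": {"Default Template Group"},
    "overlays": {"RealTime", "CriticalApps", "BulkApps", "DefaultOverlay"},
    "labels": {"MGMT", "EMPLOYEE", "CAMERA", "IOT", "GUEST", "REJECT", "CRITICAL", "QUARANTINE", "INET1", "MPLS1"},
    "zones": {"Default", "LAN", "IOT", "WAN"}, "segments": {"Default", "guest", "quarantine"},
}
IFNAME = re.compile(r"^(?:lan|wan)\d+(?:\.(\d+))?$")  # the VLAN tag, if any, follows the dot


def lint(cfg, known=KNOWN):
    """Return a list of problems; an empty list means the file is consistent."""
    p, info = [], cfg.get("applianceInfo", {})
    if info.get("group") not in known["groups"]:
        p.append(f"group {info.get('group')!r} is not defined in Orchestrator")
    if info.get("networkRole") != "non-hub":
        p.append("branch networkRole must be non-hub")
    tgs = cfg.get("templateGroups", {}).get("groups") or []
    ovl = cfg.get("businessIntentOverlays", {}).get("overlays") or []
    if not tgs:
        p.append("no template group: template settings will not be applied")
    if not ovl:
        p.append("no overlays: the gateway will build no tunnels")
    p += [f"unknown template group {t!r}" for t in tgs if t not in known["templateGroups"]]
    p += [f"unknown overlay {o!r}" for o in ovl if o not in known["overlays"]]
    dep, lan_nets, vlans, wan_out, wan_in = cfg.get("deploymentInfo", {}), [], set(), 0, 0
    for i in dep.get("deploymentInterfaces", []):
        name, m = i.get("interfaceName", ""), IFNAME.match(i.get("interfaceName", ""))
        if not m:
            p.append(f"{name!r}: malformed interface name")
            continue
        if i.get("interfaceLabel") not in known["labels"]:
            p.append(f"{name}: unknown label {i.get('interfaceLabel')!r}")
        if (i.get("segment") or "Default") not in known["segments"]:  # empty segment means Default
            p.append(f"{name}: unknown segment {i.get('segment')!r}")
        if i.get("zone") and i["zone"] not in known["zones"]:
            p.append(f"{name}: unknown zone {i['zone']!r}")
        if i.get("interfaceType") == "lan":
            if m.group(1) is not None:  # tagged sub-interface: VLAN must be valid and unique
                vlan = int(m.group(1))
                if not 1 <= vlan <= 4094 or vlan in vlans:
                    p.append(f"{name}: invalid or duplicate VLAN {vlan}")
                vlans.add(vlan)
            try:
                lan_nets.append(ipaddress.ip_interface(i["ipAddressMask"]).network)
            except (KeyError, TypeError, ValueError):
                p.append(f"{name}: LAN interface needs a valid ipAddressMask")
        elif i.get("interfaceType") == "wan":
            p += [f"{name}: WAN interface missing {k}" for k in
                  ("outboundMaxBandwidth", "inboundMaxBandwidth", "firewallMode", "behindNat") if i.get(k) in (None, "")]
            if not i.get("ipAddressMask") and i.get("nextHop"):
                p.append(f"{name}: DHCP WAN interface must not set nextHop")
            if i.get("ipAddressMask") and not i.get("nextHop"):
                p.append(f"{name}: static WAN interface needs nextHop")
            wan_out += i.get("outboundMaxBandwidth") or 0
            wan_in += i.get("inboundMaxBandwidth") or 0
    if (dep.get("totalOutboundBandwidth"), dep.get("totalInboundBandwidth")) != (wan_out, wan_in):
        p.append(f"totals out/in {dep.get('totalOutboundBandwidth')}/{dep.get('totalInboundBandwidth')} "
                 f"!= WAN sums {wan_out}/{wan_in}")
    lr = cfg.get("localRoutes", {})
    summaries = [ipaddress.ip_network(r["routeIpSubnet"]) for r in lr.get("routes", [])
                 if not r.get("nextHop") and r.get("advertise")]  # summary = advertised, no next hop
    if not lr.get("advertiseLocalLanSubnets") and not summaries:
        p.append("LAN subnets are neither auto-advertised nor summarized: site is unreachable")
    p += [f"{n} is not covered by an advertised summary route"
          for n in lan_nets if not any(n.subnet_of(s) for s in summaries)]
    return p


def broken_example():
    """Constructed negative case: the Boise file with three mistakes the guide warns about."""
    bad = copy.deepcopy(BOISE)
    dep = bad["deploymentInfo"]
    dep["totalOutboundBandwidth"], dep["totalInboundBandwidth"] = 30000, 110000  # directions swapped
    dep["deploymentInterfaces"][1]["zone"] = "Guest"  # zone name that Orchestrator does not define
    dep["deploymentInterfaces"][2]["nextHop"] = "192.0.2.1"  # next hop on a DHCP WAN interface
    return lint(bad)
```

Run `lint(yaml.safe_load(open("boise.yaml")))` against the real file once PyYAML is installed; `broken_example()` shows the three findings a swapped bandwidth total, a misspelled zone and a next hop on a DHCP uplink produce. The summary-route check uses the same logic for any site: every LAN subnet must fall inside an advertised route that has no next hop.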
Configuring the Redundant Site
The redundant site has all the configuration shown above plus Edge HA, DHCP HA, VRRP, and IP SLAs. This section uses the Chicago branch as the example. The IP ranges and inputs for the Chicago branch are shown below.
Input | Chicago-Branch |
---|---|
Appliance | CHIBR-ECE-1/CHIBR-ECE-2 |
Group | Branch |
Site Name | Chicago-Branch |
Contact Name | Aruba TME |
Contact Email | Aruba-solution-tme-licenses@hpe.com |
Address | 303 E Wacker Dr Suite 2700 |
City | Chicago |
State | Illinois |
Zip Code | 60601 |
VLAN ID | Label | FW Zone | Segment | CHIBR-ECE-1 IP Address | CHIBR-ECE-2 IP Address |
---|---|---|---|---|---|
100 | MGMT VLAN | LAN | Default | 10.14.32.2/24 | 10.14.32.3/24 |
101 | Employee | LAN | Default | 10.14.33.2/24 | 10.14.33.3/24 |
102 | Camera | LAN | Default | 10.14.34.2/24 | 10.14.34.3/24 |
103 | IOT | IOT | Default | 10.14.35.2/24 | 10.14.35.3/24 |
104 | Guest | Default | guest | 10.14.36.2/24 | 10.14.36.3/24 |
105 | Reject | LAN | Default | 10.14.37.2/24 | 10.14.37.3/24 |
106 | Critical | LAN | Default | 10.14.38.2/24 | 10.14.38.3/24 |
107 | Quarantine | Default | quarantine | 10.14.39.2/24 | 10.14.39.3/24 |
— | MPLS1 | WAN | Default | — | 100.100.7.50/29 (NH 100.100.7.49) |
— | INET1 | WAN | Default | DHCP | — |
Summary Address: 10.14.32.0/21
Default Gateway: A VRRP Virtual IP address of 10.14.X.1 for each VLAN.
Edge HA Settings
Edge HA lets the two gateways at a site share each other's WAN uplinks over a dedicated LAN connection between them. When configuring Edge HA, check the following:
Edge HA Configuration Location: The haConfig stanza must be nested under deploymentInfo at the same level as deploymentInterfaces.
UDP Port: The ipsecUdpPort must be unique for each Edge HA peer.
WAN Interfaces: The labels of all WAN interfaces on both peers must be listed in haInterfaceOrder, separated by commas.
Peer Information: The peer's serial number and, for each of the peer's WAN interfaces, its label and inbound/outbound bandwidth are required under haConfig.
Chicago ECE 1 HA Configuration
```yaml
deploymentInfo:
  deploymentMode: inline-router
  totalOutboundBandwidth: 25000
  totalInboundBandwidth: 100000
  shapeInboundTraffic: true
  ipsecUdpPort: 12010
  passThroughShapedTraffic:
    outboundMaxBandwidth: 25000
  deploymentInterfaces:
    ...
    - interfaceName: lan1.107
      interfaceLabel: QUARANTINE
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.39.2/24
      segment: quarantine
    - interfaceName: wan0
      interfaceLabel: INET1
      interfaceType: wan
      interfaceComment: wan interface
      ipAddressMask:
      nextHop:
      outboundMaxBandwidth: 100000
      inboundMaxBandwidth: 25000
      firewallMode: statefulSNAT
      behindNat: auto
      zone: WAN
  haConfig:
    haPeerSerial: 001BBC1E20C4
    haIpPool: 169.254.1.0/24
    haSubnetMask: 30
    haVlanStart: 4000
    haInterface: lan0
    haInterfaceOrder: MPLS1,INET1
    haPeerInterfaceInfo:
      - interfaceLabel: MPLS1
        outbound: 10000
        inbound: 5000
        segment: Default
        zone: WAN
```
Chicago ECE 2 HA Configuration
```yaml
deploymentInfo:
  deploymentMode: inline-router
  totalOutboundBandwidth: 25000
  totalInboundBandwidth: 100000
  shapeInboundTraffic: true
  ipsecUdpPort: 12020
  passThroughShapedTraffic:
    outboundMaxBandwidth: 100000
  deploymentInterfaces:
    ...
    - interfaceName: lan1.107
      interfaceLabel: QUARANTINE
      interfaceType: lan
      interfaceComment: lan interface
      ipAddressMask: 10.14.39.3/24
      segment: quarantine
    - interfaceName: wan1
      interfaceLabel: MPLS1
      interfaceType: wan
      interfaceComment: wan interface
      ipAddressMask: 100.100.7.50/29
      nextHop: 100.100.7.49
      outboundMaxBandwidth: 10000
      inboundMaxBandwidth: 5000
      firewallMode: statefulSNAT
      behindNat: auto
      zone: WAN
  haConfig:
    haPeerSerial: 001BBC1E164A
    haIpPool: 169.254.1.0/24
    haSubnetMask: 30
    haVlanStart: 4000
    haInterface: lan0
    haInterfaceOrder: MPLS1,INET1
    haPeerInterfaceInfo:
      - interfaceLabel: INET1
        outbound: 100000
        inbound: 25000
        segment: Default
        zone: WAN
```
DHCP HA Settings
DHCP HA lets the surviving gateway keep serving DHCP leases if its peer fails. Configure it under the dhcpHA key, at the same level as the dhcpInfo stanza. Use the management IP of each gateway as the local and peer addresses; the failover channel runs on port 647 between those two management addresses over the MGMT VLAN, so keep that VLAN restricted to the two gateways. The example below is for CHIBR-ECE-1. On CHIBR-ECE-2, swap ipAddress and peerIpAddress and give it the secondary failover role; only one peer of the pair may be primary.
```yaml
dhcpInfo:
  ...
  - dhcpInterfaceName: lan1.106
    dhcpType: server
    dhcpAddressMask: 10.14.38.0/24
    startIpAddress: 10.14.38.10
    endIpAddress: 10.14.38.200
    gatewayIpAddress: 10.14.38.1
    dnsServers:
      - 8.8.4.4
      - 8.8.8.8
    maximumLease: 24
    defaultLease: 24
  - dhcpInterfaceName: lan1.107
    dhcpType: relay
    dhcpProxyServers:
      - 10.2.120.99
      - 10.2.120.98
dhcpHA:
  dhcpFailoverRole: primary
  ipAddress: 10.14.32.2
  ipAddressPort: 647
  peerIpAddress: 10.14.32.3
  peerIpAddressPort: 647
  mclt: 3600
  split: 128
  maxResponseDelay: 10
  maxUnackedUpdates: 10
  loadBalanceMaxSeconds: 5
```
VRRP Settings
The VRRP configuration for CHIBR-ECE-1 is shown below. CHIBR-ECE-2 uses the same configuration with the priority as the only difference: its priority must be lower than CHIBR-ECE-1's, so that CHIBR-ECE-1 is the master for every group while both gateways are healthy.
Caution: Ensure that devices and Orchestrator are on the same major version. For example: 9.2 Orchestrator and appliance or 9.3 Orchestrator and appliance.
```yaml
vrrp:
  vrrpEntries:
    - groupId: 100
      interfaceName: lan1
      admin: Up
      virtualIpAddress: 10.14.32.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 101
      interfaceName: lan1.101
      admin: Up
      virtualIpAddress: 10.14.33.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 102
      interfaceName: lan1.102
      admin: Up
      virtualIpAddress: 10.14.34.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 103
      interfaceName: lan1.103
      admin: Up
      virtualIpAddress: 10.14.35.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 104
      interfaceName: lan1.104
      admin: Up
      virtualIpAddress: 10.14.36.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 105
      interfaceName: lan1.105
      admin: Up
      virtualIpAddress: 10.14.37.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 106
      interfaceName: lan1.106
      admin: Up
      virtualIpAddress: 10.14.38.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
    - groupId: 107
      interfaceName: lan1.107
      admin: Up
      virtualIpAddress: 10.14.39.1
      advertisementTimer: 1
      priority: 128
      version: 2
      preemption: true
      holddownTimer: 60
```
VRRP IP SLA Settings
For VRRP to fail over between the peers dynamically, an IP SLA must be configured. The following example shows a VRRP IP SLA rule per interface that automatically decreases the VRRP priority when the monitored interface is down and increases it again when it recovers. This configuration is the same on both devices.
```yaml
ipSlaRule:
  ruleEntries:
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.101
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.101
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.101
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.102
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.102
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.102
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.103
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.103
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.103
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.104
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.104
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.104
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.105
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.105
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.105
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.106
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.106
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.106
        priority: 100
    - enable: true
      samplingInterval: 30
      comment: vrrp monitor
      ipslaMonitor:
        monitorType: vrrp
        interfaceName: lan1.107
      downAction:
        downActionType: decreaseVRRPPriority
        interfaceName: lan1.107
        priority: 100
      upAction:
        upActionType: increaseVRRPPriority
        interfaceName: lan1.107
        priority: 100
```
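The Edge HA, DHCP HA and VRRP sections above each describe something that must agree between the two files of the pair: a unique ipsecUdpPort, haPeerSerial pointing at the other appliance, haInterfaceOrder covering both peers' WAN labels, haPeerInterfaceInfo describing the peer's links, mirrored DHCP HA addresses with exactly one primary, and VRRP identical apart from priority. The following Python script is an added example, not part of this guide or of Orchestrator, that checks those rules across the two files before they are applied. It embeds CHIBR-ECE-1 as a dict (what yaml.safe_load would return, trimmed to the relevant keys) and derives CHIBR-ECE-2 from it as the guide describes. Three things are assumptions rather than values from the guide: CHIBR-ECE-2's VRRP priority of 100, the value secondary for its DHCP failover role, and reading the IP SLA downAction priority as the amount subtracted from the VRRP priority, which is what makes the last check meaningful: if the decrement is not larger than the gap between the two static priorities, the down action never hands mastership to the peer.

```python
"""Cross-check the two pre-configuration files of an Edge HA pair before loading them.
Added example, not part of the guide or of Orchestrator. Assumptions: ECE-2's VRRP priority
(100), the secondary DHCP failover role value, and that an IP SLA downAction 'priority' is
the amount subtracted from the VRRP priority."""
import copy

SERIAL_ECE1, SERIAL_ECE2 = "001BBC1E164A", "001BBC1E20C4"  # each file's haPeerSerial names the other

# Constructed sample: CHIBR-ECE-1 as yaml.safe_load() would return it, trimmed to the keys
# the pair checks need (one local WAN link, two VRRP groups, two IP SLA rules).
ECE1 = {
    "applianceInfo": {"hostname": "CHIBR-ECE-1"},
    "deploymentInfo": {
        "ipsecUdpPort": 12010,
        "deploymentInterfaces": [{"interfaceName": "wan0", "interfaceLabel": "INET1", "interfaceType": "wan",
                                  "outboundMaxBandwidth": 100000, "inboundMaxBandwidth": 25000}],
        "haConfig": {"haPeerSerial": SERIAL_ECE2, "haIpPool": "169.254.1.0/24", "haSubnetMask": 30,
                     "haVlanStart": 4000, "haInterface": "lan0", "haInterfaceOrder": "MPLS1,INET1",
                     "haPeerInterfaceInfo": [{"interfaceLabel": "MPLS1", "outbound": 10000, "inbound": 5000}]},
    },
    "dhcpHA": {"dhcpFailoverRole": "primary", "ipAddress": "10.14.32.2", "ipAddressPort": 647,
               "peerIpAddress": "10.14.32.3", "peerIpAddressPort": 647, "mclt": 3600, "split": 128},
    "vrrp": {"vrrpEntries": [
        {"groupId": 100, "interfaceName": "lan1", "virtualIpAddress": "10.14.32.1", "priority": 128,
         "version": 2, "preemption": True},
        {"groupId": 101, "interfaceName": "lan1.101", "virtualIpAddress": "10.14.33.1", "priority": 128,
         "version": 2, "preemption": True}]},
    "ipSlaRule": {"ruleEntries": [
        {"ipslaMonitor": {"monitorType": "vrrp", "interfaceName": ifn},
         "downAction": {"downActionType": "decreaseVRRPPriority", "interfaceName": ifn, "priority": 100}}
        for ifn in ("lan1", "lan1.101")]},
}


def make_ece2():
    """CHIBR-ECE-2 as the guide describes it: same file, MPLS1 local and INET1 as the peer's link,
    DHCP HA addresses mirrored and role changed, VRRP priority lowered, its own IPsec UDP port."""
    c = copy.deepcopy(ECE1)
    c["applianceInfo"]["hostname"] = "CHIBR-ECE-2"
    d = c["deploymentInfo"]
    d["ipsecUdpPort"] = 12020
    d["deploymentInterfaces"] = [{"interfaceName": "wan1", "interfaceLabel": "MPLS1", "interfaceType": "wan",
                                  "outboundMaxBandwidth": 10000, "inboundMaxBandwidth": 5000}]
    d["haConfig"]["haPeerSerial"] = SERIAL_ECE1
    d["haConfig"]["haPeerInterfaceInfo"] = [{"interfaceLabel": "INET1", "outbound": 100000, "inbound": 25000}]
    c["dhcpHA"].update(dhcpFailoverRole="secondary", ipAddress="10.14.32.3", peerIpAddress="10.14.32.2")
    for e in c["vrrp"]["vrrpEntries"]:
        e["priority"] = 100  # assumed value; the guide only says lower than ECE-1
    return c


def local_wans(cfg):
    """Label -> (outbound, inbound) for the WAN links physically attached to this appliance."""
    return {i["interfaceLabel"]: (i["outboundMaxBandwidth"], i["inboundMaxBandwidth"])
            for i in cfg["deploymentInfo"]["deploymentInterfaces"] if i.get("interfaceType") == "wan"}


def check_pair(a, serial_a, b, serial_b):
    """Return the problems found across the two files; a is the intended VRRP master."""
    p, ha, hb = [], a["deploymentInfo"]["haConfig"], b["deploymentInfo"]["haConfig"]
    if a["deploymentInfo"]["ipsecUdpPort"] == b["deploymentInfo"]["ipsecUdpPort"]:
        p.append("ipsecUdpPort must be unique per HA peer")
    if (ha["haPeerSerial"], hb["haPeerSerial"]) != (serial_b, serial_a):
        p.append("haPeerSerial does not point at the other peer")
    p += [f"haConfig.{k} differs between peers" for k in
          ("haIpPool", "haSubnetMask", "haVlanStart", "haInterface", "haInterfaceOrder") if ha[k] != hb[k]]
    wa, wb = local_wans(a), local_wans(b)
    if set(ha["haInterfaceOrder"].split(",")) != set(wa) | set(wb):
        p.append("haInterfaceOrder must list every WAN label of both peers")
    for cfg, theirs in ((a, wb), (b, wa)):  # each file describes the *other* appliance's links
        seen = {x["interfaceLabel"]: (x["outbound"], x["inbound"])
                for x in cfg["deploymentInfo"]["haConfig"]["haPeerInterfaceInfo"]}
        if seen != theirs:
            p.append(f"{cfg['applianceInfo']['hostname']}: haPeerInterfaceInfo does not match the peer's WAN links")
    xa, xb = a["dhcpHA"], b["dhcpHA"]
    if (xa["ipAddress"], xa["peerIpAddress"]) != (xb["peerIpAddress"], xb["ipAddress"]):
        p.append("dhcpHA ipAddress/peerIpAddress are not mirrored between peers")
    if (xa["dhcpFailoverRole"], xb["dhcpFailoverRole"]).count("primary") != 1:
        p.append("dhcpHA: exactly one peer must be primary")
    va = {e["groupId"]: e for e in a["vrrp"]["vrrpEntries"]}
    vb = {e["groupId"]: e for e in b["vrrp"]["vrrpEntries"]}
    if va.keys() != vb.keys():
        p.append("VRRP groups differ between peers")
    dec = {r["downAction"]["interfaceName"]: r["downAction"]["priority"] for r in a["ipSlaRule"]["ruleEntries"]
           if r["downAction"]["downActionType"] == "decreaseVRRPPriority"}
    for g in sorted(va.keys() & vb.keys()):
        ea, eb = va[g], vb[g]
        if {k: v for k, v in ea.items() if k != "priority"} != {k: v for k, v in eb.items() if k != "priority"}:
            p.append(f"VRRP group {g}: everything except priority must match")
        if ea["priority"] <= eb["priority"]:
            p.append(f"VRRP group {g}: {a['applianceInfo']['hostname']} must have the higher priority")
        if dec.get(ea["interfaceName"], 0) <= ea["priority"] - eb["priority"]:  # else the down action never fails over
            p.append(f"VRRP group {g}: IP SLA decrement on {ea['interfaceName']} cannot drop below the peer's priority")
    return p


def broken_pair():
    """Constructed negative case: ECE-2 cloned from ECE-1 without a new IPsec UDP port or a lower VRRP priority."""
    b = make_ece2()
    b["deploymentInfo"]["ipsecUdpPort"] = ECE1["deploymentInfo"]["ipsecUdpPort"]
    for e in b["vrrp"]["vrrpEntries"]:
        e["priority"] = 128
    return check_pair(ECE1, SERIAL_ECE1, b, SERIAL_ECE2)
```

`check_pair(ECE1, SERIAL_ECE1, make_ece2(), SERIAL_ECE2)` returns an empty list for the pair as the guide describes it, and `broken_pair()` reproduces the most common cloning mistake: copying the first file for the second appliance and forgetting to change the IPsec UDP port and lower the VRRP priority, which leaves both peers claiming mastership for every VLAN.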
Applying the Configuration
In the previous sections, the configuration files were built for both the redundant and non-redundant sites. This section demonstrates how to load the configuration files into Orchestrator. These files are also used as the starting point for future gateways.
Loading Configuration
Orchestrator does not support placeholders in a pre-configuration, so these files cannot be used as a true template. However, they can serve as a starting point for new devices if the Serial field is left empty, which tells Orchestrator that the configuration is not yet bound to any device.
Step 1 Go to Configuration > Preconfigure Appliances.
Step 2 Click the New button on the top left.
Step 3 Erase the example configuration on the left side.
Step 4 Copy the “Standalone Boise” configuration into the window.
Step 5 Enter the name: Non_Redundant_Site.
Step 6 Repeat Steps 2 to 5 for the other configurations using the following names.
- Name: Internet_Only_Redundant_Site
- Name: MPLS_Only_Redundant_Site
Linking the Configuration to Gateways
After the configuration files are loaded, follow these steps to use them as a starting point for other gateways. In the previous step, the files were loaded but the Serial field was left blank.
The procedure below clones the starting file and uses the serial field to link devices to a configuration. The starting configuration files do not require changes since they were made for the devices to be onboarded. However, if another branch is introduced, these files should be adjusted for that device.
Step 1 Select the Non_Redundant_Site.
Step 2 Click the Clone From Existing button.
Step 3 Enter the device name: BOIBR-ECE1.
Step 4 Enter the serial number of the gateway: 001BBC1E1656.
Step 5 Repeat Steps 1 to 4 entering the appropriate information for each gateway.
Note: The Auto Approve when Discovered checkbox can be checked, depending on the organization's workflow. With it checked, any appliance that reports a matching serial number is approved and configured without an administrator reviewing it, so leave it unchecked unless discovery is restricted to appliances you control.
Discover Gateways and Apply Configuration
This section demonstrates how the configuration is applied to a device after it has been discovered.
Step 1 Click Appliances Discovered on the top right.
Step 2 In the list of appliances, click Approve.
Step 3 Click Skip in the upgrade window.
Step 4 Click Apply Pre-configuration.
Step 5 Click Close.
Step 6 Repeat Steps 2 to 5 for the other appliances.
Verification
Verify that the tunnels are up: go to Configuration > Tunnels.
Verify that the configuration was applied as intended: right-click the newly onboarded gateway and select Deployment.